
How DNS Poisoning Attacks Work

We love to explore the common security threats which are being leveraged against every cloud platform every day.  These threats are never going away, so the best thing to do is understand and guard against them.  Let’s find out How DNS Poisoning Attacks Work.

What Is DNS

DNS stands for Domain Name System.  Okay, but what’s a domain?  A domain is just a name on the internet.  So beatyconsultancy.co.uk is a domain.  amazon.co.uk is a domain.  And amazon.com is a different domain.

Cool, so why do we need a system for naming them – they’re already names, yea?  Well yes they are, but computers don’t like names – they like IP addresses.  What’s an IP address though (I promise this is the bottom of the rabbit hole).

IP Addresses

An IP address is like a phone number for computers.  An IP address is split into 4 sections, or “octets” and each octet goes from 0-255.  So an IP address might look like 104.28.0.128.

It has an area code and then a unique number at the end.  Amazon owns everything with an 8. at the beginning, so that’s kind of like the area code.  Then anything after that describes the computer at Amazon that you’d like to talk to.

You might have never seen an IP address before in your life, so you might think your business doesn’t use them.  But you’d be wrong – and it’s all because of the magic of DNS.  You see when you type in beatyconsultancy.co.uk into your web browser and smack the return key, your computer uses DNS to find the IP address for that domain.  And that process uses… witchcraft.  I’m joking, it uses DNS.  I’m so funny…

There are DNS servers all over the world – thousands of them.  Your Internet Service Provider most likely runs your DNS server for you.  A great analogy is that of a phone book.  You look up a name, and there’s that person’s phone number.  With DNS, you look up a domain, and there’s that domain’s IP address.

What is DNS Poisoning

DNS Poisoning is when the Domain Name System gives you a different IP address than the one the domain owner wants you to get.

Whenever anyone in the world types in beatyconsultancy.co.uk into their web browser, I want them to get OUR IP address.  If they get a different one, they won’t get here, and they won’t see our awesome website.  That would be bad.  But what if they saw a different website instead of it just not working?  What if it went to a competitor’s website?  Or worse.

What if someone poisoned the DNS by telling it that beatyconsultancy.co.uk should point to their IP address instead of ours.  And then their website looked a lot like ours.  And then what if users were encouraged to log into their account on that website?  Those usernames and passwords would be sent to the attackers website, and not ours.  Now they’ve got your username and password, and they can go to our real website and use them.

Put simply, DNS poisoning is when an attacker changes the record in the “phone book”.
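A domain owner can watch for this by comparing the address a resolver hands back with the addresses the domain is meant to have. The Python below is an added example, not code from the original article; example.com, the 192.0.2.x and 203.0.113.x addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:              # root label ends the name
            return off + 1
        off += 1 + length

def a_records(msg: bytes) -> list[str]:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    _id, _flags, qdcount, ancount = struct.unpack_from("!HHHH", msg, 0)
    off = 12                                   # fixed-size DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:          # type A, four-byte address
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def unexpected_addresses(msg: bytes, expected: set[str]) -> list[str]:
    """Addresses in the response that the domain owner did not publish."""
    return [a for a in a_records(msg) if a not in expected]

def build_response(name: str, ip: str) -> bytes:
    """Construct a minimal one-answer DNS response (sample data for the demo)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + qname + struct.pack("!HH", 1, 1) + answer + ipaddress.IPv4Address(ip).packed

EXPECTED = {"192.0.2.10"}   # constructed: the address the owner intends to publish

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66"):
        bad = unexpected_addresses(build_response("example.com", ip), EXPECTED)
        print(ip, "->", "ALERT: unexpected " + ", ".join(bad) if bad else "ok")
```

In practice the response bytes would come from querying each resolver you want to monitor rather than from `build_response`.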

What Can We Do About It?

Well the good(ish) thing is that it’s not usually your problem.  You most probably don’t run any public DNS servers.  And these days, you probably don’t run any private DNS servers either – we have AWS Route53 for that.  But if you do, just make sure they’re patched, will you?

Keeping servers up to date is one of the easiest and most bulletproof ways to keep your systems secure.  If you don’t already have a strategy for patching your servers, put it on the to-do list for this week.  Honestly, just get it done as soon as you can.

DNSSEC

There’s a fancy-pants new standard which uses certificates and encryption to make sure that any changes to DNS records are being carried out by the right people.  Lots of DNS server packages support this now, but it’s a bit beyond the scope of this article.  And like I say, we all live in the cloud now, so we don’t bother ourselves with running pesky DNS servers.

But what about things you can do today?

Be Vigilant

One of the telltale signs that DNS has been poisoned, and that you’re not heading to the website you thought you were, is if the HTTPS certificates are broken.  You know the little padlock on the address bar?  Click that and click View Certificate, and you’ll see it belongs to the site owner.  Okay, Content Delivery Networks muddy this a little bit, but we’ll cover those another day.

But basically, it’s really hard for an attacker to get a certificate for a website they don’t own.  So even if they can poison the DNS server your computer checks to get its IP addresses for the websites you want to visit, the chances are they can’t also get a certificate.  So if you get a big bad warning message telling you the certificate for this website is invalid – don’t ignore it!

Another way to check you are where you think you are on the Internet is to just look out for things that look out of place.  Often when an attacker copies a website and sends you there via a DNS poisoning attack, they haven’t quite got everything looking perfect.  Websites are made up of thousands of individual components, all linked together with intricate and exacting code.  If any of it is wrong, the webpage can look really badly broken – or it can just look a bit… off.

And that’s all there is to it.  Now you know all about DNS poisoning attacks, you’re much less likely to fall prey to one.
