Domain Name System (DNS) poisoning is a hacking technique that exploits weaknesses in DNS to reroute traffic from a legitimate site to an exact copy of that site.
Once a user is on the fake site, hackers can capture login credentials, install malware and commit many other scams.
What is DNS?
Every computer and server is associated with an IP address: a unique set of numbers that identifies the machine and allows it to communicate with others over a network. An IP address looks like XXX.XX.X.XX, with each X replaced by a digit.
DNS is what translates between IP addresses and human-readable names, for example linking the IP address 220.127.116.11 to www.adamlevin.com. This lets a user type a friendly domain name into a web browser rather than a long string of numbers and still land on the desired web page.
How does DNS Work?
Typing in a URL and visiting a website is a simple task. Yet what happens behind the scenes is more complex, and DNS is integral to the process. Here’s how it works:
- Each time a domain is entered into a web browser, a DNS server is contacted to find out which web page should be loaded.
- The DNS server looks up the numerical address, i.e., the IP address, associated with the domain entered in the address bar.
- A DNS resolver completes the query: the domain entered in the address bar is translated to an IP address. If the IP address is correct, the web browser reaches the desired destination online.
When the IP address is wrong, visitors are rerouted to a website staged to attack them. This is DNS poisoning, where cybercriminals interfere with the DNS exchange to hijack website traffic and send it to malicious websites.
It works by tricking the DNS server into accepting a forged response for the IP address it should be looking up (i.e., for the domain the user entered, which in turn decides which web page the user is directed to).
For example, if the correct domain and corresponding IP address are www.adamlevin.com and 18.104.22.168, and the domain and IP address of the fake website are www.whatthehackpod.com and 22.214.171.124, the attacker poisons the DNS server by getting it to store the fake website's IP address (126.96.36.199) as the answer for www.adamlevin.com.
Attackers can answer the DNS server with the wrong IP address quickly, long before the legitimate server responds; the DNS server accepts and remembers the forged answer, allowing criminals to intercept traffic.
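To make the race described above concrete, here is a toy resolver model added as an example (it is not code from the original article). The query, the server and forger addresses, the transaction ID and the port numbers are constructed; only the domain name and the two answer addresses are taken from the article's example.

```python
# Added example: a toy model of a DNS resolver handling one outstanding query.
# It contrasts a resolver that trusts the first matching answer (the behaviour
# DNS poisoning relies on) with one that checks every field it controls.
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the query was sent from
    qname: str       # question name, e.g. "www.adamlevin.com"
    server: str      # address of the server the query was sent to


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int    # UDP port the response was addressed to
    qname: str
    answer: str      # IP address the response claims for qname
    from_addr: str   # source address written on the response packet


def naive_resolve(query, responses):
    """Accept the first response whose question name matches.
    Whoever answers first wins, which is exactly the race an attacker exploits."""
    for r in responses:
        if r.qname == query.qname:
            return r.answer
    return None


def validating_resolve(query, responses):
    """Accept a response only if it matches the outstanding query on the
    transaction ID, the destination port, the question name and the server
    address (the checks described in RFC 5452). The source address alone is
    weak because it can be spoofed; the unpredictable ID and port are what
    make a blind forgery unlikely to match. Even so, only DNSSEC validation
    proves the answer is authentic, so treat this as a filter, not a cure."""
    for r in responses:
        if (r.txid == query.txid and r.dst_port == query.src_port
                and r.qname == query.qname and r.from_addr == query.server):
            return r.answer
    return None


# Constructed sample traffic (documentation addresses 192.0.2.x / 198.51.100.x).
QUERY = Query(txid=0x3B7A, src_port=51342, qname="www.adamlevin.com", server="192.0.2.53")
FORGED = Response(txid=0x1111, dst_port=53, qname="www.adamlevin.com", answer="126.96.36.199", from_addr="198.51.100.9")
GENUINE = Response(txid=0x3B7A, dst_port=51342, qname="www.adamlevin.com", answer="18.104.22.168", from_addr="192.0.2.53")
ARRIVAL_ORDER = [FORGED, GENUINE]   # the forged answer arrives first, as in the article
```

Running `naive_resolve(QUERY, ARRIVAL_ORDER)` returns the fake address from the forged packet, while `validating_resolve(QUERY, ARRIVAL_ORDER)` discards it and returns the genuine answer.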
What do DNS Poisoning Attacks Look Like?
DNS poisoning is a particularly deceptive form of cybercrime that can easily mislead users into thinking they are on a legitimate website. This results in users browsing a hacker’s facsimile web page and being prompted to click on infected links, thereby installing malware onto their computer. It can also involve being prompted to log into what the user believes to be their legitimate account on a banking or email application, granting the hacker access to their credentials and other types of Personally Identifiable Information (PII).
In one example, scammers redirected web traffic from users attempting to access their MyEtherWallet account (a popular cryptocurrency wallet) to a fake website to capture their login credentials. The attackers were then able to log into the victim’s legitimate MyEtherWallet accounts and drain $17 million worth of cryptocurrency funds.
How can you protect yourself?
For the average online user, options to protect oneself from DNS poisoning are limited; preventing such attacks depends largely on the security practices of website owners and server providers.
Website owners and server providers should consider installing DNS poisoning detection tools, Domain Name System Security Extensions (DNSSEC), and end-to-end encryption. For average users, it’s critical to never click a link you don’t recognize, to regularly scan your computer for malware, and to consider using a Virtual Private Network (VPN) when browsing the web.