How Does DNS Poisoning Work?
When you navigate to a website, you type the domain name into a web browser and press enter. This sends a DNS request to a DNS server, which translates the domain name in the query into an IP address. The DNS server resolves the request by sending the IP address associated with that domain name back to the user. The browser then connects to that address and loads the site you were looking for.
What if the DNS server returns an incorrect IP address? That’s exactly what happens when a DNS server is poisoned or spoofed.
Consider this scenario: you’re searching for a street, but all the street signs have been swapped. You think you’re on 42nd, but you’re actually on 52nd. To make matters worse, your GPS has also been tricked.
Replace the street signs with the IP addresses attached to domains, and your GPS with your DNS server. That’s how DNS poisoning or spoofing works:
A hacker alters IP addresses attached to domains in a DNS server with a fake DNS entry.
A user attempts to navigate to a specific domain, and the DNS server sends them to the IP address associated with that domain.
The hacker has altered the IP address in the DNS server, so the user is unknowingly sent to an incorrect IP address.
The IP address serves a site that looks like the user’s intended site.
The user interacts with the copycat site and attempts to log in, unknowingly sharing their username and password with the hacker.
There are a few methods to conduct DNS poisoning and spoofing, including:
Compromising a DNS server: An attacker directly hijacks a DNS server to reroute traffic from legitimate sites to other IP addresses.
Man-in-the-middle attacks: An attacker positions themselves between your browser and a DNS server to redirect you to a malicious IP address.
Regardless of the method, the end result is the same: redirecting web traffic away from its intended destination.
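A forged reply only poisons a cache if the resolver accepts it, so the first line of defence is checking that every reply actually matches the query that was sent. The following Python is an added example, not code from the original article: it builds constructed query and reply packets with the standard library and shows the minimal header and question checks a resolver applies before trusting an answer (the transaction ID 0x1A2B and the sample addresses are made up for the demonstration).

```python
import struct

def encode_name(name):
    """Encode a dotted hostname in DNS label format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid, name, qtype=1):
    """Minimal DNS query: header with RD set, one question, type A / class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, ip, qtype=1):
    """Minimal DNS reply with one A record (constructed sample data, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # answer: compression pointer to the question name (offset 12), TTL 60, 4-byte rdata
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4)
    return header + question + rr + bytes(int(o) for o in ip.split("."))

def parse_question(pkt, offset=12):
    """Return (name, qtype, qclass) of the first entry in the question section."""
    labels = []
    while pkt[offset] != 0:
        n = pkt[offset]
        labels.append(pkt[offset + 1:offset + 1 + n].decode())
        offset += 1 + n
    qtype, qclass = struct.unpack("!HH", pkt[offset + 1:offset + 5])
    return ".".join(labels), qtype, qclass

def check_response(query, response):
    """Decide whether a reply may be cached for the query we sent.
    A reply failing any check is dropped. Real resolvers additionally match the
    UDP source port and server address and, where deployed, validate DNSSEC."""
    if len(response) < 12:
        return False, "truncated header"
    if struct.unpack("!H", response[:2])[0] != struct.unpack("!H", query[:2])[0]:
        return False, "transaction ID mismatch"
    if not struct.unpack("!H", response[2:4])[0] & 0x8000:
        return False, "QR bit not set"
    if parse_question(response) != parse_question(query):
        return False, "question section differs from query"
    return True, "ok"

# constructed packets: one genuine reply and two that a resolver must reject
QUERY = build_query(0x1A2B, "example.com")
GENUINE = build_response(0x1A2B, "example.com", "93.184.216.34")
BAD_TXID = build_response(0x9999, "example.com", "198.51.100.7")
BAD_NAME = build_response(0x1A2B, "example.net", "198.51.100.7")

if __name__ == "__main__":
    for label, pkt in [("genuine", GENUINE), ("bad txid", BAD_TXID), ("bad name", BAD_NAME)]:
        print(label, check_response(QUERY, pkt))
```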
DNS Poisoning Attack Examples
How To Detect and Prevent DNS Poisoning
As the MyEtherWallet example shows, detecting a DNS spoof is not instantaneous. It’s extremely difficult to detect manually, but security protocols and DNS spoof detection tools can help.