IT Baseline Protection Manual T 5.78 DNS spoofing

T 5.78 DNS spoofing

To be able to communicate with another computer on the Internet, one needs to know its IP address. This address consists of 4 numbers between 0 and 255, e.g. 194.95.176.226. As such numbers are not easy to memorise, almost all IP addresses are assigned names. This method is termed DNS (Domain Name System). Consequently, the WWW server of the BSI can be addressed under http://www.bsi.bund.de as well as under http://194.95.176.226, because the name is converted into the IP address at the time of the lookup.

The databases in which computer names are assigned IP addresses, and vice versa, are located on name servers. Two databases are available for allocation of names to IP addresses. The first database allocates IP addresses to names, while the second database allocates names to IP addresses. These databases need not be mutually consistent! DNS spoofing is said to occur when an intruder becomes successful in forging an allocation between a computer name and an IP address, i.e. assigning a name to a false address, or vice versa.

This allows the following types of intrusion:

The ease with which DNS spoofing can be performed depends on how the attacked network has been configured. As no computer can hold all the DNS information existing in the world, it always has to rely on information from other computers. To reduce the volume of DNS requests, most name servers temporarily store information which they have received from other name servers.

Once someone has infiltrated a name server, they are also able to modify the information it holds. Direct intrusion into a name server is not considered further here. Instead, the principal shortcomings of DNS are mentioned.

The two examples below are intended to describe different techniques of DNS spoofing.

  1. A user on the computer named pc.customer.de first intends to access www.company-x.de and then the competitor's server www.company-y.de. To allow access to www.company-x.de, the corresponding IP address needs to be requested from the name server ns.customer.de. This server does not know the address either, and in turn requests it from the name server ns.company-x.de. This server returns the IP address, which is forwarded by ns.customer.de to the user and stored. If, in addition to the IP address of www.company-x.de, the response from ns.company-x.de also contains some other IP address for the computer name www.company-y.de, that address is stored as well. If the user then tries to access www.company-y.de, the internal name server ns.customer.de no longer sends any request to the name server ns.company-y.de; instead, it forwards the information supplied to it by ns.company-x.de.
  2. Company X knows that a user on computer pc.customer.de intends to access a competitor's computer www.company-y.de. Company X prevents this by requesting the address of www.company-x.de from name server ns.customer.de. This server in turn has to request the information from name server ns.company-x.de, and consequently receives incorrect details on www.company-y.de, as in the first example.

These two examples are based on the assumption that name servers also accept additional data which they had not requested in the first place. New versions of certain software programs (e.g. bind) no longer contain this error, thus preventing intrusions by this means. However, IP spoofing can still be used to generate false DNS entries, although this type of intrusion is technically much more complicated.
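The following Python model is an added illustration, not part of the BSI text: a minimal resolver cache that either accepts every record in a response (the behaviour the two examples rely on) or keeps only records that lie inside the zone the answering server is responsible for (the check that newer software applies). The host names, the addresses and the response layout are constructed for this example.

```python
# Added example (not from the BSI manual): a toy resolver cache showing why
# unsolicited records in a DNS response must not be cached, and the check
# that prevents it. All names, addresses and records are constructed.

def in_bailiwick(owner, zone):
    """True if `owner` lies inside `zone`, the zone the answering server
    is authoritative for (e.g. www.company-x.de inside company-x.de)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class ResolverCache:
    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.entries = {}  # name -> IP address

    def store_response(self, answering_zone, records):
        """records: list of (name, ip) pairs taken from one DNS response.
        Without the check every record is cached; with the check only
        records the answering server may speak for are kept."""
        for name, ip in records:
            if self.check_bailiwick and not in_bailiwick(name, answering_zone):
                continue  # record for a foreign zone: ignore it
            self.entries[name.lower()] = ip

    def lookup(self, name):
        return self.entries.get(name.lower())


# Constructed response from ns.company-x.de to a query for www.company-x.de
# that additionally carries a record for the competitor's host (example 1).
RESPONSE = [
    ("www.company-x.de", "192.0.2.10"),  # the record that was asked for
    ("www.company-y.de", "192.0.2.66"),  # unsolicited extra record
]


def simulate(check_bailiwick):
    """Feed RESPONSE into a fresh cache and return what ended up cached."""
    cache = ResolverCache(check_bailiwick)
    cache.store_response("company-x.de", RESPONSE)
    return dict(cache.entries)


if __name__ == "__main__":
    print("old behaviour caches:", simulate(False))
    print("with bailiwick check:", simulate(True))
```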


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000

