What are the types of DNS spoofing?

Question

I saw a post on here about how there are multiple types of DNS spoofing, it said: "DNS spoofing refers to the broad category of attacks that spoof DNS records. There are many different ways to do DNS spoofing: compromise a DNS server, mount a DNS cache poisoning attack (such as the Kaminsky attack against a vulnerable server), mount a man-in-the-middle attack (if you can get access to the network), guess a sequence number (maybe making many requests), be a false base station and lie about the DNS server to use, and probably many more."

But when I google 'types of DNS spoofing' I get no useful answer.

Can someone explain to me these different kinds of DNS spoofing and how they work?

Answer 1

I think you are using wrong keyword for this topic. These are different various of attacks against DNS server and one of them is also DNS spoofing.

DNS security threats and mitigations

Because of the open, distributed design of the Domain Name System, and its use of the User Datagram Protocol (UDP), DNS is vulnerable to various forms of attack. Public or "open" recursive DNS resolvers are especially at risk, since they do not restrict incoming packets to a set of allowable source IP addresses. We are mostly concerned with two common types of attacks:

Spoofing attacks leading to DNS cache poisoning. Various types of DNS spoofing and forgery exploits abound, which aim to redirect users from legitimate sites to malicious websites. These include so-called Kaminsky attacks, in which attackers take authoritative control of an entire DNS zone. enter preformatted text here

Denial-of-service (DoS) attacks. Attackers may launch DDoS attacks against the resolvers themselves, or hijack resolvers to launch DoS attacks on other systems. Attacks that use DNS servers to launch DoS attacks on other systems by exploiting large DNS record/response size are known as amplification attacks.

Continue reading over here: https://developers.google.com/speed/public-dns/docs/security#introduction_dns_security_threats_and_mitigations

Answer 2

There are many different ways to do DNS spoofing:

Compromise a DNS server

This one is as simple as it sounds. If the attacker controls a DNS server that is in the resolution chain that the victim is using, then the attacker can control which IP addresses domains resolve to.

The initial compromise would be via any normal method that an attacker would use to compromise a server - password guessing, weak SSH keys, reused credentials, vulnerabilities, leaked details, etc. Once they have control they can do what they like, including in regards to DNS responses.

Mount a DNS cache poisoning attack (such as the Kaminsky attack against a vulnerable server)

If the attacker can send enough responses to the server to cover the 16 bit query ID address space, they can make their victim's DNS server cache one of these rogue responses. Now, whenever the victim's machine queries the hostname, it will resolve to one of the attacker's choosing, rather than the real domain name. This is usually mitigated by using random source ports to increase the entropy pool.

Mount a man-in-the-middle attack (if you can get access to the network)

Again, as simple as it sounds. If you can intercept DNS response, then you can alter the IPs in the data stream.

Guess a sequence number (maybe making many requests)

This is essentially the Kaminsky attack, although you could execute it directly against the victim rather than the victim's DNS resolver.

Be a false base station and lie about the DNS server to use, and probably many more.

True. At the end of the day DNS is a network service, just like any other. Its unauthenticated and unencrypted nature means that it's game for eavesdropping and MitM attacks.

Other attack vectors could include dropping a hosts file on the victim's machine as a very easy way to redirect their traffic to a specific domain. A similar one is the badusb attack where the USB device acts as a network card, and provides rogue DNS settings to the victim's machine directly.