
DNS spoofing

Ted asked
I had a partner claim that his small business was subject to a DNS attack where his staff's browsing was redirected to bogus sites.  And the attack was done from the OUTSIDE.
I think I understand how such an attack is made... you perform a man-in-the-middle where you intercept the DNS query and then return to the client an IP address to a site that you really want them to go...
But how is that really done if the attack is from the public internet?  How do you actually get the clients to send the query to you instead??  I promise I won't turn you in ;-) and I certainly am not going to do this, but how is this physically done??  Don't you have to have a registered DNS server at your control?? And don't you have to be able to hack into the client machines to change their pointers??
Is this a common occurrance?

I have seen that done via viruses and spam, as they do that to get your passwords, credit card numbers, etc. by using their own web site that looks exactly like the real thing.

To fix this, run an antivirus, and when there are no viruses, from cmd run
ipconfig /flushdns
which takes everything in the local resolver cache (local DNS system) out, and when done type
ipconfig /displaydns

It should not have much in it, just a localhost entry and maybe another for the local router, but nothing else.

Then when you go to a website, the local resolver cache gets the answer from DNS and inserts it in the local resolver cache.
The concept is quite simple actually. DNS exists on two 'layers' between a computer and the destination. First, the local machine has DNS records on it that tell it where to resolve, say, Google.com. The local machine isn't doing any of the work here (except maybe the cache if it's been visited before). The request shoots out to wherever local DNS tells it to go, and in turn that destination provides the translation, which, however non-authoritative it may be, could be anything.
I'm not insulting your knowledge of DNS, just breaking it down simply.
The hard part isn't creating a malicious DNS server, so I think where you're confused is how the local machine gets pointed to the malicious server.
For windows boxes, very simple:


So use your infection exploit of choice on a Windows machine, change that registry key, protect it a bit, make sure it stays resident and voila, the infected machine is now using your malicious DNS server.

You may have heard recently of the FBI taking over a few malicious servers then shutting them down after a while after letting infected users (Govt. agencies, Forbes companies, and average Joe users:


I'm just providing a simple example; there are other methods of cache poisoning that are a lot less hacky.


So through the virus or spam, do they get your local machine password and then go in there to change your local resolver's parameters?

Do they get into your local DNS server and change its entries?

How are they doing it?


I just hit "send" and didn't see that last comment...
Reading it now... thanks
Nah, you don't need a password for the machine. I see garden variety malware do this type of crap all the time. They love popping in and switching your proxy settings, making it so all requests go through their proxy before 'sending you to the correct page'. You've seen it, I'm sure, when Internet Explorer just serves random pages when you click on a link in Google, or how you can never get to an antivirus site when you're infected.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

Anyway, there are lots of TCP/IP settings that can be changed that will break connections or send them somewhere else.



DhcpNameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

NameServer = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx

Again, even garden variety malware takes advantage of this, and usually just by serving a malicious page that Internet Explorer hasn't patched a vulnerability for.
Which is why I guess I can't wrap my skull around why the FBI had to get involved with the DNSChanger Virus, I mean it was pretty low tech actually, just took someone with the stupidity to actually try it.
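As an added example (not code from the thread), here is a small audit script from the defender's side: it parses a `reg export` of the two registry keys named above and flags any `NameServer`/`DhcpNameServer` entry that is not one of the resolvers you actually run, plus an enabled Internet Explorer proxy. The sample export and the allowlist are constructed for the example; on a real box the per-interface values live under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}`, and 203.0.113.x is a documentation range standing in for rogue hosts.

```python
import re

# Constructed sample in "reg export" format (not from a real machine). The
# second interface has a static NameServer pointing outside the business.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-0001}]
"DhcpNameServer"="10.0.0.2,10.0.0.3"
"NameServer"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-0002}]
"DhcpNameServer"="10.0.0.2,10.0.0.3"
"NameServer"="203.0.113.5,203.0.113.6"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="203.0.113.9:8080"
"""

TRUSTED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}  # assumed allowlist: the resolvers you run
VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    # Turn the [key] / "name"=value lines of a .reg export into {key: {name: value}}.
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, string_val, dword_val = m.groups()
                keys[current][name] = string_val if string_val is not None else str(int(dword_val, 16))
    return keys


def audit(keys):
    findings = []
    for path, values in keys.items():
        if "\\Tcpip\\Parameters\\Interfaces\\" in path:
            iface = path.rsplit("\\", 1)[-1]
            # A static NameServer overrides the DHCP-supplied list; check both anyway.
            for name in ("NameServer", "DhcpNameServer"):
                for ip in filter(None, re.split(r"[ ,]+", values.get(name, ""))):
                    if ip not in TRUSTED_RESOLVERS:
                        findings.append(f"{iface}: {name} points at untrusted resolver {ip}")
        elif path.endswith("\\Internet Settings") and values.get("ProxyEnable") == "1":
            findings.append(f"IE proxy enabled: {values.get('ProxyServer', '?')}")
    return findings
```

On a real machine, produce the input with `reg export` of those keys (the file is UTF-16; decode it before passing the text in) and compare against the DNS servers your DHCP scope actually hands out.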

Well, you download a virus, and if you are admin then I can do it through your admin account.

A lot of Windows viruses use API calls, I think, so it's like a system file doing the damage. I have seen that many viruses act as system files for doing that kind of thing, and others, in the last few years.

No, they are just updating the local resource cache.
There are a few routes to go, but yes, you're essentially running the code as the authenticated user already (though not necessarily). If the authenticated user has administrative privileges or just quickly clicks "allow" in order to get on with the install of whatever useless piece of crapware they think they need, then that's all it takes; now that process and everything associated with it, future or otherwise, gets run in that context. Or like Ian states, if there are holes in the API/WMI/RPC/DCOM (of which there are many) then the code gets run as SYSTEM, see above.
I think we're getting away from the DNS question and more into a generic discussion of how infections happen. I don't think the internet needs any more 'how to' guides in regards to this. Ask 5 programmers how "they'd do it" and you'll get 5 different answers. Suffice to say I've thought about this on occasion (as has any honest programmer) and could conceptually achieve it quite easily again, it's not that hard.

The 3 mistakes that allow this kind of nonsense to go on are essentially:

1. Running Windows in the first place (not a *nix fanboy here just logical enough to follow the money)
2. Running Windows as an administrative user all the time. FFS make a regular user account and drop down into root when you need to install something. Now watch as no malicious code can run under your regular user (mostly)
3. Not keeping your system patched. There's a reason you gotta update every other day, cause as soon as these holes are found they're patched. *nix is the same way; there are constant updates getting pushed through Synaptic. It's just the way it goes.
Leon Fester, Senior Solutions Architect
I had a partner claim that his small business was subject to a DNS attack where his staff's browsing was redirected to bogus sites

I highly doubt this to be the case...more than likely that his computers had a virus.

Besides, if he knew enough to tell you that it was hacked from the outside, then surely he'd have the skills/knowledge to have protected himself from such an attack.

Ask him how he fixed the problem?


I did ask him and he said that his IT adjusted his firewall, he didn't get specific though.
Should I believe him?


Just curious if you know of an actual successful DNS attack where users were re-directed to a bogus site, and if so, how was it fixed?
How's this one for ya, mrkent?


That's old news; it affected/infected half of the Fortune 500 companies and half the major Govt. agencies, something like 400,000 users in the US.
And it's not fixed (albeit through their own procrastination). The FBI is intending on shutting down the responsible DNS servers that they seized months ago, effectively cutting off the infected machines from the internet until they clean their own computers/networks.

Here's the summary: Your computer is infected from the 'public internet', said infection changes the local computer's primary DNS servers (the ones it uses to get to the 'public internet'), you send a request to google.com and your 'new' malicious DNS server accepts your request over the 'public internet' and instead of sending you to it sends you to Without DNS your computer has no idea what google.com is, and your new malicious server is happy to send you anywhere it likes.
I do it all the time developing websites; I have my own DNS server... anyone can, most businesses do. If I'm making yournewwebsite.com and it's hosted on my dev server during development, I still need to reach it by domain name. I use my local DNS server, which is for all intents and purposes a mirror of the real world, except I have A records pointing yournewwebsite.com to my local dev server. AND if your machine in anytown USA were using my DNS server you'd see that too; everyone else in the world using legit DNS would get a 404, cause it's my DNS server and I'm sending you where I want you to go. I infect your machine and all of a sudden google.com pulls up cashforass.com.

Why are you having such a tough time believing your 'partner'? I've explained ad nauseam how the infection could happen, what in DNS allows it to happen and even alluded to methods to make it happen.

If I'm alone and crash my car and say, "Well, a deer jumped out in front of me and I ran off the road," no one can prove anything except that deer are capable of running out in front of cars and have been known to do so. We have no idea if your partner fell prey to that attack, only that it is possible, which was the point of your question.

Me thinks you didn't read my previous posts.


Nope, I just have a terrible memory.

Thank you!


