Security 101 : DNS poisoning
DNS poisoning changes the HOSTS file - maps hostnames to addresses - . It works by changing an IP addresses to point to a malicious site instead of the original one.
DNS poisoning redirects requests accessing the DNS server to the wrong - malicious - machine.
DNS servers exchange and synchronize information between themselves using zone transfers.
Below is a simple diagram that describes this attack:
- Attackers send the wrong DNS entries to a "valid" DNS server through their malicious DNS servers - using zone transfers -.
- Some "vulnerable" DNS server don't check the DNS data sent to them, and they end up storing wrong data locally and also diffusing it to other DNS servers through zone transfers.
- The attackers send a request to a DNS server asking it to resolve the name "www.wrong.com".
- The DNS server asks the authoritative nameserver for that address which is the malicious DNS machine "ns.wrong.com".
- The malicious DNS server "ns.wrong.com" sends back the address of "www.wrong.com" along with other wrong records that point also to malicious machines through a zone transfer.
- subsequent requests to the valid DNS server will answer with wrong records.