DNS Poisoning – CompTIA Network+ N10-007 – 4.4

DNS poisoning can be an effective way to attack many devices at one time. In this video, you’ll learn how a DNS poisoning attacks can be implemented.

<< Previous Video: Ransomware Next: Spoofing >>

The domain name services are a critical part of our IP networking. These are obviously the servers that are taking the names that we provide and give us IP addresses in translation. If you’re able to modify the information in the DNS server, if you are able to manipulate the information inside of this DNS server, then you could potentially send someone to an IP address that isn’t necessarily where they thought they were going.

One way to do this is to modify the files that are on the workstations. If you change the client’s host file, for example, it won’t even make the request to a DNS server. You can simply direct someone to an IP address based on what you put on the file on that person’s machine.

Changing the contents of a single file across a large number of devices may be too difficult to manage. That’s why many bad guys focus their efforts on changing what’s in the DNS server. That way, the clients don’t have to be changed. You just make one change on the DNS server, and now the response to all of those clients has been updated with whatever the bad guy would like.

There’s many different ways to do this, but most of them involve taking control of the DNS server. Here’s how this might work. You’ve got a couple of users that will need access to professormesser.com. There’s a bad guy down here who’s going to want to poison the DNS server.

And then you’ve got the DNS server itself, which has professormesser.com and the IP address for my web server. User number one is going to make a request to my DNS server and get the appropriate IP address for that particular domain. And it will register and keep that information in its cache.

Before the second user is able to make the exact same request, the bad guy is going to take control of the DNS server and make changes so that the professormesser.com address is now pointing to a completely different IP address. Now, each subsequent user to the DNS server will still get a response from professormesser.ccom, but it will contain a completely incorrect IP address. Now the bad guy has control of where people will be going every time they type in professormesser.com.