If the DNS is spoofed, then reverse lookup authentications may fail.
Root causes
Multiple IP addresses may be associated with a single computer (multiple interfaces, for example).
Subsequent DNS queries are answered with the bogus IP address, so traffic is sent to the wrong host.
This happened in the summer of '97 as part of the battle between InterNIC and AlterNIC over ownership of top-level domains.
A Java applet on the victim machine which came from the bad guy's domain attempts to open a network connection to X. The security manager asks DNS for the IP address of X, gets bogus information from the bad guy's DNS server, sees that the address for X is one of the addresses for the applet server, and allows the connection.
A network connection has been established to a machine from which the evil applet did not come.
DNS is based on UDP, making it easy to flood a client with bogus DNS response packets. If the bogus packets (this involves IP spoofing too) appear to be from the legitimate DNS server, then the client may accept one of these bogus responses.
Scenario 4
Most nameserver software (on clients or servers) maintains a cache of resolved names for performance reasons. Some implementations are not picky about caching DNS responses, even if those responses were never requested. This makes it possible for an attacker to fill the cache of a victim with bogus DNS mappings.
Solutions
RSA Digital Systems donated a technology license to the people who maintain a commonly used code base for DNS.
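The "picky" behaviour missing in the caching scenario above can be shown as an added example (not code from any DNS implementation): a response is considered for caching only if it matches a query the resolver actually sent, by transaction ID, server address and question. The Pending record, the function names and the sample packets are assumptions made for this illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    """One outstanding query this resolver sent (hypothetical structure)."""
    txid: int
    server: tuple   # (ip, port) the query was sent to
    qname: str      # lower-case name that was asked
    qtype: int

def read_name(msg, off):
    """Read an uncompressed DNS name; return (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower(), off
        if n & 0xC0:
            raise ValueError("compressed name not handled in this sketch")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def acceptable(msg, src, pending):
    """True only if msg answers a query we sent, from the server we asked."""
    if len(msg) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & 0x8000 or qdcount != 1:   # must be a response, one question
        return False
    try:
        qname, off = read_name(msg, 12)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False                         # malformed or truncated packet
    return Pending(txid, src, qname, qtype) in pending

def build_response(txid, qname, qtype=1):
    """Constructed sample packet: header plus question only, QR bit set."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + q + struct.pack("!HH", qtype, 1)
```

This check rejects responses that were never requested; a packet that forges the server's address and guesses the 16-bit ID still passes it, which is the flooding case described earlier.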