[dns-operations] difference between dns spoofing and dns hijacking?
Doug Barton
dougb at dougbarton.email
Sat Aug 4 05:17:51 UTC 2018
On 08/02/2018 11:43 AM, John Levine wrote:
> In article <alpine.DEB.2.20.1808021112290.3596 at grey.csi.cam.ac.uk> you write:
>>> Is this a "hijack" or a "spoof" or a "poison" attack?
>
> If I were defining these things, which I don't at this point think I
> am, I'd say a DNS hijack involved taking over the legitimate owner's
> facilities such as a registrar account or DNS server to inject false
> data. A spoof injects false data by tricking the recipient to accept
> data from an illegitimate source.
>
> If we wanted to try and distinguish poison from spoof, I'd wave my
> hands and say that poison somehow involves piggybacking bad data on
> good data.
The term cache poisoning has long referred to the act of trying to get
the malicious reply in ahead of the legitimate reply after a resolver
initiates a query. Bonus points if you can somehow prompt the resolver
to make the query in the first place.
Spoofing generally involves getting a target resolver to query a domain
you control, and including bad data in the response, usually in the
ADDITIONAL section.
But all three terms are used nebulously, so I wouldn't claim AUTHORITY
on these definitions. :)
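As an added illustration (not part of the post, and not code from any real resolver), the two cases Doug describes map onto two resolver-side checks: a reply is only accepted if it matches the outstanding query's randomised transaction ID, source port and question (which is what makes the "get your reply in first" race hard, per RFC 5452), and records outside the bailiwick of the server that was asked are discarded, which is what neuters bad data in the ADDITIONAL section. Every name, port and address below is constructed sample data; the record/query structures and the `EPHEMERAL` port range are assumptions for the toy, and real resolvers layer further rules on top (RFC 2181 trust ranking, DNSSEC validation).

```python
"""Toy resolver-side checks for the two cases discussed in the thread: a forged
reply racing the legitimate one (cache poisoning) and out-of-bailiwick data
riding in the ADDITIONAL section (spoofing). All sample data is constructed."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # UDP source port the resolver sent from
    qname: str
    qtype: str
    zone: str        # zone the queried server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answer: tuple
    additional: tuple


@dataclass
class Verdict:
    accepted: bool
    reason: str
    cacheable: list = field(default_factory=list)
    discarded: list = field(default_factory=list)


EPHEMERAL = (1024, 65535)  # assumed ephemeral source-port range for this toy


def new_query(qname, qtype, zone):
    """Randomise both txid and source port, so a blind forger must match roughly
    32 bits of entropy before the genuine reply arrives, not just the 16-bit ID."""
    txid = secrets.randbelow(1 << 16)
    port = EPHEMERAL[0] + secrets.randbelow(EPHEMERAL[1] - EPHEMERAL[0] + 1)
    return Query(txid, port, qname, qtype, zone)


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def validate_response(query, resp):
    """Poisoning defence: reply must match the outstanding query on txid, port and
    question. Spoofing defence: records outside the queried server's bailiwick
    are discarded, whichever section they appear in."""
    if resp.txid != query.txid:
        return Verdict(False, "txid mismatch")
    if resp.dst_port != query.src_port:
        return Verdict(False, "destination port mismatch")
    if (resp.qname.lower(), resp.qtype) != (query.qname.lower(), query.qtype):
        return Verdict(False, "question section mismatch")
    v = Verdict(True, "accepted")
    for rr in resp.answer + resp.additional:
        (v.cacheable if in_bailiwick(rr.name, query.zone) else v.discarded).append(rr)
    return v


# Constructed sample: we asked example.net's server for www.example.net / A.
SAMPLE_QUERY = Query(txid=0x1A2B, src_port=40123,
                     qname="www.example.net", qtype="A", zone="example.net")

# A genuine-looking reply that also carries an out-of-bailiwick ADDITIONAL record.
SAMPLE_REPLY = Response(
    txid=0x1A2B, dst_port=40123, qname="www.example.net", qtype="A",
    answer=(RR("www.example.net", "A", "192.0.2.10"),),
    additional=(RR("ns1.example.net", "A", "192.0.2.53"),
                RR("www.example.com", "A", "198.51.100.9")),
)

# A forged reply whose guessed transaction ID did not match the outstanding query.
FORGED_REPLY = Response(
    txid=0x1A2C, dst_port=40123, qname="www.example.net", qtype="A",
    answer=(RR("www.example.net", "A", "203.0.113.66"),), additional=(),
)

if __name__ == "__main__":
    for label, reply in (("genuine", SAMPLE_REPLY), ("forged", FORGED_REPLY)):
        v = validate_response(SAMPLE_QUERY, reply)
        print(label, v.reason,
              "cache:", [r.name for r in v.cacheable],
              "drop:", [r.name for r in v.discarded])
```

Running it caches `www.example.net` and `ns1.example.net` from the genuine reply while dropping `www.example.com` from its ADDITIONAL section, and rejects the forged reply outright on the transaction-ID check before any of its records are looked at.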