[dns-operations] difference between dns spoofing and dns hijacking?

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jul 24 08:37:50 UTC 2018


On Tue, Jul 24, 2018 at 03:30:02PM +0800,
 Lauren C. <lauren at miscnote.net> wrote 
 a message of 18 lines which said:

> While the DNS hijacking involves a malware, the DNS Cache poisoning
> involves overwriting your local DNS cache with fake values that
> redirect your browser to malicious websites. ... Though DNS Cache
> Poisoning and DNS Hijacking are used interchangeably, there is a
> small difference between them.
> 
> Not very sure about the explanation.

Unfortunately, there is no standard terminology, and, even if there is
one, the media speaks more or less at random (anything involving the
DNS becomes "cache poisoning").

(The IETF is working on a new version of the RFC on DNS terminology,
but attacks like cache poisoning are not in it.)

Among the possible attacks (you're welcome to label them as you want):

* exploiting a weakness in the security of the account at a registry
or registrar to modify the database, then changing the DNS
authoritative data (example: wikileaks.org, august 2017) Probably the
most common attack.

* a malware changing the DNS resolvers configured in the local
machine, thus directing clients to a rogue resolver (example: DNS
changer, 2009) The Alter attack of 2018 is a variant of that, changing
the IP address of the resolver in transit, and not in the local
configuration.

* replying before the authoritative server in the hope that the reply
will be accepted by the resolver, and cached (read RFC 5452 for
details). Old trick, improved by Kaminsky in 2008.

* hijacking BGP to redirect to a rogue authoritative server (example:
MyEtherWallet.com, april 2018) Not very common.

* hijacking local routing to redirect to a rogue resolver. Often used
against public resolvers like Google Public DNS (example: Turkey in
march 2014)

* and many others.






More information about the dns-operations mailing list