[dns-operations] difference between dns spoofing and dns hijacking?

wbrown at e1b.org wbrown at e1b.org
Tue Jul 24 12:25:14 UTC 2018


From: "Lauren C." <lauren at miscnote.net>

> While the DNS hijacking involves a malware, the DNS Cache poisoning 
> involves overwriting your local DNS cache with fake values that redirect 
> your browser to malicious websites. ... Though DNS Cache Poisoning and 
> DNS Hijacking are used interchangeably, there is a small difference 
> between them.
> 
> Not very sure about the explanation.
> Can you kindly expand it?

The ultimate goal of a DNS attack is to get you to go to a server under 
the malicious actor rather than the one you would like.  In my mind there 
are two ways to attack DNS. 

The first is to modify the authoritative data.  This can be done by 
hacking the authoritative DNS servers and modifying the data there.  It 
can also be done by hacking the registrar and pointing the domain to DNS 
servers with the modified data.  I consider either of these "Hijacking". 
It does not necessarily involve malware.  A good social engineering attack 
to get the registrant's credentials to modify their data at the Registrar 
(including DNS server info) qualifies in my definition.

Cache poisoning is a little more clear cut (at least to me).  Someone 
manages to convince my local caching server that example.com has an 
address other than what the authoritative server says.  When I ask the 
local DNS for example.com, it will answer from the cache and give me the 
bogus data.  This will work until the TTL expires, or the bad data is 
flushed for other reasons.  If the cache is re-poisoned, the scenario 
repeats itself. 

Hope that helps.

Bill
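An added illustration (not from Bill's message or from the list) of the cache behaviour he describes: a toy caching-resolver model that serves whatever sits in its cache until the TTL expires or the entry is flushed, plus a defender-side audit that flags cached answers disagreeing with authoritative data. The names, addresses, the 300-second TTL and the in-memory "authoritative" table are constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed stand-in for the authoritative zone data (documentation-range address).
AUTHORITATIVE = {"example.com": "192.0.2.10"}

class FakeClock:
    """Manually advanced clock so TTL expiry can be shown without waiting."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds

@dataclass
class CacheEntry:
    address: str
    expires_at: float

class CachingResolver:
    """Minimal model: answer from cache while the TTL holds, else ask 'authoritative'."""
    def __init__(self, clock=time.monotonic, ttl=300):
        self.clock, self.ttl, self.cache = clock, ttl, {}

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry and entry.expires_at > self.clock():
            return entry.address              # served from cache, bogus or not
        address = AUTHORITATIVE[name]         # stand-in for an upstream authoritative query
        self.cache[name] = CacheEntry(address, self.clock() + self.ttl)
        return address

    def flush(self, name):
        """Operator action: drop the entry so the next query goes upstream again."""
        self.cache.pop(name, None)

def audit_cache(resolver):
    """Defender check: live cache entries whose answer disagrees with authoritative data."""
    now = resolver.clock()
    return sorted(name for name, e in resolver.cache.items()
                  if e.expires_at > now and AUTHORITATIVE.get(name) != e.address)

def demo():
    clock = FakeClock()
    r = CachingResolver(clock)
    # Model the already-poisoned state Bill describes: a bogus answer with a live TTL.
    r.cache["example.com"] = CacheEntry("203.0.113.5", clock() + r.ttl)
    first = r.resolve("example.com")      # bogus answer keeps being served from cache
    flagged = audit_cache(r)              # audit spots the disagreement
    clock.advance(r.ttl + 1)              # TTL expires ...
    second = r.resolve("example.com")     # ... so the next query re-fetches the real answer
    return first, flagged, second
```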
