[dns-operations] difference between dns spoofing and dns hijacking?
wbrown at e1b.org
wbrown at e1b.org
Tue Jul 24 12:25:14 UTC 2018
From: "Lauren C." <lauren at miscnote.net>
> While the DNS hijacking involves a malware, the DNS Cache poisoning
> involves overwriting your local DNS cache with fake values that redirect
> your browser to malicious websites. ... Though DNS Cache Poisoning and
> DNS Hijacking are used interchangeably, there is a small difference
> between them.
> Not very sure about the explanation.
> Can you kindly expand it?
The ultimate goal of a DNS attack is to get you to go to a server under
the malicious actor rather than the one you would like. In my mind there
are two ways to attack DNS.
The first is to modify the authoritative data. This can be done by
hacking the authoritative DNS servers and mondifying the data there. It
can also be done by hacking the registrar and pointing the domain to DNS
servers with the modified data. I consider either of these "Hijacking".
It does not necessarily involve malware. A good social engineering attack
to get the registrant's credentials to modify their data at the Registrar
(including DNS server info) qualifies in my definition.
Cache poisoning is a little more clear cut (at least to me). Somone
manages to convince my local caching server that example.com has an
address other than what the authoritative server say. When I ask the
local DNS for example.com, it will answer from the cache and give me the
bogus data. This will work until the TTL expires, or the bad data is
flushed for other reasons. If the cache is re-poisoned, the scenario
Hope that helps.
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.
More information about the dns-operations