What is DNS poisoning (DNS spoofing)?

DNS poisoning (DNS spoofing) is a technique in which an attacker impersonates another device, user, or client. The impersonation acts as a cover, which makes it easier to disrupt the regular flow of traffic or reach protected information.

The attackers replace legitimate Domain Name System (DNS) answers with spoofed ones. When a client then tries to visit a website, it is directed to a completely different site instead of the legitimate destination it asked for. Users usually don’t even realize they have landed on a fake site, because it is designed to look the same as the original, without any major differences.

Once the attack is under way, traffic is directed to the illegitimate server, so the attackers can perform malicious actions such as man-in-the-middle attacks and steal sensitive information. Another scenario is installing a virus on the victim’s computer and causing a lot of damage. They can even plant a worm to spread the harm to more devices.

Why is DNS poisoning so dangerous?

DNS poisoning poses risks to organizations and individuals alike. Perhaps the biggest risk is that once a device has fallen victim to DNS poisoning, the problem is very hard to fix, because the poisoned device keeps going back to the forged site. In addition, a DNS poisoning attack is very hard for a user to detect: the attackers direct traffic to a very similar-looking website, so the visitor doesn’t notice that anything is wrong, enters their sensitive information as usual, and doesn’t realize they have exposed themselves to severe risk.

Here are some of the most serious dangers of this type of attack:

  • Theft

With DNS poisoning, it is easy for attackers to steal sensitive information, for example logins for protected sites such as banks or organizational systems, or property ownership information. Personally identifiable information is also valuable, like social security numbers or payment details.

  • Malware and viruses

After a visitor is led to a forged website, the attackers can install a host of viruses and malware on the user’s device. This includes viruses designed to harm the device and the other devices it interacts with, while malware gives the attackers continuous access to the device and the information on it.

  • Security blockers

With DNS poisoning, malicious actors can cause critical damage over a long period. They redirect the traffic destined for security providers, which blocks devices from receiving the essential updates and patches that keep them secure. Over time the devices become more and more defenseless, and the door is open to various other kinds of attack, such as Trojans.

What are appropriate protective measures against it?

There are ways to protect DNS name resolution from being tampered with. One example is DNS cookies, which secure the integrity and authenticity of clients and servers and protect the queries and the information transferred between them. Another measure that helps protect against DNS spoofing is deploying DNSSEC.

To make DNS tampering even harder, it is essential to run well-maintained, up-to-date software on routers, name servers, and all other devices, because a patched system offers far fewer weak points for attackers and malware to exploit.
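The most basic defence a resolver has against a forged reply is to accept an answer only when its transaction ID and question section match a query it actually sent from a random source port. The following is an added example, not code from the original page; it builds a query, parses the question section of any DNS message, and applies that match check to constructed test replies (the 192.0.2.1 address is a documentation address). DNS cookies and DNSSEC, named above, add protection on top of this check.

```python
import os
import struct

# Constructed example, not code from the original page. A resolver must only
# accept a reply whose transaction ID and question match a query it actually
# sent (from a random source port); a forged reply that fails this check is
# dropped. DNS cookies and DNSSEC add stronger protection on top.

def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str) -> bytes:
    """Build an A/IN query with a random 16-bit transaction ID and RD set."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def parse_question(msg: bytes):
    """Return (txid, is_response, qname, qtype, qclass) from a DNS message."""
    txid, flags = struct.unpack("!HH", msg[:4])
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), ".".join(labels).lower(), qtype, qclass

def response_matches_query(query: bytes, response: bytes) -> bool:
    """The check a resolver applies before trusting and caching an answer."""
    q = parse_question(query)
    r = parse_question(response)
    # same ID, must be a response, and identical question (name, type, class)
    return r[1] and q[0] == r[0] and q[2:] == r[2:]

def make_response(txid: int, name: str) -> bytes:
    """Constructed test reply answering `name` with 192.0.2.1 (a TEST-NET address)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes([192, 0, 2, 1])
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer
```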

The Internet is a very large network. The current number of interconnected networks, devices, servers, routers, data centers, and so on is massive, and so is the amount of information exchanged every day. If we could visualize all the data packets traveling around the world every single second, the image would be astonishing.

This constant transit and interaction of components certainly needs order. Fortunately, the Internet’s creators took measures to avoid chaos, such as developing the Internet Protocol (IP), which was officially adopted on the ARPANET (the Internet’s ancestor) in 1983. The original version of IP is IPv4, the version behind the IPv4 address.

What’s IP?

The Internet Protocol is a set of rules for communicating online. It governs the format of the data moved across networks and the Internet. It also addresses and routes data packets so they reach their correct destination, using IP addresses.

What’s an IP address? 

An IP address is an identifier for most of the components involved in a network. Devices such as your computer, laptop, or smartphone need a private IP address to connect to a private network. When you connect to the Internet, you receive a public (also called global) IP address supplied by an Internet service provider (ISP). Servers also need a public IP address to operate.

Through IP addresses, the Internet identifies the participants (devices) involved in every communication. IP addresses also provide their location in the network and make machines reachable so they can communicate and exchange data.

IPv4 address – definition.

IPv4 address is the addressing method that IPv4 uses. It is a numerical string formed by four groups of numbers (between 0 and 254), divided by dots. Example: 224.67.110.13. It’s a 32-bit address. 

IPv4 is a connectionless protocol, so it needs no prior arrangement between the two endpoints to operate. In other words, a device can send data to a recipient without first checking that it is available.

IPv4 defines the packet format, the addresses, and how data is routed. A huge amount of data is transmitted every second on networks. IPv4 can detect when a packet is too big to be transferred to its destination; another protocol can then divide it into smaller pieces that are easier to transport. The destination IP address is written on every data packet and its route is defined, and from there the packets travel through routers, nodes, etc., until they reach their destination.

Devices need IPv4 addresses to connect to a network and be allowed to use its resources. Via IPv4, devices can also be identified and located on a network.
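The dotted-quad notation described above is just a human-readable rendering of the 32-bit value, and the private/public distinction from the IP address section is a test on that value. The example below is added here and is not code from the original page: it parses an address strictly (each octet is 8 bits, so 0 to 255), converts it to and from its 32-bit integer, and checks whether it falls inside the RFC 1918 private ranges.

```python
import re

# Constructed example (not from the original page): strict parsing of the
# IPv4 dotted-quad text into the 32-bit value it encodes, the reverse, and a
# private/public check over the RFC 1918 ranges used for private networks.

RFC1918_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))

def ipv4_to_int(text: str) -> int:
    """Parse 'a.b.c.d' strictly: exactly four decimal octets, each 0..255 (8 bits)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not re.fullmatch(r"\d{1,3}", part):  # rejects '', signs, spaces, hex
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet {octet} out of range in {text!r}")
        value = (value << 8) | octet
    return value  # a 32-bit unsigned integer

def int_to_ipv4(value: int) -> str:
    """Render a 32-bit value back to dotted-quad form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def is_valid_ipv4(text: str) -> bool:
    """True if `text` is a well-formed IPv4 address."""
    try:
        ipv4_to_int(text)
        return True
    except ValueError:
        return False

def in_prefix(addr: str, network: str, prefix_len: int) -> bool:
    """True if addr falls inside network/prefix_len, comparing under a 32-bit mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ipv4_to_int(addr) & mask == ipv4_to_int(network) & mask

def is_private(addr: str) -> bool:
    """Private (RFC 1918) addresses are only meaningful inside a local network."""
    return any(in_prefix(addr, net, plen) for net, plen in RFC1918_RANGES)
```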

Despite its age, IPv4 is still a very popular IP version. Its replacement, IPv6, is ready and working, but completing the transition until IPv4 is no longer used is taking time.

Pros of IPv4 address.

IPv4 addresses consist of fewer digits than the new version (IPv6) offers, which reduces the margin for human error during manual tasks.

Wider compatibility. Old and new systems support this version very well, while only newer devices support IPv6.

Its topology is simpler and easier to use on networks.

Cons of IPv4 address.

The IPv4 header allows a maximum of 60 bytes (typically 20), so you can’t include many parameters.

There has been a shortage of IPv4 addresses for some time. Because of this, the world is transitioning to IPv6.

The still-high demand for IPv4 addresses and the short supply can force you to pay a lot for them.

Conclusion.

Many administrators still prefer IPv4, but the need for IP addresses grows massively every day. Soon we will have to adopt the new protocol. Meanwhile, well done, IPv4!

We could not skip one of the essentials, the DNS CNAME record, when expanding on Domain Name System records. So let’s dive in and explain a little more about it.

DNS CNAME record explained

The DNS CNAME record is also known as the canonical name record. It has a very specific role: to define that one domain name is simply another way to reach the primary hostname, which is also known as the canonical domain. You can use the CNAME record for many purposes, but the appropriate way to apply it is for subdomains.

Simply directing your subdomains to your primary domain is the perfect use case for the CNAME record.

There is one thing to remember about the DNS CNAME record: once such a record exists for a hostname, you cannot add any other DNS records for that hostname. If you want similar behaviour, directing one hostname to another while also adding more records, such as MX records, you can use the ALIAS record instead, which will help you achieve that goal.

Structure

The DNS CNAME record is a simple text record with several elements:

  • Host – The current hostname. It can be a subdomain or a service that you want to direct to the actual host.
  • Type – CNAME. This is the type of DNS record you want to apply.
  • Points to – Here you set the actual canonical name. You can create several CNAME records, pointing several subdomains to the same canonical name.
  • TTL – The time period that determines how long the record is cached on the recursive DNS server.

Example of the DNS CNAME record 

  • Host: www.example.com
  • Type: CNAME
  • Points to: example.com
  • TTL: 1 Hour.

You can use the DNS CNAME record to:

  • Direct ordinary subdomains, and those used for services like FTP or email, to the primary host.
  • Help Content Delivery Networks (CDNs) coordinate traffic: a query for the origin server can be directed to a CNAME record that is part of the CDN, which then returns the result that best fits the user.
  • Point many websites owned by one company to just a single one.

CNAME record VS ALIAS record

The DNS CNAME record points one name to another hostname. It must only be applied when there are no other records for that hostname. The ALIAS record also points a name to another hostname; the difference is that the ALIAS record can coexist with other records on that hostname. The ALIAS record can also be added for the root domain.
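The CNAME rule from the Structure section and the CNAME versus ALIAS comparison above can both be checked mechanically. The following is an added example (not code from the original page or any DNS provider): a small zone checker that flags a CNAME sharing a name with other records while allowing an ALIAS to, and a resolver that follows CNAME/ALIAS hops, run over a constructed zone built around the page’s www.example.com record.

```python
from typing import Dict, List, Tuple

# Constructed example (not code from the original page): a small zone checker
# that enforces the CNAME rule (a name with a CNAME may carry no other record,
# while an ALIAS may) and a resolver that follows CNAME/ALIAS chains.

Record = Tuple[str, str, str]  # (host, type, value)

def check_zone(records: List[Record]) -> List[str]:
    """Return rule violations; an empty list means the zone is valid."""
    by_host: Dict[str, List[Record]] = {}
    for rec in records:
        by_host.setdefault(rec[0].lower(), []).append(rec)
    problems = []
    for host, recs in by_host.items():
        types = [r[1] for r in recs]
        others = sorted(set(types) - {"CNAME"})
        if "CNAME" in types and others:
            problems.append(f"{host}: CNAME cannot coexist with {others}")
        if types.count("CNAME") > 1:
            problems.append(f"{host}: more than one CNAME")
    return problems

def resolve(records: List[Record], name: str, rtype: str = "A", max_hops: int = 8) -> List[str]:
    """Follow CNAME/ALIAS hops from `name` and return the final `rtype` values."""
    name = name.lower()
    for _ in range(max_hops):
        at_name = [r for r in records if r[0].lower() == name]
        direct = [r[2] for r in at_name if r[1] == rtype]
        if direct:
            return direct
        hops = [r for r in at_name if r[1] in ("CNAME", "ALIAS")]
        if not hops:
            return []
        name = hops[0][2].lower()  # look again at the canonical name
    raise RuntimeError(f"chain ending at {name} too long (loop?)")

# Constructed zone built around the page's www.example.com -> example.com record
ZONE: List[Record] = [
    ("example.com", "A", "192.0.2.10"),
    ("example.com", "MX", "mail.example.com"),
    ("www.example.com", "CNAME", "example.com"),
    ("mail.example.com", "A", "192.0.2.25"),
]
BAD_ZONE = ZONE + [("www.example.com", "MX", "mail.example.com")]  # violates the rule
ALIAS_ZONE = ZONE + [("shop.example.com", "ALIAS", "example.com"),
                     ("shop.example.com", "MX", "mail.example.com")]  # allowed
```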

Conclusion.

The DNS CNAME record is really beneficial. Just make sure you use it the right way.

Nslookup explained.

Nslookup is a very practical network administration command-line tool. It is very useful and has a simple interface. Its name breaks down into “ns” for nameserver and “lookup” for querying it. It is primarily used to find the IP address that corresponds to a host, and also for “Reverse DNS Lookup,” which finds the domain name that matches an IP address. You use it from the terminal to check domains, devices/IP addresses, or DNS records. It is available on the traditional computer operating systems: Linux, macOS, and also Windows.

On most Linux distros it comes pre-installed, so you don’t have to download it yourself. Network admins like it because it also has extra options to adjust the query, such as picking a port, a timeout period, and more. The command returns a clean and simple answer:

the IP address, when you looked up a domain,

or the domain, for a reverse lookup.

Along with that, the command tells you whether the answer comes from an authoritative or a non-authoritative server.

What is it used for?

Nslookup is appropriate in different situations. The command-line program is an essential tool when troubleshooting DNS problems.

  • A data query helps detect the cause of the issue.
  • Check whether all involved servers are properly registered in the domain name system.
  • When several subdomains are involved, you can check for connection problems.
  • Find the mail servers (SMTP, POP, IMAP) for the domain. Nslookup shows the servers based on the MX records that belong to the email provider’s domain. These records contain the names and IP addresses of the provider’s servers.

Nslookup guide

Try the nslookup command with these examples of general use cases:

  • The A record of a domain (shows IP address)

nslookup example.com

You will see the address of the domain. 

  • The NS records of a domain (the authoritative nameserver)

nslookup -type=ns example.com

You will see which nameservers are listed for the domain, and whether the answer is authoritative or non-authoritative.

  • The SOA record of a domain (start of authority)

nslookup -type=soa example.com

This record provides the start of authority and general technical information about the zone.

  • The MX record, information about the email exchange

nslookup -query=mx example.com

View the MX records of the mail servers. 

  • See all DNS records of the domain.

nslookup -type=any example.com

You can also make a more general query, and you will see all available DNS records. 

  • Check a specific name server.

nslookup example.com ns1.nsexample.com

You can also perform a query and see data for a particular name server. You will see the domain name, IPv4, and IPv6 addresses. 

  • Reverse DNS lookup

nslookup 11.22.33.44

Make sure that an IP address matches the domain: do a reverse DNS lookup and verify it.

  • Check a domain through a specific port.

nslookup -port=51 example.com

The same query, but performed through port 51. You can replace the number with the port you like.

  • Check a domain with a specific reply timeout interval.

nslookup -timeout=20 example.com

You can change the reply timeout interval. Here it is set to 20 seconds, but you can extend or shorten it. Increasing it gives the name servers more time to respond.

  • Activate the debug mode

nslookup -debug example.com

The debug mode will provide a lot more information. Further data will be given both for the question and the answer to the query. 
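When nslookup is used in a script, for instance to compare what your resolver returns with what the authoritative nameserver returns, its text output has to be parsed. The following is an added example, not from the original page: a parser for the BIND-style output that nslookup prints on Linux and macOS (Windows prints a different layout), run over constructed sample outputs that use documentation addresses from 192.0.2.0/24.

```python
import re

# Constructed example, not from the original page: parse the text that the
# BIND-style nslookup on Linux/macOS prints (Windows output differs) so a
# script can record who answered, whether it was authoritative, and the records.

def parse_nslookup(output: str) -> dict:
    result = {"server": None, "authoritative": True, "addresses": [], "mx": []}
    in_answer = False  # lines before the answer describe the server that was asked
    for line in (raw.strip() for raw in output.splitlines()):
        if not line:
            continue
        if line.startswith("Non-authoritative answer"):
            result["authoritative"] = False
            in_answer = True
        elif line.startswith("Name:"):
            in_answer = True
        elif line.startswith("Address:"):
            value = line.split(":", 1)[1].strip()
            if in_answer:
                result["addresses"].append(value)
            else:
                result["server"] = value.split("#")[0]  # strip the '#53' port suffix
        elif "mail exchanger" in line:
            m = re.search(r"mail exchanger = (\d+) (\S+)", line)
            if m:
                result["mx"].append((int(m.group(1)), m.group(2).rstrip(".")))
    return result

def same_addresses(out_a: str, out_b: str) -> bool:
    """True when two outputs (e.g. your resolver vs. the authoritative server) agree."""
    return sorted(parse_nslookup(out_a)["addresses"]) == sorted(parse_nslookup(out_b)["addresses"])

# Constructed sample outputs using documentation addresses (192.0.2.0/24)
RESOLVER_OUTPUT = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\texample.com
Address: 192.0.2.10
"""
AUTHORITATIVE_OUTPUT = """\
Server:\t\tns1.nsexample.com
Address:\t192.0.2.2#53

Name:\texample.com
Address: 192.0.2.10
"""
```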

Using Dynamic DNS can be very beneficial for many people. Simply put, this DNS service is an automatic method for refreshing records with new IP addresses. A static IP address can be very pricey. So let’s explain a little more about Dynamic DNS and the benefits of using it.

Dynamic DNS explained.

Dynamic Domain Name System is also called DDNS or Dynamic DNS.

Standard DNS links domain names to IP addresses through A or AAAA DNS records. The advantage of Dynamic DNS is that it automatically updates the host’s IP address, so visitors can still reach it even when its IP address changes.

Dynamic DNS is a simple-to-use service. It lets you reach your hosted services easily even when your ISP changes your IP address. For example, with DDNS you can run a web hosting server, mail server, or database server, or use your home network for CCTV cameras.

Why would the ISP change your IP address? The truth is that it is easier to administer the network that way. IP addresses are leased to clients for a particular amount of time; this task is assigned to a DHCP server, which the ISP typically relies on. When that limited time runs out, customers receive a new IP address.

Dynamic DNS is an easy-to-use, easy-to-set-up solution. It is usually free and serves nearly every scenario.

How does Dynamic DNS work?

If you want to implement DDNS, you have to sign up with a Dynamic DNS provider. After that, you install their software on the host computer, that is, the computer that acts as the server, such as a web server or a file server.

The software watches the dynamic IP address for changes. When it detects a difference in the address, it reaches the DDNS service to update your account with the new IP address. 

The DDNS software has to run constantly so it can identify a change in the IP address. That way the DDNS name associated with your account keeps directing clients to the host server even though the IP may change many times.
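The three paragraphs above describe a loop: poll the public IP, compare it with the last published one, and push an update to the provider when it differs. The example below is added here and is not the page’s code or any provider’s client; it implements that loop with the IP detection and the provider call injected (the ISP and provider stand-ins are constructed), so it also shows what happens when a provider update fails and has to be retried on the next poll.

```python
# Constructed example (not the page's code nor any provider's client): the
# change-detection loop that DDNS software runs on the host. Detecting the
# public IP and calling the provider's update API are injected, so it runs offline.

class DdnsUpdater:
    def __init__(self, hostname, detect_ip, push_update):
        self.hostname = hostname
        self.detect_ip = detect_ip            # callable returning the current public IP
        self.push_update = push_update        # callable(hostname, ip) -> True if accepted
        self.published_ip = None              # last IP the provider confirmed

    def tick(self) -> str:
        """One polling round: returns 'nochange', 'updated' or 'failed'."""
        current = self.detect_ip()
        if current == self.published_ip:
            return "nochange"                 # avoid needless update calls
        if self.push_update(self.hostname, current):
            self.published_ip = current       # mark published only once accepted
            return "updated"
        return "failed"                       # stale published_ip forces a retry

# Constructed stand-ins for the ISP's lease changes and the DDNS provider
class FakeIsp:
    """Hands out IPs from a scripted sequence, one per poll (the last one repeats)."""
    def __init__(self, sequence):
        self.sequence, self.polls = sequence, 0
    def current_ip(self) -> str:
        ip = self.sequence[min(self.polls, len(self.sequence) - 1)]
        self.polls += 1
        return ip

class FakeProvider:
    """Stores hostname -> IP; optionally fails the first call (transient error)."""
    def __init__(self, fail_first: bool = False):
        self.records = {}
        self.fail_first = fail_first
    def update(self, hostname: str, ip: str) -> bool:
        if self.fail_first:
            self.fail_first = False
            return False
        self.records[hostname] = ip
        return True

def simulate(ip_sequence, fail_first: bool = False):
    """Run one tick per IP in the sequence; return (events, provider records)."""
    isp, provider = FakeIsp(ip_sequence), FakeProvider(fail_first)
    updater = DdnsUpdater("home.example.net", isp.current_ip, provider.update)
    events = [updater.tick() for _ in ip_sequence]
    return events, provider.records
```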

If you have files that you want to be able to access from any location, a Dynamic DNS service becomes a requirement. Other cases are hosting your website from home, managing your home computer network remotely, remoting into your computer when you are away, or any other similar reason.

A Dynamic DNS service is unnecessary for networks with static IP addresses. Once the IP address has been registered the first time, the domain name never needs to be updated again. The reason is simple: static IP addresses don’t change.

Benefits from using it

Keeps you online. It decreases downtime by auto-updating the IP addresses, so the devices or services remain available over the Internet.

Easy to use. You only need to set it up once, for example for IP cameras used for monitoring: go to your router’s settings and enter the username and password for your Dynamic DNS service.

More affordable than static IPs. If you have several devices, paying for just one DDNS service is much cheaper than paying for a static IP address for each of them.