Chapter 46 Β· Flashcards

DNS Attacks Flashcards

Click any card to reveal its definition.

0 / 10 flipped
DNS Poisoning
Tap to reveal
An attack that corrupts DNS data to redirect users to malicious destinations instead of legitimate servers. Three attack vectors: (1) modify the DNS server directly β€” requires server access; affects all querying users; (2) modify the client host file β€” local only; host file takes precedence over DNS; (3) send a fake DNS response via an on-path attack β€” real-time interception; requires network positioning. All three result in the user's browser connecting to an attacker-controlled IP while believing they're visiting a trusted domain.
Host File
Tap to reveal
A local text file on every operating system that maps domain names to IP addresses. The host file takes precedence over DNS queries β€” if a domain entry exists in the host file, the system uses it immediately without ever contacting the DNS server. Attack implication: malware that rewrites the host file can redirect specific domains (e.g., banking sites) to attacker IPs, affecting only that device. Requires elevated privileges to modify. Location: C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts (Linux/Mac).
On-Path DNS Attack
Tap to reveal
A DNS poisoning technique where the attacker positions themselves between client and DNS server to intercept queries in real time and inject forged responses. Because DNS uses UDP (no session authentication), the client accepts the first answer it receives. The attacker responds with a malicious IP before the legitimate DNS server's answer arrives. No DNS server compromise or endpoint access is required β€” only network positioning. Classified as an on-path (MITM) attack. Directly mitigated by DNSSEC, which cryptographically validates DNS responses.
DNS Server Modification
Tap to reveal
A DNS poisoning method where the attacker compromises the DNS server directly and changes its records β€” for example, modifying the A record for a domain from the legitimate IP (.164) to the attacker's IP (100.100.100.100). All users who query that server after the modification receive the attacker's IP. Requires significant access β€” admin credentials or exploiting a server vulnerability. DNS servers are well-protected, making this less common but highly impactful when successful (affects everyone using that server, not just one device).
Domain Hijacking
Tap to reveal
An attack where the attacker gains control of a domain's registrar account and modifies DNS records to redirect all traffic to attacker-controlled servers. Does not require compromising the victim's web servers or network β€” controlling the registrar account is sufficient. Entry methods: brute force the registrar login, social engineer registrar support, compromise the email account linked to the domain (enabling password reset). Once domains are redirected, the attacker can impersonate the entire service. Defense: MFA on the registrar account and associated email.
Brazil Bank Attack (October 22, 2016)
Tap to reveal
The definitive domain hijacking case study. Attackers modified domain registrations for 36 domains belonging to a Brazilian bank, redirecting all traffic β€” desktop sites, mobile apps, all digital banking β€” to attacker infrastructure for six hours. No bank server was compromised. The bank had over 5 million customers and ~$27 billion in assets; all customer credentials submitted during those six hours were captured. Entry method: registrar account compromise. The lesson: controlling the domain name equals controlling the service, regardless of how hardened the backend servers are.
URL Hijacking
Tap to reveal
Registering deceptive domain names to intercept misdirected traffic β€” no DNS server compromise required. Exploits user errors or assumptions about domain names. Motivations: advertising revenue (most common), domain resale to the real owner, redirecting to competitors, phishing (fake login page to harvest credentials), and malware delivery via drive-by downloads. Unlike DNS poisoning, the attacker owns a real domain β€” there is no technical attack on the DNS infrastructure. Also called typosquatting or brandjacking.
Typosquatting / Brandjacking
Tap to reveal
A URL hijacking technique that registers domain names resembling a legitimate domain to capture traffic from users who mistype or misremember the address. Four variation types: (1) misspelling — professormesser.com → professormessor.com (e→o); (2) missing character — professormeser.com (dropped 's'); (3) added character — professormessers.com (extra 's'); (4) different TLD — professormesser.org instead of .com. "Brandjacking" emphasizes exploitation of brand recognition. Users may not notice the difference and interact with the fake site as if it were legitimate.
DNSSEC
Tap to reveal
DNS Security Extensions β€” adds cryptographic signatures to DNS records to validate the authenticity of DNS responses. When DNSSEC is enabled, DNS records are signed with the zone's private key; resolvers verify the signature before accepting the response. Directly prevents on-path forged DNS responses. Does NOT protect against: host file modification (bypasses DNS entirely), direct DNS server compromise (attacker controls the signing key), domain hijacking at the registrar level, or typosquatting. DNSSEC is a targeted control β€” one layer of the DNS defense stack, not a complete solution.
Registrar Account Security
Tap to reveal
The primary defense against domain hijacking. MFA on the domain registrar account means a stolen password alone cannot be used to change DNS records β€” the attacker also needs the second factor. The email account linked to the domain registration requires equal protection, since registrars allow password resets via email; an attacker who controls that inbox can reset the registrar password. Both the registrar account and its associated email must have MFA enabled for effective domain hijacking defense. Monitoring for unauthorized DNS changes provides detection capability as a secondary control.