Do you know the difference between a pharming attack and a DNS poisoning attack? You should if you plan to take the Security+ exam. This post should help.
The primary purpose of Domain Name System (DNS) is to resolve host names to IP addresses. This eliminates the need for you and me to have to remember the IP address for websites. Instead, we simply type the name into the browser, and it connects. For example, if you type in gcgapremium.com as the Uniform Resource Locator (URL) in your web browser, your system queries a DNS server for the IP address. DNS responds with the correct IP address and your system connects to the website using the IP address.
DNS also provides reverse lookups. In a reverse lookup, a client sends an IP address to a DNS server with a request to resolve it to a name. Some applications use this as a rudimentary security mechanism to detect spoofing. For example, an attacker may try to spoof the computer’s identity by using a different name during a session. However, the Transmission Control Protocol/Internet Protocol (TCP/IP) packets in the session include the IP address of the masquerading system and a reverse lookup shows the system’s actual name. If the names are different, it shows suspicious activity. Reverse lookups are not 100 percent reliable because reverse lookup records are optional on DNS servers. However, they are useful when they’re available.
The two DNS attacks you should know for the Security+ exam are DNS poisoning and pharming.
GNU Glibc Vulnerability
One more thing to consider is that attackers are always looking for new attack methods. The GNU glibc vulnerability is an example of a relatively new DNS attack. It allows attackers to take control of Linux-based and Unix-based unpatched systems.
DNS Poisoning Attacks
A DNS poisoning attack attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with google.com and replace it with the IP address to a malicious web site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious website.
There have been several successful DNS poisoning attacks over the years. Many current DNS servers use Domain Name System Security Extensions (DNSSEC) to protect the DNS records and prevent DNS poisoning attacks.
A pharming attack is another type of attack that manipulates the DNS name resolution process. It either tries to corrupt the DNS server or the DNS client. Just as a DNS poisoning attack can redirect users to different websites, a successful pharming attack redirects a user to a different website.
Pharming attacks on the client computer modify the hosts file used on Windows systems. This file is located in the C:\Windows\System32\drivers\etc\ folder. A default entry in the hosts file resolves the host name to the IP address of 127.0.0.1. If an attacker is able to modify other entries, he can cause systems to use that IP address instead of querying DNS. Many viruses have done this in the past. Here’s an example of a corrupted hosts file that modifies the entry for google.com:
Microsoft Bing uses the IP address of 220.127.116.11, so this modified hosts file will now cause all attempts to use Google to be redirected to Bing instead. Practical jokers might do this to a friend’s computer and it isn’t malicious. However, if the IP address points to a malicious server, this might cause the system to download malware.
DNS poisoning attacks attempt to corrupt DNS data. A pharming attack redirects a website’s traffic to another website and can do so by modifying the hosts file on the user’s system.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on identifying advanced attacks.