DNS Attacks

Posted on by Darril.

Do you know the difference between a pharming attack and a DNS poisoning attack? You should if you plan to take the Security+ exam.  This post should help.

DNS Services

The primary purpose of Domain Name System (DNS) is to resolve host names to IP addresses. This eliminates the need for you and me to have to remember the IP address for websites. Instead, we simply type the name into the browser, and it connects. For example, if you type in gcgapremium.com as the Uniform Resource Locator (URL) in your web browser, your system queries a DNS server for the IP address. DNS responds with the correct IP address and your system connects to the website using the IP address.

DNS Attacks

DNS also provides reverse lookups. In a reverse lookup, a client sends an IP address to a DNS server with a request to resolve it to a name. Some applications use this as a rudimentary security mechanism to detect spoofing. For example, an attacker may try to spoof the computer’s identity by using a different name during a session. However, the Transmission Control Protocol/Internet Protocol (TCP/IP) packets in the session include the IP address of the masquerading system and a reverse lookup shows the system’s actual name. If the names are different, it shows suspicious activity. Reverse lookups are not 100 percent reliable because reverse lookup records are optional on DNS servers. However, they are useful when they’re available.

CompTIA Security+ Study Guide

The 601 Version of the Study Guide

The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide is an update to the top-selling SY0-201, SY0-301, SY0-401, and SY0-501 study guides, which have helped thousands of readers pass the exam the first time they took it.  It includes the same elements readers raved about in the previous four versions.

Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.

You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.

Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:

  • A 75 question pre-test
  • A 75 question post-test
  • Practice test questions at the end of every chapter.
 

Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.

If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.

Kindle edition also available.

The two DNS attacks you should know for  the Security+ exam are DNS poisoning and pharming.

GNU Glibc Vulnerability

One more thing to consider is that attackers are always looking for new attack methods. The GNU glibc vulnerability is an example of a relatively new DNS attack. It allows attackers to take control of Linux-based and Unix-based unpatched systems.

DNS Poisoning Attacks

A DNS poisoning attack attempts to modify or corrupt DNS results. For example, a successful DNS poisoning attack can modify the IP address associated with google.com and replace it with the IP address to a malicious web site. Each time a user queries DNS for the IP address of google.com, the DNS server responds with the IP address of the malicious website.

There have been several successful DNS poisoning attacks over the years. Many current DNS servers use Domain Name System Security Extensions (DNSSEC) to protect the DNS records and prevent DNS poisoning attacks.

Pharming Attacks

A pharming attack is another type of attack that manipulates the DNS name resolution process. It either tries to corrupt the DNS server or the DNS client. Just as a DNS poisoning attack can redirect users to different websites, a successful pharming attack redirects a user to a different website.

Pharming attacks on the client computer modify the hosts file used on Windows systems. This file is located in the C:\Windows\System32\drivers\etc\ folder. A default entry in the hosts file resolves the host name to the IP address of 127.0.0.1. If an attacker is able to modify other entries, he can cause systems to use that IP address instead of querying DNS. Many viruses have done this in the past. Here’s an example of a corrupted hosts file that modifies the entry for google.com:

127.0.0.1               localhost

204.79.197.200     google.com

Microsoft Bing uses the IP address of 204.79.197.200, so this modified hosts file will now cause all attempts to use Google to be redirected to Bing instead. Practical jokers might do this to a friend’s computer and it isn’t malicious. However, if the IP address points to a malicious server, this might cause the system to download malware.

Remember this

DNS poisoning attacks attempt to corrupt DNS data. A pharming attack redirects a website’s traffic to another website and can do so by modifying the hosts file on the user’s system.

Security+ (SY0-601) Practice Test Questions

SY0-601 Practice Test Questions 

Over 385 realistic Security+ practice test questions

At least 10 performance-based questions

All questions include explanations so you’ll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Upgrade Your Resume with the Security+ New Version

Multiple quiz formats to let you use these questions based on the way you learn.
  • Learn mode – randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you’ll see the explanation. Click here to see how learn mode works.
  • Test mode – randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode – 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions.

Pass the First Time You Take It

Get the full bank of SY0-601 Practice Test Questions Here

Click here if you’re looking for SY0-501 Online Study Package

See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide for more information on identifying advanced attacks.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!