IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 5.78 DNS spoofing
To be able to communicate with another computer in the Internet, one needs to
know its IP address. This address consists of 4 sets of numbers between 0 and
255, e.g. 194.95.176.226. As such numbers are not very easy to memorise,
almost all IP addresses are assigned names. This method is termed DNS
(Domain Name System). Consequently, the WWW server of the BSI can be
addressed under http://www.bsi.bund.de as well as http://194.95.176.226,
because the name is converted into the IP address during polling.
The databases in which computer names are assigned IP addresses, and vice
versa, are located on name servers. Two databases are available for allocation
of names to IP addresses. The first database allocates IP addresses to names,
while the second database allocates names to IP addresses. These databases
need not be mutually consistent! DNS spoofing is said to occur when an
intruder becomes successful in forging an allocation between a computer
name and an IP address, i.e. assigning a name to a false address, or vice versa.
This allows the following types of intrusion:
- r-services (rsh, rlogin, rsh)
These services allow authentication on the basis of client names. The
server knows the IP address of the client and requests its name via the
DNS.
- Web spoofing
An intruder could assign the address www.bsi.bund.de to a wrong
computer, which would then be addressed each time
http://www.bsi.bund.de is entered.
The ease with which DNS spoofing can be performed depends on how the
attacked network has been configured. As no computer can hold all the DNS
information existing in the world, it always has to rely on information from
other computers. To reduce the volume of DNS requests, most name servers
temporarily store information which they have received from other name
servers.
Once someone has infiltrated a name server, they are also able to modify the
information it holds. Direct intrusion into a name server is not considered
further here. Instead, the principal shortcomings of DNS are mentioned.
The two examples below are intended to describe different techniques of DNS
spoofing.
1. A user on the computer named pc.customer.de first intends to access
www.company-x.de and then the competitor's server www.company-y.de.
To allow access to www.company-x.de, the corresponding IP address needs
to be requested from the name server ns.customer.de. This server does not
know the address either, and then requests it from the name server of
ns.company-x.de. This server returns the IP address, which is forwarded by
ns.customer.de to the user and stored. If, in addition to the IP address of
www.company-x.de, the response from ns.company-x.de also contains any
other IP address for the computer name www.company-y.de, it is also
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000