DNS MITM Attack

Question

If you're in a public space (eg. airport, coffee shop) and and mistakenly connect to a rogue access point is it possible for them to intercept your DNS queries and replace them with ones that send you to a server under their control? If it's an https site you're trying to reach I would imagine it will be a little harder to pull off but I figure they could redirect you to a misspelling of the real domain and then present a similar login page in an attempt to steal your creds.

Answer 1

is it possible for them to intercept your DNS queries and replace them with ones that send you to a server under their control?

Yes, a MITM attacker can intercept your DNS queries and change the response to point to a different server. The original DNS protocol has no built-in security and its queries and responses can be easily modified. The DNSSEC protocol is one possible approach to prevent these attacks by adding authentication to DNS traffic (but not encryption).

If it's an https site you're trying to reach I would imagine it will be a little harder to pull off [...]

If it's an HTTPS site, the attacker can't just connect you to a different server because you browser verifies the site's TLS certificate. If they try to connect you to their own server when you visit https://mybank.com/, they won't be able to complete a TLS handshake because they don't posess a CA-signed certificate for mybank.com. Consequently, your browser would warn you that the connection isn't trusted. See "How does SSL/TLS work?" for details.

they could redirect you to a misspelling of the real domain and then present a similar login page in an attempt to steal your creds.

Yes, that's possible. But this only works if the attacker captures any plain HTTP traffic where they can inject their malicious redirect. If the victims uses HTTPS right from the beginning, there is no way for the attacker to redirect you to a different domain. HSTS is a technique to prevent these redirection attacks (and downgrade attacks in general). It's a HTTP header that websites can send to force users to always visit their site via HTTPS after their first visit, thereby giving a MITM no opportunity to tamper with any plain HTTP traffic.

Answer 2

Yes this is possible.

If haven't manually specified your DNS server for the interface you're working on and receive one from DHCP, they can just send you to their own malicious DNS server and resolve your requests for you.

Even without a DNS server being specified in your interface settings, the firewall can be configured to redirect TCP / UDP 53 (DNS) to a server of the attackers choosing. HTTPS makes this exponentially harder to do without convincing the victim to either ignore SSL warnings or install a root CA on the victims box.

Answer 3

You can easily perform the MITM attack. Whenever you want to visit a webiste like Google.com, your web browser would initiate a DNS packet to the DNS server in order to resolve the Google.com domain name into an IP address for IP Routing. But suppose you are a mallicious attacker and use packet sniffing tools, then you can easily capture the DNS request or reply packet and then easily manipulate the stuff in the packet.

It does not matter wether you try to vist HTTP or HTTPS website because any website ( let it be HTTP or HTTPS ) first needs a DNS resolution.

Only way to mitigate such attack is to hardwrite the IP address of the website in your host file (which is a tedious job) or you can use a VPN wherein you can tunnel even the DNS traffic to the VPN server and be sure that no attacker can tamper your data while you are on public network.

Answer 4

Yes, this is possible! When you attach with MITM, all connections of the victim's device are routed to yours. Because of that you can easily fake a hosts file. I usually use dnsspoof. This is a preinstalled tool of Kali Linux.