15

The question is in the title. I have been reading about DNS spoofing. What if I were to save the IP addresses of websites I consider sensitive and then just enter the IP address when I am using a suspicious connection to prevent myself from DNS spoofing attack? Will it work? Why or why not?

AviD
  • 72,138
  • 22
  • 136
  • 218
Lmk
  • 151
  • 1
  • 3
  • 1
    How do you know the correct IP if you haven't resolved a domain name? – NULLZ Jul 17 '13 at 01:01
  • @D3C4FF: I would guess the OP does that by getting the IP's first at home, then abroad, using the IP's – Marcel Jul 17 '13 at 10:34
  • You could ofcourse check the resolved address against your saved address. If they are different, the server has either been moved or you are under attack, in which case you could opt to bail out. However, if they are the same, you know nothing yet as there could be more DNS's in play (round robin?) – Nanne Jul 17 '13 at 16:00

5 Answers5

20

This won't work for many websites. Many websites use virtual hosts where they host websites for multiple domains from a single webserver. In this case, the only way they know what site you're coming from is by the hostname your browser sends in the Host header of the HTTP request.

The way to do this would be to specifically add these entries into your /etc/hosts (or on Windows, \Windows\System32\drivers\etc\hosts) file and continue to type the domain out as usual.

Unfortunately, even this can be impractical. Not only can you disable features like DNS-based load balancing and location-based DNS results (should you travel), but you could also open yourself up to attack should a site change IP addresses. It wouldn't be unreasonable for an attacker to consider trying to acquire the IP addresses large sites may have relinquished.

TL;DR this

  • is inconvenient as hell,
  • can disable useful DNS-based features
  • doesn't really add much practical security, and
  • introduces as many new attack vectors as it closes
Stephen Touset
  • 5,736
  • 1
  • 23
  • 38
  • 4
    A good example of this, go ping `security.stackexcange.com` and you will likely get the ip `198.252.206.16`, but if you [visit that IP](http://198.252.206.16/), you do not get this website. – Scott Chamberlain Jul 18 '13 at 05:03
  • I should add that using header modification extensions, the `Host` header can be set to the destination address when visiting the IP in the browser. – David Refoua Oct 29 '16 at 00:08
4

Suppose foo.com has the IP address 11.11.11.11.

With DNS spoofing, you worry that foo.com will not correctly resolve to 11.11.11.11, because an attacker has fooled you into thinking its IP address is 22.22.22.22. In this case, your problem is that the domain record you have doesn't point to the IP address you really want.

Now, imagine you always enter 11.11.11.11 to avoid the possibility of being DNS spoofed. Now suppose foo.com just moved from 11.11.11.11 to 33.33.33.33. You suddenly have the opposite problem: the IP address you have doesn't correspond to the domain you want. (In this case, you could be attacked by someone who had the ability to re-assign the IP 11.11.11.11 to a specific host.) This is a management problem that you can solve by using DNS. If a host changes IP addresses, how can you discover where it has moved unless you check its DNS record?

One other (minor) problem is that Web servers expect to get a Host header that specifies what hostname you are trying to reach. A Web server might host multiple domains on a single IP address (e.g., 11.11.11.11 might answer to both foo.com and bar.com, and it needs to know which one you really want). If you type 11.11.11.11 into you address bar, your browser will say you want the Host: 11.11.11.11 instead of Host: foo.com. This could be overcome by manually specifying HTTP fields (or getting/making a browser extension that does it for you).

apsillers
  • 5,780
  • 27
  • 33
0

Echo to everything being said.

I think you're approaching this problem backwards. Why try to override sites one by one in the event a DNS record is being spoofed? Find a trusted, secure openDNS provider and setup your machine to resolve DNS to that server always, instead of any server the network you're connected to wants to give you. To add another layer of tinfoil you could setup your own DNS server on EC2 or similar and always resolve to that.

Matt Surabian
  • 539
  • 3
  • 5
0

If you somehow know the host IP address and don't want to rely on DNS just add it to your HOST file. If you happen to have many machines to maintain these DNS settings on, you'll need a way to keep all these files updated. An XCopy often works well for this, short of re-inventing DNS...

If your hosts aren't connected constantly over a VPN, an alternate approach to maintaining several HOST files is to set up your own private DNS server with DNSSec enabled for all the zones. If you follow this approach you should disable recursive name resolution off so you don't inadvertantly poison your cache or save "hacked" DNS entries from someone who gave you wrong information.

I would advise against all these solutions since its possible and common for a website to be hacked (SQL injection, etc) and some webmasters use DNS updates a means for dealing with the issue, and your PC will not get the updates.

Then again, you might find a common middle ground by conditionally forwarding your recursive queries for domains you don't "care" about.

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
0

Another problem is, that most modern websites requests resources from other hosts (JS libraries from a CND or even from a server controlled by the website owner) and the URI contains the DNS name in the most cases. You would have to know the IP addresses and proper HOST header of all the resources the desired website needs and stop your browser to resolve the links automatically.

Noir
  • 2,523
  • 13
  • 23