Monday, September 1, 2008

DNS cache poisoning

An attacker is running his own domain (attacker.net) with his own "hacked" DNS server (ns.attacker.net). It is called a hacked DNS server because the attacker has customized the records in his own DNS server; for instance, one record could be www.cnn.com=81.81.81.81.

1) The attacker sends a request to the user's DNS server asking it to resolve www.attacker.net.

2) The user's DNS server does not know this machine's IP address; the name does not belong to its domain, so it needs to ask the responsible name server.

3) The hacked DNS server replies to the user's DNS server and, at the same time, hands over all of its records (including its record for www.cnn.com).

Note: this process is called a zone transfer.

4) The DNS server is now "poisoned". The attacker got his IP, but who cares: his goal was not to get the IP address of his web server but to force a zone transfer and leave your DNS server poisoned for as long as the cache is not cleared or updated.

5) Now if the user asks his DNS server for the IP address of www.cnn.com, it will give him 172.50.50.50, where the attacker runs his own web server. Or even simpler, the attacker could just run a bouncer forwarding all packets to the real web site and vice versa, so the user would see the real web site, but all of the user's traffic would pass through the attacker's server.


This is one of the ways cache poisoning works.
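The scenario above only works if the user's resolver caches every record that ns.attacker.net hands it, including the one for www.cnn.com. The resolver-side defence is a bailiwick check: only records whose names fall under the zone the server is authoritative for (attacker.net) are accepted, and anything else in the reply is dropped. The following is an added example, not code from the original post; it models a tiny resolver cache with and without that check. The reply, the 198.51.100.10 address for www.attacker.net, and the record names are constructed sample data (the 172.50.50.50 value is the one the post uses).

```python
"""Bailiwick check for a resolver cache (added example, constructed data).

Models the defence against the post's scenario: a reply from
ns.attacker.net about www.attacker.net also carries a record for
www.cnn.com. A naive resolver caches both and is poisoned; a resolver
that enforces the bailiwick of the server it asked discards the stray
record and is not.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """A resource record as the cache sees it: owner name, type, value."""
    name: str
    rtype: str
    value: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a proper subdomain of it.

    Comparison is case-insensitive and ignores trailing dots. The
    dot-prefix check prevents 'notattacker.net' from matching
    'attacker.net'.
    """
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)

    def accept_reply(self, queried_zone: str, records: list, strict: bool) -> list:
        """Cache the records of a reply and return those that were rejected.

        strict=False models the naive resolver of the post (caches everything
        the authoritative server sends); strict=True keeps only records inside
        the bailiwick of the zone that server was asked about.
        """
        rejected = []
        for rr in records:
            if strict and not in_bailiwick(rr.name, queried_zone):
                rejected.append(rr)
                continue
            self.entries[(rr.name.rstrip(".").lower(), rr.rtype)] = rr.value
        return rejected

    def lookup(self, name: str, rtype: str = "A"):
        """Return the cached value for (name, type), or None if absent."""
        return self.entries.get((name.rstrip(".").lower(), rtype))


# Constructed reply from ns.attacker.net to the query for www.attacker.net.
# The second record is the stray www.cnn.com entry from step 3 of the post.
REPLY = [
    RR("www.attacker.net", "A", "198.51.100.10"),   # constructed address
    RR("www.cnn.com", "A", "172.50.50.50"),         # attacker-controlled value
]


def simulate(strict: bool):
    """Feed the constructed reply to a fresh cache and report the outcome.

    Returns (cached value for www.cnn.com or None, names of rejected records).
    """
    cache = Cache()
    rejected = cache.accept_reply("attacker.net", REPLY, strict)
    return cache.lookup("www.cnn.com"), [r.name for r in rejected]


if __name__ == "__main__":
    print("naive resolver  :", simulate(strict=False))   # poisoned
    print("bailiwick check :", simulate(strict=True))    # stray record dropped
```

Running the script shows the naive cache answering 172.50.50.50 for www.cnn.com, while the checking cache returns nothing for that name and lists www.cnn.com among the rejected records. Real resolvers apply the same rule to the authority and additional sections of every reply, which is why the "extra records" trick in step 3 no longer works against them.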