A DNS spoofing attack is about as easy to perform as a DHCP poisoning attack. The victim’s name lookups are answered by the attacker’s fake DNS service, so requests for Internet or internal sites are redirected to the attacker’s site, where the hacker can harvest credentials or launch browser-based attacks, such as a Java runtime error, to trick the victim.
The same effect can be achieved with the local “hosts” file on the computer. The attack rests on “name resolution order” and on manipulating that process. DNS is designed so that every query first goes to a DNS server, usually a local one on the network or one supplied by the ISP.
That server is pre-configured with the IP addresses of the top-level (root) DNS servers on the Internet, which are the official “source of truth” for all hostnames and IP addresses. The root server that answers replies with the address of a lower-level DNS server, and the process repeats until the name is resolved to an IP address, usually at least three levels down.
In practice, however, this full walk rarely happens today. The Internet is millions of times larger than was anticipated when DNS was designed, and the root DNS servers would be swamped by the number of requests actually made. Lower-level DNS servers therefore “cache” data, saving it locally for quicker responses. A cached entry is kept for the length of time defined by the Time-To-Live (TTL) setting on each DNS server. It is these caches that can be poisoned (injected) with false data that sends requesters to the hacker’s IP address. A complete mastery of DNS is needed to defend against these attacks, because they target a traditionally open port, TCP/UDP 53, that today’s networks cannot do without.
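As an added example (not part of the original text), here is a minimal Python check that a caching resolver or a monitoring tool can apply to an incoming reply before it is trusted: the transaction ID must belong to an outstanding query, the question must match that query, and every record in the reply must lie within the zone that was asked about, so a forged reply cannot plant an entry for an unrelated name. The wire-format builder, the sample names (www.example.com., login.bank.test.) and the addresses are constructed for this demonstration.

```python
import struct

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        l = msg[off]
        if (l & 0xC0) == 0xC0:                     # pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if l == 0:
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + l].decode())
        off += 1 + l

def build_response(txid, qname, records):
    """Constructed sample reply: one A question plus (owner, ipv4) answer records."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for owner, ip in records:
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4)  # TTL 300s
        body += bytes(int(o) for o in ip.split("."))
    return hdr + body

def check_response(outstanding, msg):
    """outstanding maps transaction id -> queried name; returns 'accept' or a reason.
    Source-port matching, which real resolvers also require, is omitted here."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid not in outstanding:
        return "reject: unknown transaction id"    # blind reply guessing the TXID
    qname, off = decode_name(msg, 12)
    off += 4                                        # skip QTYPE and QCLASS
    if qname != outstanding[txid]:
        return "reject: question does not match query"
    zone = qname.split(".", 1)[1]                   # parent zone of the queried name
    for _ in range(an + ns + ar):                   # every RR in the reply
        owner, off = decode_name(msg, off)
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if owner != zone and not owner.endswith("." + zone):
            return f"reject: out-of-bailiwick record for {owner}"
    return "accept"
```

Run with a dictionary of outstanding queries and a captured reply; anything other than "accept" is a reply that must not be cached.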