Spoofing means replacing the original information with fake information.
DNS Spoofing: Normally, if a user requests anything, the request first goes to the DNS server, and then the user gets the response back.
DNS spoofing is one type of man-in-the-middle attack; it forces the victim to go to a fake website.
In DNS spoofing, when the user requests anything, the request goes to the DNS server, and the DNS server searches its cache to see whether the corresponding address is there or not. In the middle, the attacker is observing, and the attacker gives the response instead of the DNS server. The user then visits the fake website.
As the diagram above shows, the user sends a request to the DNS server, and the attacker, instead of the DNS server, gives the response to the user, so the user goes to the fake website.
Snooping means gaining unauthorized access.
If you send a request to the DNS server, DNS snooping checks whether the corresponding resource record is available or not, and from that it concludes whether the DNS server's owner or users have recently visited a specific site.
It may reveal information about the DNS server's owner, and also which websites the victim visits, such as the bank, service provider and vendors they use.
DNS snooping is also used for gathering statistical information. For example, if the user logs into a bank website for net banking, then by using DNS snooping the attacker gets to know at what time the user logged into the website and when they logged out, and the TTL information as well.
DNS snooping uses two types of queries:
- Using non-recursive queries.
- Using recursive queries.
1. Using non-recursive queries:
This is the simplest option: a query for the name the snooper is interested in, with the recursion desired bit in the query header set to zero. If the answers are in the cache, the server will provide them.
2. Using recursive queries:
This is very similar to the above, except that the snooper has to deduce that the recursive server responded from cache by looking at both the time it took the server to respond and the TTL of the answers given.
To prevent DNS snooping, there are two guidelines:
- Make sure recursion is restricted to your own IP address range, or disable it completely.
- Configure Simple DNS Plus not to answer lame DNS requests from the cache.
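The following is an added example, not part of the original page: a small filter that reads the recursion desired (RD) bit from a raw DNS message and applies the first guideline, flagging RD=0 queries that arrive from outside your own range. The range `TRUSTED_NET`, the function names and the verdict labels are assumptions made for illustration, and the sample queries are constructed.

```python
import ipaddress
import struct

# Assumption: the resolver's own clients live in this range (constructed value).
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")

def build_query(name, rd, txid=0x1234):
    """Build a minimal A/IN query; used only to construct sample input."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 0x0100 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_query(packet):
    """Return (qname, rd, is_query) from a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("invalid label in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), bool(flags & 0x0100), (flags & 0x8000) == 0

def classify(src_ip, packet):
    """Decide how a resolver-side filter should treat one incoming message."""
    qname, rd, is_query = parse_query(packet)
    if not is_query:
        return "ignore"            # a response, not a query
    inside = ipaddress.ip_address(src_ip) in TRUSTED_NET
    if not rd:
        # RD=0 asks only for what is already cached: the non-recursive snoop.
        return "review" if inside else "snoop-suspect"
    return "allow" if inside else "refuse-recursion"
```

Recursive snooping from inside the trusted range still returns "allow" here, because it is indistinguishable from a normal lookup at the packet level; that case relies on the response-time and TTL side channel described above.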
Difference between spoofing and snooping:
- In spoofing, the attacker changes the original information to fake information, but in snooping the attacker gains unauthorized access.
- In spoofing, the attacker observes and then exchanges the information, but in snooping the attacker first gains unauthorized access and then gains the information.