CAPEC-598: DNS Spoofing
An adversary sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record) response to a target's route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the target's DNS requests. This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the target's infrastructure uses.
Last updated
Overview
CAPEC-598 (DNS Spoofing) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- On/In Path Device
Skills required
- Low skill: To distribute email
How to mitigate it
Defenses that reduce the risk of CAPEC-598.
- Design: Avoid dependence on DNS
- Design: Include "hosts file"/IP address in the application
- Implementation: Utilize a .onion domain with Tor support
- Implementation: DNSSEC
- Implementation: DNS-hold-open
Examples
Below-Recursive DNS Poisoning: When an On/In-path device between a recursive DNS server and a user sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record ) response before a legitimate resolver can.
Above-Recursive DNS Poisoning: When an On/In-path device between an authority server (e.g., government-managed) and a recursive DNS server sends a malicious ("NXDOMAIN" ("No such domain")code, or a DNS record) response before a legitimate resolver can.