Professor Vahab COMP 424 13 November 2016 DNS Spoofing DNS spoofing, also known as DNS Cache Poisoning, is one of the most widely used man-in-the-middle attacks that capitalizes on vulnerabilities in the domain name system that returns a false IP address and routes the user to a malicious domain. Whenever a machine contacts a domain name such as www.bankofamerica.com, it must first contact its DNS server which responds with multiple IP addresses where your machine can reach the website. Your computer is then able to connect directly to one of the IP addresses and the DNS is able to convert the IP addresses into a human-readable domain name. If an attacker is able to gain control of a DNS server and change some of its properties such as routing Bank of America’s website to an attacker’s IP address. At that location, the attacker is then able to unsuspectingly steal the user’s credentials and account information. Attackers use spam and other forms of attack to deliver malware that changes DNS settings and installs a rogue Certificate Authority. The DNS changes point to the hacker's secret DNS name server so that when the users access the web they are directed to proxy servers instead of authorized sites. They can also start to blacklist domains and frustrate the user with their day to day activities. All blacklisted domains would have their traffic dropped instead of forwarded to their intended destination. Based on the rogue Certificate Authority the system has no sign that an attack is taking place or ever took place. All the user sees is the real website with the indications of a secure connection, but it doesn’t see the proxy that is sitting next to the connection. This allows the proxy to take total control of the user’s accounts and carry out malicious activities. Citations Hoffman, Chris. "What Is DNS Cache Poisoning?" HowTo Geek RSS. N.p., 9 Jan. 2015. Web. 13 Nov. 2016. Sanders, Chris. "Understanding Man-In-The-Middle Attacks – Part2: DNS Spoofing." WindowSecurity.com. N.p., 07 Apr. 2010. Web. 13 Nov. .