Saturday, December 05, 2009

DNS security flaws

In practice the DNS service behaves very much like the /etc/hosts file on your computer, which is where the system looks up names first, before querying DNS at all. The file is basically a list of IP addresses, each followed by the name(s) you've associated with that address. For example, if you edit the file you can associate any domain name with any IP address of your choosing.

1. Open Terminal and enter the following command to edit the hosts file:

sudo pico /etc/hosts

2. Go to the bottom of the file and enter the following:

74.125.19.106 www.apple.com

3. Press control-o followed by the return key to save the file.

After you have done this, open your web browser and enter "www.apple.com" in the address bar. If everything works as it should, you should see the homepage of Google load instead of that of Apple. The hosts file has resolved "www.apple.com" to the IP address for Google. To reverse the change, delete the line and re-save the file.

What you have just done illustrates one potential problem with any domain name resolution service: any such service can improperly resolve domain names, sometimes deliberately, for malicious purposes.

Imagine having a name like your bank's website resolved to a server that looks exactly like your bank's, but actually is not. The name in your browser's address bar will be your bank's address, and the website may look the same, but the server is in fact not your bank's. This is one hack that thieves have used to steal identities (called "Pharming"), and as you can see from editing the hosts file it's not all that hard to do. In fact, some recent malware for OS X (DNSChanger) can alter the DNS servers in your system to servers that strive to do exactly this.
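The two ways name resolution gets subverted above (a hosts-file override like the www.apple.com line in the steps, and a swapped-out DNS server as with DNSChanger) can both be caught by auditing the files involved. The following is an added example written for this post, not code from the original or from any of the tools mentioned: it parses hosts-file text in the format described above and a resolv.conf-style resolver list, then reports any entry that redirects a public hostname to a routable address and any nameserver not on an allow-list you supply. The sample file contents are constructed for the example (the 203.0.113.7 resolver is a documentation-range placeholder), so it runs offline; to audit a real machine you would read /etc/hosts and your resolver configuration into the same functions.

```python
"""Audit name-resolution overrides: hosts-file entries and configured resolvers.

Added example for this post, not code from the original. File contents are
passed in as strings so the constructed samples below run offline.
"""
import ipaddress
from typing import List, Set, Tuple

# Names that legitimately live in /etc/hosts on a stock system.
LOCAL_NAMES = {"localhost", "broadcasthost", "localhost.localdomain"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, [names]) pairs.

    Blank lines and '#' comments are ignored; a line with an address but
    no name is malformed and skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str]]:
    """Return (name, address) pairs that send a non-local name to a routable address.

    Loopback and unspecified (0.0.0.0) targets are not redirections: they
    only sinkhole a name, which is how ad-blocking hosts files work.
    """
    findings = []
    for ip_str, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # e.g. scoped link-local like fe80::1%lo0; not a redirection
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((name, ip_str))
    return findings


def parse_resolvers(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def unexpected_resolvers(text: str, allowed: Set[str]) -> List[str]:
    """Return configured nameservers that are not on the allow-list."""
    return [s for s in parse_resolvers(text) if s not in allowed]


# Constructed sample hosts file: a stock OS X layout plus the override from the post.
SAMPLE_HOSTS = """\
##
# Host Database (constructed sample for this example)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
0.0.0.0         ads.example.net   # sinkhole entry, not a redirection
74.125.19.106   www.apple.com     # the override entered in the steps above
"""

# Constructed resolver list: the router, plus a placeholder for a server a
# DNS-changing program might have inserted (203.0.113.7 is a documentation range).
SAMPLE_RESOLV = """\
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

if __name__ == "__main__":
    for name, addr in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {addr}")
    for server in unexpected_resolvers(SAMPLE_RESOLV, {"192.168.1.1"}):
        print(f"unexpected resolver: {server}")
```

The allow-list for resolvers has to come from you (your router, your ISP, or the public resolver you chose), since the script cannot know which servers you intended; the point is that a resolver you did not configure is worth a second look.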
