The Domain Name System (DNS) is the mechanism that lets Internet hosts translate names that are meaningful to humans, like www.yahoo.com, into the machine-readable IP address numbers, like 216.109.112.135, that computers actually use to connect. A sophisticated hierarchical database system spread across the Internet is required to accomplish this task. One of the core components of that system is the DNS server, which serves as the translator. For instance, when you type the domain name http://www.yahoo.com into your favorite browser, your computer sends this request to a designated DNS server (usually provided by your Internet Service Provider, or ISP), which translates it to the machine-readable IP address 216.109.112.135. This enables your computer to connect your browser software to the correct web server.

If you are interested in knowing the IP address(es) of your DNS server(s), you can look them up on Windows 2000/XP/Vista by choosing Start -> Run, typing “cmd” in the Run window, and clicking OK.

In the command prompt window, type “ipconfig /all” and hit return. This will display a list of network connection information. For example:

From this list, you can see that the DNS server IP addresses are 217.1.32.208 and 215.251.144.126. This machine will query either one of these two DNS servers for any new domain name enquiry.

You may wonder: what if these two DNS servers return a wrong IP address for the domain name you specified? If this happens, you will be redirected to the wrong site, even though you have typed the correct domain name in your browser.

And this is exactly what a hacker can do. If a hacker attacks a DNS server and maliciously corrupts the information in the DNS server’s database, then all the hosts that rely on this DNS server for domain name resolution could be misdirected to the wrong Internet server.

This enables the hacker to hijack the Internet connection of the victims. For example, a hacker could re-direct an Internet banking site’s domain name to his or her own server and lure visitors to key in their private login information into this fake website. This allows the hacker to steal this information for the purpose of committing crimes such as identity theft.

Another type of attack involves using similar domain names like paypal.com and paypa1.com. Can you tell the difference between these two domain names? No, we didn’t make a typo! Actually, the first “paypal” ends with a lower-case “l” (L), and the second one ends with the numeral “1” (ONE). In this scenario, the attacker uses various tricks, like scam emails, to lure visitors into clicking a deceptive link that leads to the attacker’s own fake site, and then obtains their private login information as in the first example. The term “phishing” has been coined to describe this type of security breach.

Perhaps the solution to counter these problems is user education. Internet users should be made aware that these kinds of attacks are possible, and learn how to determine that the sites that they are visiting are genuine ones.

Usually, for a website to perform an authentication information exchange with a visitor, such as asking for a visitor’s login information, it will initiate a popular Internet secure communication method called SSL (Secure Sockets Layer). You can determine that the website is using this secure method by looking at the address in the address bar: the “http://” part of the address will change to “https://”. At that moment, the web server opens an encrypted communication with the visitor by providing its server certificate to your computer. This server certificate can be viewed in your browser by clicking the “padlock” sign. It is usually at the lower right corner (Internet Explorer version 6 and Firefox) or at the upper right corner beside the address bar (Internet Explorer version 7) of your browser.

If the site is genuine, you can clearly see the site’s URL along with the certificate authority that issued the server certificate (two common certificate authorities are Verisign and Thawte).

Take a look at the well-known Internet banking website, Citicorp. When you pull up the Citicorp banking login screen, click on the padlock as described above to display the website’s certificate. Note that this one is issued by Verisign.

If you click on the option “View certificates”, you can view more detailed information about this server certificate:

Here you can verify that the certificate is for the domain “citibank.com” and that the certificate has not yet expired.

After completing the validation process, you can safely enter your login information with confidence, because the site is very unlikely to be a fake. If you follow these steps every time you access a secure web site, you can avoid becoming the victim of a DNS attack.
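The two checks described above, that the certificate is for the domain you typed and that it is still within its validity period, written out as a Python function over the dictionary layout that `ssl.SSLSocket.getpeercert()` returns. This is an added example, not code from the original article; the certificate values are constructed for illustration and are not Citibank’s real certificate. It also handles the look-alike domain case from the phishing example: a certificate that is valid for paypa1.com still fails when you meant paypal.com.

```python
import ssl
import time

# Constructed sample in the dict layout that ssl.SSLSocket.getpeercert()
# returns; the values are illustrative, not a real Citibank certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.citibank.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "subjectAltName": (("DNS", "www.citibank.com"), ("DNS", "citibank.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# A fixed "current time" so the example is reproducible offline.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

def name_matches(pattern, hostname):
    """Match one certificate DNS name against the hostname the user typed.
    A wildcard is honoured only for the left-most label, so *.citibank.com
    covers www.citibank.com but not citibank.com or a.b.citibank.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    return sep == "." and head != "" and "." + rest == pattern[1:]

def check_certificate(cert, hostname, now=None):
    """The two checks the article has you do by eye: the certificate is for
    the domain you typed, and it is inside its validity period.
    Returns (ok, reasons); reasons is empty when the certificate passes."""
    reasons = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates carry the name only in the CN
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        reasons.append(f"name mismatch: certificate is for {names}, not {hostname}")
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("certificate has expired")
    return (not reasons, reasons)

if __name__ == "__main__":
    # The genuine site passes; a look-alike or unrelated domain fails the
    # name check even if its own certificate is perfectly valid.
    print(check_certificate(SAMPLE_CERT, "www.citibank.com", SAMPLE_NOW))
    print(check_certificate(SAMPLE_CERT, "www.paypal.com", SAMPLE_NOW))
```

A browser performs these same checks automatically and additionally verifies the issuer’s signature chain, which this example does not reproduce.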
