New study: DNS spoofing doubles in six years ... albeit from the point of naff all

Boffins from the University of Southern California's Information Sciences Institute have crunched six years and four months of data, and found that DNS spoofing, while uncommon, has doubled during that time.

"We show that spoofing today is rare, occurring only in about 1.7 per cent of observations," explain Lan Wei, a doctoral student, and John Heidemann, research professor of computer science, in a working paper distributed through ArXiv. "However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally."

The Domain Name System, or DNS, translates human-friendly domain names (eg, theregister.com) into computer-friendly numeric IP addresses (eg, 104.18.4.22) so that netizens can point their browsers and other software to particular services on the internet, such as this humble organ. DNS was designed back in the 1980s, and its overlord ICANN observes, "security was not a primary consideration in its design."

Consequently, without any security protections, it's easy to spoof, meaning that third-parties can intercept and respond to DNS queries with different results, for good or ill. That if you try to look up some website, something on the network path could jump in and respond with an IP address that points to another site.

In their paper, the US academics explain, "DNS spoofing can be accomplished by proxying, intercepting and modifying traffic; DNS injection, where responses are returned more quickly than the official servers; or by modifying configurations in end hosts."

The practice represents a risk to both privacy and security: users don't necessarily want third-parties knowing about their DNS queries or answering their query with a malicious resource, like an address that points to a malware-infected site. DNS spoofing can also be used for censorship.

"The surprising thing to me was spoofing was a lot more widespread than I expected," said Heidemann in a phone interview with The Register. "We saw instances of it in many different countries."

Spoofing isn't necessarily malicious. It's commonly done at coffee shops and hotels that provide internet access through a captive portal. It may be done by internet service providers to respond to DNS queries more quickly. Or it may be done to comply with censorship laws in certain countries.

Heidemann pointed out that Indonesia and Iran had the largest portion of vantage points – specifically, public DNS resolvers – exhibiting spoofing.

"To the extent you think the government should not be filtering by manipulating DNS, then evidence of spoofing is problematic," he said.

At the same time, Heidemann said internet advertising companies have been known to spoof DNS so they can sell ads in response to web typos [PDF]. "There have certainly been cases where DNS spoofing has been used maliciously," he said.

I would recommend DNSSEC as a mechanism that would address this issue because it lets you prove you got the right answer to a DNS query

The paper also says that for every ten incidents of spoofing detected, a covert delayer was identified – a third-party that delayed DNS traffic but passed it on unaltered. Heidemann said there's no clear reason why anyone would do this, but speculated it "may indicate some kind of application-layer evaluation."

Heidemann said the research paper doesn't identify specific reasons for the rise in DNS spoofing but suggested it follows from the growing importance of the internet around the globe. "In general, we've seen the internet become more pervasive in everyone's lives and so interest in controlling those results has increased over time," he said.

The paper points out that there's a protocol called DNSSEC that provides some protection against spoofing. DNSSEC isn't yet widespread in part because it has proven to be difficult to integrate with DNS-based redirection techniques used by Content Distribution Networks (CDNs). Last year, ICANN urged organizations to do more to hasten the implementation of DNSSEC.

"I would recommend DNSSEC as a mechanism that would address this issue because it lets you prove you got the right answer to a DNS query," said Heidemann. "Our paper shows there's a small but compelling reason to use it." ®