Domains and IP addresses
Today, search engines dominate the World Wide Web. For example, to visit the website of Increase Your Skills GmbH, very few users directly enter the domain increaseyourskills.com into the URL bar of their web browser. Instead, most will type something like “increase your skills courses” or “increase your skills data protection” to have a search engine list a few search hits, and then click on the first relevant hit to finally get to the desired website. This is convenient and, for many, the habitual way of using services on the World Wide Web. But if we already know the domain of a service, then the diversions via a search engine is basically superfluous: we can then go directly to the domain of the desired service. This helps to save data for the search engines, and it also prevents us from accidentally selecting the wrong search hit.
Domains such as increaseyourskills.com or elearning.increaseyourskills.com or shop.increaseyourskills.com take over the task on the internet and in the World Wide Web that is performed by postal addresses: they serve as addresses for the respective area belonging to a certain person or institution. To find our way around the World Wide Web, this is basically all we need to know about domains and addressing on the internet. But as is so often the case in information technology, this is only half the truth. Technically speaking, it is not people who exchange data over the internet, but computers. But computers do not address each other via domains like increaseyourskills.com, rather via so-called internet protocol addresses, or IP addresses for short, such as 81.169.145.162 or 195.201.99.19 or 23.227.38.74. Ultimately, the domains are nothing more than friendlier pseudonyms for these IP addresses since words and word sequences are easier for us humans to remember than number sequences.
The Domain Name System
Every valid domain is assigned such an IP address. For example, before a laptop or smartphone can contact the domain increaseyourskills.com, this domain must be translated into the corresponding IP address. However, no computer has stored a list of all domains and their corresponding IP addresses. So how does our laptop or smartphone find out which IP address is behind the domain increaseyourskills.com? This is where the so-called Domain Name System (or DNS for short) comes into play. The Domain Name System is the network service where every computer can request the IP address that is assigned to a valid domain.
For a domain that a computer visits frequently or has visited recently, it already knows the IP address. If this is not the case, it requests the IP address from the next DNS server. In the case of a fixed internet connection, this is usually the local network router, which regulates the data traffic between the computers registered in the local WLAN or LAN and the internet. If the local network router does not know the IP address for a certain domain either, it asks for this information again from the nearest DNS server. Normally, this is a DNS server operated by the internet provider responsible for the local internet connection. Most internet providers have several DNS servers in operation for this purpose. If the DNS servers of the internet provider do not know the IP address for a particular domain either, they contact the nearest DNS server again. There is a strict hierarchy of such DNS servers on the internet. For each domain, it is precisely determined which DNS server has the last word, so to speak, for this domain. Among other things, this prevents the DNS servers on the internet from endlessly asking each other for the corresponding IP address for a freely invented domain.
DNS Spoofing
A DNS server’s main task is to answer queries from computers that want to know the associated IP address for a particular domain. If we can get a DNS server to answer such a query not with the actual IP address but with another IP address given by us, we are engaging in DNS spoofing. In this way, the data exchange between a user’s terminal and a server on the internet can be redirected to another server.
An easy target for DNS spoofing is the local network router in the home network or company network because, in most cases, this is the first DNS server that the computers in the local network contact. Suppose we have administrative access to the network router. In that case, it is easy to make additional DNS entries in it and to redirect the data traffic for certain domains specifically to other servers. If no additional security measures were in place, this would make it easy, for example, to trick users in the local network into believing that they are visiting a certain website, when in fact, they are visiting a manipulated copy of that website.
Manipulating the DNS servers of an internet provider or in the deeper internet infrastructure similarly, on the other hand, requires advanced expertise in computer networks and network protocols. There are a number of known attack scenarios on the DNS. Many of these are only historically relevant because DNS is continuously being developed and hardened against such attacks. For example, with DNSSEC, there is a series of extensions for the Domain Name System that make it possible to authenticate the responses of a DNS server cryptographically. Unfortunately, DNSSEC is not yet in widespread use.
Detecting DNS Spoofing
For network administrators and other users with an affinity for technology, there is software that can be used to carry out an appropriate DNS audit. Every common Linux distribution contains the freely available toolbox DNSDiag, which can be used to analyse DNS responses, for example, to determine whether a DNS query is the subject of a man-in-the-middle attack. In normal, everyday use of the internet and the World Wide Web, it is currently very difficult to determine whether a false IP address is being foisted on us by DNS spoofing. The fact that our end device trusts the answers of the DNS server blindly, so to speak, is in the nature of things without cryptographic authentication of the DNS answers.
Fortunately, data transfer on the internet today is, in most cases, secured by a cryptographic protocol called TLS. On the World Wide Web, we recognise the use of TLS by the fact that the address in the URL bar does not begin with http://, but with https://. Modern web browsers also display a small lock in front of the address to indicate that the connection is secured by TLS. If the connection to the server is secured by TLS, DNS spoofing can still cause requests to be redirected to a wrong server, but thanks to TLS, our end device recognises that it is not the right server and breaks off the communication.
So when surfing daily, look for the small lock in the URL bar, and make sure that https:// preceeeds any web addresses. Then the TLS protocol will also protect you from the consequences of a DNS spoofing attack.
