Number of Rogue DNS Servers Increasing

Researchers from Google and the Georgia Institute of Technology have published a paper indicating the increasing number of attacks from the use of rogue DNS servers (the paper estimates that there are currently about 68,000 of these servers). For those that are unfamiliar with DNS, it is an important element to the workings of the Internet(s).  DNS servers, short for Domain Name System servers, are used to look up the IP addresses of servers that correspond to the desired domain addresses (i.e. www.google.com).  Although the actual details are a bit more complicated, essentially, when a user types in a domain into his/her browser (and as long as the domain’s IP address wasn’t already cached), the user’s machine sends a request to the DNS for the domain’s IP address so that it can then send requests to this IP address which would then usually send back the contents of the webpage.  So it’s essentially a huge table of domain names and their corresponding server IP addresses.  The addresses of the DNS servers are pre-configured onto the users’ computers.  So if a malicious hacker can gain access to this, they can change it to point to their own fake DNS server.   A rogue DNS server, can then give out incorrect IP addresses that point to the hacker’s own malicious websites.  The hackers can then use spoofed web pages (phishing) to try to steal personal information like usernames and passwords.  An interesting note is that the rogue DNS servers sometimes work correctly and only send fake IP addresses sometimes, making it harder for users to determine if they are affected.  The users can detect if their DNS server paths have been overwritten by running a virus scan, and unless the infrastructure of the Internet is changed, it seems like this the only defense people have against this attack.  Original article can be found here.