What is DNS Poisoning?
Imagine you have a secure communication channel from your computer to the internet, encrypting your data traffic, and you feel safe. In fact, you are not. Your DNS query is still routed to the local, possibly malicious DNS server, which can collect your queries and learn which websites you are visiting. This is a DNS leak: you are leaking your domain name queries to your local ISP and are at their mercy as to how they use that information against you. This is a substantial risk for VPN and Shadowsocks users in countries like China, Iran, etc.
A DNS leak is different from the DNS poisoning we discussed earlier. Being given an invalid IP address (poisoning) is the mildest consequence you can suffer; it can become much worse. When you leak your queries to your local ISP, they may track you down, and that can result in an arrest!
How to Evade DNS Poisoning?
Pointing your DNS to a remote server turns out to be not good enough: more ISPs are rolling out “transparent DNS proxy” technology these days. That means they forcibly intercept your DNS query and forward it to the remote server themselves. In this scenario your ISP stands in the middle, acting as a middleman that proxies your queries in both directions, so they still have full information about your DNS queries.
How to Fix Transparent DNS Proxy?
If you use a VPN, you need to go through quite a few steps to ensure you have no DNS leak. You can refer to this tutorial.
Things are simpler with Shadowsocks.
If you use a Shadowsocks proxy, make sure to use it with the Google Chrome browser: Chrome will automatically resolve names through the remote DNS (the server that runs Shadowsocks), so you will be fine.
If you prefer Mozilla Firefox, you need one extra step to configure Firefox to resolve DNS through the remote proxy.
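The reason "remote DNS" closes the leak is visible in the SOCKS5 CONNECT request the browser sends to the proxy: a client can either resolve the hostname locally and hand the proxy an IPv4 address (which sends a DNS query to the local, possibly intercepted resolver first), or hand the proxy the raw hostname so that the proxy resolves it on the far side. The following is an added example, not code from the article or from the Shadowsocks project; the hostname, IP address and ports are constructed sample values, and the `leaks_dns` label is this example's own naming.

```python
"""SOCKS5 CONNECT requests: local name resolution vs. remote DNS.

Added example (not from the original article). ATYP 0x01 carries an IPv4
address the client already resolved itself; ATYP 0x03 carries the hostname,
so the proxy resolves it on the remote side and no query leaves the client.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect_leaky(resolved_ip: str, port: int) -> bytes:
    """Build a CONNECT carrying an IPv4 address (ATYP 0x01).

    The caller has already resolved the hostname through the local
    resolver; that lookup is the DNS leak, since it happens before any
    traffic reaches the proxy.  `resolved_ip` is a constructed value here.
    """
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4)
            + socket.inet_aton(resolved_ip)
            + struct.pack("!H", port))


def build_connect_remote_dns(host: str, port: int) -> bytes:
    """Build a CONNECT carrying the hostname itself (ATYP 0x03).

    No local DNS query is made; the proxy server resolves the name.
    """
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + struct.pack("!B", len(name)) + name
            + struct.pack("!H", port))


def parse_connect(request: bytes) -> dict:
    """Parse a CONNECT request as the proxy sees it.

    `leaks_dns` is True when the client sent a pre-resolved address,
    i.e. a DNS lookup already happened on the client side.
    """
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", request[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dst = socket.inet_ntoa(request[4:8])
        port = struct.unpack("!H", request[8:10])[0]
        return {"atyp": "ipv4", "dst": dst, "port": port, "leaks_dns": True}
    if atyp == ATYP_DOMAIN:
        n = request[4]
        dst = request[5:5 + n].decode("idna")
        port = struct.unpack("!H", request[5 + n:7 + n])[0]
        return {"atyp": "domain", "dst": dst, "port": port, "leaks_dns": False}
    raise ValueError(f"unsupported address type {atyp:#x}")


if __name__ == "__main__":
    # Constructed sample values: a documentation-range IP and a hostname.
    for req in (build_connect_leaky("192.0.2.10", 80),
                build_connect_remote_dns("example.com", 443)):
        print(req.hex(), parse_connect(req))
```

A Shadowsocks client configured for remote DNS (and Firefox once its proxy DNS setting is enabled) emits the second form; a client that resolves first and then connects emits the first, and the leak has already happened by the time the proxy sees the request.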
The current DNS infrastructure is open and scalable, but not secure: it has no protection against attacks like DNS poisoning. The DNS Security Extensions, dubbed DNSSEC, attempt to address the problem on three levels:
1. Origin authentication of DNS data (the answer comes from the authoritative DNS server, and the returned information is correct and complete)
2. DNS data integrity (the returned data is authentic and has not been forged)
3. Authenticated denial of existence (lets a resolver verify that a given domain name does not exist)
In theory, once DNSSEC is adopted across the internet, it will mitigate DNS poisoning attacks, because a forged result will fail validation and be flagged as modified. However, DNSSEC is backward compatible, and you can imagine that a malicious ISP will not be motivated to deploy the new technology any time soon. It also remains to be seen how a malicious ISP might exploit DNSSEC vulnerabilities, if any, to keep their control of the internet.
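On the wire, a client asks for DNSSEC by setting the DO bit in an EDNS0 OPT record, and a validating resolver reports success by setting the AD (Authenticated Data) flag in the response header. The following added example (not code from the article) builds such a query and parses a constructed response to see whether the resolver claims validation; the transaction id, name and response bytes are sample values built for this example.

```python
"""DNSSEC signalling: DO bit in the query, AD bit in the answer.

Added example (not from the original article).  Builds a DNS query with an
EDNS0 OPT record carrying the DO flag and inspects a response header for
the AD flag.  Only the header and question are handled; RRSIG checking is
the resolver's job and is not shown here.
"""
import struct

FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: resolver validated the answer
FLAG_CD = 0x0010   # Checking Disabled: client asks resolver not to validate
RCODE_MASK = 0x000F
TYPE_OPT = 41
EDNS_DO = 0x8000   # DNSSEC OK bit, top bit of the OPT flags (in the TTL field)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dnssec_query(name: str, qtype: int, txid: int,
                       payload_size: int = 1232) -> bytes:
    """Query with RD set and an OPT record whose DO bit asks for DNSSEC."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, class = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16) with DO as the high bit,
    # RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields that matter here."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & RCODE_MASK,
        "validated": bool(flags & FLAG_AD),
        "answers": an,
    }


def classify(query: bytes, response: bytes) -> str:
    """Say what a stub client can conclude from the response header."""
    q, r = parse_header(query), parse_header(response)
    if not r["is_response"] or r["id"] != q["id"]:
        return "not a response to this query"
    if r["validated"]:
        return "resolver reports DNSSEC-validated data (AD set)"
    return "unvalidated: AD clear, treat the answer as unverified"


if __name__ == "__main__":
    q = build_dnssec_query("example.com", 1, 0x1234)   # qtype 1 = A
    # Constructed response header: QR|RD|RA|AD, one answer, one additional.
    resp = bytes.fromhex("123481a00001000100000001") + q[12:]
    print(q.hex())
    print(classify(q, resp))
```

The AD flag is only as trustworthy as the path to the resolver that set it: with a transparent DNS proxy in between, the ISP sees the plaintext query either way and can rewrite the header, which is why DNSSEC by itself does not address the DNS leak described above.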