Windows DNS Poisoning by Unprivileged Users

TL;DR

An unprivileged user can poison the Windows DNS cache on their own machine, but it won’t affect other computers. They can redirect their own DNS lookups to malicious servers, potentially leading to phishing or malware downloads. This is usually done through modifying the hosts file or manipulating DNS client settings.

How an Unprivileged User Can Poison Their Own DNS

  1. Understanding the Scope: It’s crucial to understand that unprivileged users can only modify their own DNS resolution. They cannot alter system-wide DNS settings without administrator rights. This means other computers on the network are unaffected.
  2. Modifying the Hosts File: The simplest method is editing the hosts file.
    • The hosts file maps hostnames to IP addresses, bypassing DNS servers.
    • Location: C:\Windows\System32\drivers\etc\hosts
    • Open Notepad as an administrator (required for saving changes). Edit the file and add entries like this:
      127.0.0.1   example.com

      This redirects all requests for example.com to your local machine. Replace with a malicious IP address if desired.

    • Caution: Incorrectly editing the hosts file can prevent access to legitimate websites. Back up the original file before making changes!
  3. Manipulating DNS Client Settings (using netsh): While more complex, users can alter their DNS client settings.
    • Open Command Prompt as a normal user.
    • View current DNS server settings:
      netsh interface ip show dns
    • Add a malicious DNS server (requires administrator privileges to persist, but can be temporarily set):
      netsh interface ip add dns name="Ethernet" address=8.8.8.8 index=1

      Replace “Ethernet” with the correct network interface name and 8.8.8.8 with a malicious DNS server IP. This will likely be reverted on reboot or by DHCP.

    • Caution: Using untrusted DNS servers can expose you to malware and phishing attacks.
  4. Using Third-Party Software: Some software allows users to manage their DNS settings more easily, potentially including the ability to specify custom DNS servers.
    • Be cautious when installing such software; ensure it’s from a trusted source.

Detecting and Preventing Self-Poisoning

  1. Regularly Check the Hosts File: Scan the hosts file for unexpected entries.
    • Use tools like Notepad++ or PowerShell to compare it against a known good backup.
  2. Monitor DNS Client Settings: Periodically check the configured DNS servers using netsh interface ip show dns.
  3. Antivirus/Anti-Malware Software: Many security solutions can detect and remove malicious entries from the hosts file or alert you to suspicious DNS settings.
  4. Group Policy (for managed environments): Implement Group Policy restrictions to prevent users from modifying the hosts file or DNS client settings.
    • This requires administrator access to configure.
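The following PowerShell script is an added example, not code from the original post: it implements checks 1 and 2 above by parsing the local hosts file, reporting any IP-to-hostname mapping that is absent from a known-good baseline copy, and listing DNS resolvers configured on any interface that are not on an approved list. The baseline path (C:\Baseline\hosts.bak) and the approved resolver addresses are assumed, placeholder values; replace them with your own.

```powershell
# Added example (not from the original post): audit the local machine for
# signs of DNS self-poisoning via the hosts file or DNS client settings.
# Assumptions (placeholders): a trusted copy of the hosts file saved at
# $BaselinePath, and an allow-list of approved resolver IPs in $ApprovedDns.

$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BaselinePath = 'C:\Baseline\hosts.bak'        # assumed location of the known-good copy
$ApprovedDns  = @('10.0.0.53', '10.0.0.54')    # constructed example resolver addresses

function Get-HostsEntries {
    # Parse "IP hostname [alias ...]" lines; blank lines and '#' comments are skipped.
    param([Parameter(Mandatory)][string]$Path)
    $entries = @()
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Length -lt 2) { continue }   # an address with no hostname is not a mapping
        for ($i = 1; $i -lt $fields.Length; $i++) {
            $entries += [pscustomobject]@{ IP = $fields[0]; Host = $fields[$i].ToLower() }
        }
    }
    return $entries
}

function Test-HostsFile {
    # Return every current mapping that does not appear in the baseline copy.
    # If no baseline exists, every mapping is reported (a default Windows hosts
    # file contains comments only, so any active entry deserves a look).
    $current  = Get-HostsEntries -Path $HostsPath
    $known    = @{}
    if (Test-Path $BaselinePath) {
        foreach ($e in (Get-HostsEntries -Path $BaselinePath)) { $known["$($e.IP) $($e.Host)"] = $true }
    }
    return @($current | Where-Object { -not $known.ContainsKey("$($_.IP) $($_.Host)") })
}

function Test-DnsServers {
    # PowerShell counterpart of 'netsh interface ip show dns': flag any interface
    # whose configured IPv4 resolvers are not on the approved list.
    $findings = @()
    foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
        $rogue = @($cfg.ServerAddresses | Where-Object { $_ -notin $ApprovedDns })
        if ($rogue.Count -gt 0) {
            $findings += [pscustomobject]@{ Interface = $cfg.InterfaceAlias; Servers = ($rogue -join ', ') }
        }
    }
    return $findings
}

$unexpected = Test-HostsFile
if ($unexpected.Count -gt 0) {
    Write-Warning "Hosts file entries not present in the baseline:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Hosts file matches the baseline."
}

$rogueDns = Test-DnsServers
if ($rogueDns.Count -gt 0) {
    Write-Warning "Interfaces using unapproved DNS servers:"
    $rogueDns | Format-Table -AutoSize
} else {
    Write-Host "All configured DNS servers are on the approved list."
}

# After removing a bad entry, drop any cached answers it may have produced:
# Clear-DnsClientCache
```

Reading the hosts file and querying resolver settings need no elevated rights, so the script can run under the same unprivileged account being checked; scheduling it (or shipping its warnings to a log collector) turns the periodic manual checks above into a standing detection.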

Impact of Self-Poisoning

The impact is limited to the user’s machine. They might be redirected to phishing sites, download malware from malicious servers, or simply be unable to access legitimate websites.
