I have been wondering about this for a while, are MITM attacks usually carried out by poisoning a DNS cache so we are directed to the wrong IP address or would it be more likely the attacker is spoofing the IP address of the real server? The reason I ask, I was wondering if we use actual IP addresses in our bookmarks instead of URLs would that reduce the likely hood of MITM attacks occurring ?
I would say that it could most definitely help sometimes, but also can cause issues. Many larger sites have more than one IP and they can change, which would leave your IP bookmark useless if that happens. For many larger sites the dns resolution also changes when the IP does, which is why the "word url's" still function and you don't even know anything is different. Your post was kind of general so I don't know exactly what type of MITM's you are concerned about. For my privacy connections, such as here at Wilder's, I protect myself by cert fingerprinting. Wilder's has posted/listed their cert fingerprint so you know EXACTLY what it is. You can set your browser to examine the fingerprint when you open Wilder's. If the fingerprint doesn't match exactly an alarm comes up and you are not caught off guard. No MITM can match their fingerprint, can't be done. I use this method strictly for sites where my privacy and participation is important to me. Very simple to setup.
I think using OpenDNS and clearing your cache with CCleaner/Bleachbit regularly is a more practical solution here. Clearing your cache takes literally three seconds
My TOR browser always clears out that stuff. I simply want to know I am actually here at Wilder's (example). My script auto verifies the sha1 fingerprint for an exact match OR I don't come in. It doesn't get any easier and its "blink of an eye" automatic!
Actually, using OpenDNS, and DISABLING local caching is a better idea. Asynchronous DNS should be disabled in Chrome, and DNS-Client disabled in Windows. DNS-Client caches can, and have been used to snoop/track, and in some cases, used to do even more intrusive things.
Would you do this by turning off the DNS Client Service? In Windows 7 I see a couple of dependencies, but it's not clear if there would be any negative impact. Perhaps the hosts file should be locked as well.
I've never had DNS Client service running on any of the machines in my home, it's one of the first services I kill. We've never experienced any issues with it. I disabled it a few years ago when I found malware poisoning the cache in Windows, then later it was reinforced when ISP's, and companies like Steam were sniffing the cache, and using it to ban accounts. Caching has becoming redundant, with browsers, OS and hardware all doing DNS cache work. I personally leave it to the hardware (Router), no need for the round robin, and caching on potentially exploitable OS's and software IMO. Why stack DNS resolution? Hardware->OperatingSystem->Browser? Not necessary. Asynchronous DNS in Chrome slows down browsing in some cases, and in other cases causes page instability. I find it best to disable it. Chrome DNS client talks with multiple DNS servers (the local DNS, the router DNS, the router DNS in IPv6).Chrome opens up to 8 processor threads to resolve DNS, acting as a DNS client of sorts, and overriding your native DNS, and while this 'usually' is done fairly quickly, it can result in significant slowdowns, especially on websites with a lot of links and such. I leave the DNS up to my hardware, and find performance to be better. I leave DNS up to my router/UTM's, but I have an inbuilt fear of cache poisoning and spying on caches. Plenty of examples exist about why you shouldn't cache DNS. https://www.reddit.com/r/GlobalOffe...ac_now_reads_all_the_domains_you_have_visited http://tools.cisco.com/security/center/viewAlert.x?alertId=16178 Could allow an unauthenticated, remote attacker to cause the storage of false IP addresses for valid domain names within the local DNS cache. How Malware can poison the cache; http://null-byte.wonderhowto.com/ho...n-redirect-traffic-your-fake-website-0151620/
Generally, spoofing IP address in TCP connection is not trivial, so if you only use IP it will reduce risks (but with drawbacks already mentioned by Palancar). Also in https connection, you know, attacker also have to get cert (by theft or other means), or either there spoofed website can't show lock icon or browser warns user (though still they will trick many people...) So restricting cert either by EMET pinning or browser's HSTS increse security. However, some malware act as "Man In The Browser" malware, and it is regarded as a part of MITM attack. Such malware may modify your browser's url bar while redirecting traffic, but more likely they intervene traffic btwn legitimate website such as Amazon and you, steal credentials or make a little part of paid money going to criminals bank account.
@RockLobster: For DNS security, I recommend reading paper "Towards Forensic Analysis of Attacks with DNSSEC" (2014), available at Security and Privacy Workshops 2014.
