DNS spoofing with “dnsspoof” on Linux

Dnsspoof is a member of the Dsniff suit toolset and  works similarly to arpspoof . It lets you forge DNS responses for a DNS server on the local network . DNS runs on User Datagram Protocol (UDP), a connectionless protocol, a DNS client will send out a query and expect a response . The query is assigned a pseudo random identification number  which should be present in the answer from the DNS server. Then when the answer from the DNS server will be received , it will just have to compare both numbers if they’re the same, the answer is taken as valid, otherwise it will be simply ignored . The DNS protocol relies on UDP for requests (TCP is used only for zone transfers –> communications between DNS servers), which means that it is easy to send a packet coming from a fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn’t provide a minimum of protection against IP spoofing) .

The basics of DNS are outlined on the video ( at the end of this article)

The dnsspoof tool will simply forge a response (telling the client that the hostname resolves to its IP) and attempt to get it there before the real response from the intended DNS server arrives. Dnsspoof can forge responses for all DNS queries it receives, or you can create a file in hosts(5) format (called spoofhosts.txt , for example) that resolves only specific names to your local IP address and then run dnsspoof with the ” -f spoofhosts.txt”  option to have it lie about only these specific IP-host mappings. An example spoofhosts file is shown next (192.168.1.100 is the address of the machine running dnsspoof):

192.168.1.100 mail*
192.168.1.100 www*

This file tells dnsspoof to forge DNS responses only for hostnames beginning with mail or www instead of forging responses to every DNS query it intercepts.

Other than the same -i option that arpspoof takes to specify a network interface, the only argument dnsspoof takes is a tcpdump packet-filter expression for sniffing. It will use that expression to find any DNS traffic so that it can forge responses to any incoming queries on the LAN that it can see. If you first use arpspoof to spoof the MAC address of the intended DNS server, you can ensure that dnsspoof will always receive the DNS queries for the LAN and will always be able to respond with spoofed hostname/IP mappings. In the next example, 192.168.1.5 is the DNS server and 192.168.1.245 is once again our victim.

# echo 1 > /proc/sys/net/ipv4/ip_forward (enable port forwarding)
# arpspoof -t 192.168.1.245 192.168.1.5 &;
# arpspoof -t 192.168.1.5 192.168.1.245 &;
# dnsspoof -f  spoofhosts.txt host  192.168.1.245  and  udp  port 53

The first few commands set up the same bidirectional ARP spoofing that we used in the previous article (arpspoofing) . It allows us to fool 192.168.1.245 into thinking that we’re the Gateway (router) . The final command listens for DNS traffic involving 192.168.1.245, and any queries for hosts beginning with www or mail will be answered with an IP address of 192.168.1.100. Other DNS queries should be ignored and passed through to the real DNS server. So if 192.168.1.245 points his web browser at http://www.yahoo.com, he’ll actually be talking to the web server running on our machine, 192.168.1.100. Notice that we’ve been careful to specify the host 192.168.1.245 in our dnsspoof command. If we leave this out, dnsspoof will attempt to forge a DNS response to every DNS request it snoops, which is not what we want in this case.

Arpspoof and dnsspoof allow you to masquerade as different machines on a network. The benefits are obvious for malicious hackers, but can these two tools be used for good? Of course! In addition to network and firewall testing, system administrators could use the masquerading techniques to create a type of honeypot for potential “insider” hackers .

Just for completeness …. ,  dnsspoofing works on local networks , another technique exists “DNS Cache poisoning” , which is a totally different implementation . It is utilized by poisoning the cache of the DNS server itself . Although the basic concept remains the same , providing the DNS query with  a fake IP , it is utilized with a totally different technique . This is of course a story for another article 🙂 .   DNS Cache PoisoningDNS Cache PoisoningDNS Cache Poisoning

Protection against dns-spoofing can be accomplished through SSL communications ( HTTPS) . And of course , for very critical ( bank accounts )  communications we could manually assign the IP in the ” hosts ” file .

The basics of DNS :