jump to navigation

DNS spoofing with “dnsspoof” on Linux March 3, 2011

Posted by Tournas Dimitrios in Linux admin tools.

Dnsspoof is a member of the Dsniff suit toolset and  works similarly to arpspoof . It lets you forge DNS responses for a DNS server on the local network . DNS runs on User Datagram Protocol (UDP), a connectionless protocol, a DNS client will send out a query and expect a response . The query is assigned a pseudo random identification number  which should be present in the answer from the DNS server. Then when the answer from the DNS server will be received , it will just have to compare both numbers if they’re the same, the answer is taken as valid, otherwise it will be simply ignored . The DNS protocol relies on UDP for requests (TCP is used only for zone transfers –> communications between DNS servers), which means that it is easy to send a packet coming from a fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn’t provide a minimum of protection against IP spoofing) .

The basics of DNS are outlined on the video ( at the end of this article)

The dnsspoof tool will simply forge a response (telling the client that the hostname resolves to its IP) and attempt to get it there before the real response from the intended DNS server arrives. Dnsspoof can forge responses for all DNS queries it receives, or you can create a file in hosts(5) format (called spoofhosts.txt , for example) that resolves only specific names to your local IP address and then run dnsspoof with the ” -f spoofhosts.txt”  option to have it lie about only these specific IP-host mappings. An example spoofhosts file is shown next ( is the address of the machine running dnsspoof): mail* www*

This file tells dnsspoof to forge DNS responses only for hostnames beginning with mail or www instead of forging responses to every DNS query it intercepts.

Other than the same -i option that arpspoof takes to specify a network interface, the only argument dnsspoof takes is a tcpdump packet-filter expression for sniffing. It will use that expression to find any DNS traffic so that it can forge responses to any incoming queries on the LAN that it can see. If you first use arpspoof to spoof the MAC address of the intended DNS server, you can ensure that dnsspoof will always receive the DNS queries for the LAN and will always be able to respond with spoofed hostname/IP mappings. In the next example, is the DNS server and is once again our victim.

# echo 1 > /proc/sys/net/ipv4/ip_forward (enable port forwarding)
# arpspoof -t &;
# arpspoof -t &;
# dnsspoof -f  spoofhosts.txt host  and  udp  port 53

The first few commands set up the same bidirectional ARP spoofing that we used in the previous article (arpspoofing) . It allows us to fool into thinking that we’re the Gateway (router) . The final command listens for DNS traffic involving, and any queries for hosts beginning with www or mail will be answered with an IP address of Other DNS queries should be ignored and passed through to the real DNS server. So if points his web browser at http://www.yahoo.com, he’ll actually be talking to the web server running on our machine, Notice that we’ve been careful to specify the host in our dnsspoof command. If we leave this out, dnsspoof will attempt to forge a DNS response to every DNS request it snoops, which is not what we want in this case.

Arpspoof and dnsspoof allow you to masquerade as different machines on a network. The benefits are obvious for malicious hackers, but can these two tools be used for good? Of course! In addition to network and firewall testing, system administrators could use the masquerading techniques to create a type of honeypot for potential “insider” hackers .

Just for completeness …. ,  dnsspoofing works on local networks , another technique exists “DNS Cache poisoning” , which is a totally different implementation . It is utilized by poisoning the cache of the DNS server itself . Although the basic concept remains the same , providing the DNS query with  a fake IP , it is utilized with a totally different technique . This is of course a story for another article 🙂 .   DNS Cache PoisoningDNS Cache PoisoningDNS Cache Poisoning

Protection against dns-spoofing can be accomplished through SSL communications ( HTTPS) . And of course , for very critical ( bank accounts )  communications we could manually assign the IP in the ” hosts ” file .

The basics of DNS :


1. ahmed - January 11, 2013

Thanks for great info i learned much .

2. Leo - January 10, 2014

very good article, keep it up

tournasdimitrios1 - January 10, 2014

You are welcome 🙂

3. domenukk - February 2, 2014

Hi, I’ve actually found a strange legal usecase for DNS Spoofing… I have set up NAT in my router but strangely enough, the services are only accessible from the outside of my lan.
As I can’t edit the hosts file on my Laptop, I think I have to give this a try. 😀

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s