The experiment is based on Linux systems, with one machine configured as a BIND9 DNS server.

The outline

  1. Locally modify the hosts file so that a name is redirected to a specified address
  2. Spoof DNS responses to the User's DNS queries
  3. On the same LAN, spoof the DNS queries the DNS server itself sends out
  4. From a different LAN, spoof the DNS queries the DNS server sends out

Environment configuration

Each of the three virtual machines is assigned an IP address (User = 192.168.0.100, DNS Server = 192.168.0.10, Attacker = 192.168.0.200), as shown in the figure below.

DNS Server configuration:

  • Modify /etc/bind/named.conf.options: add dump.db as the DNS cache dump file and use chmod to set the permissions of the dump.db file (777).
  • Set the local zones of the DNS Server to example.com and 192.168.0.x
  • Restart the Bind9 service
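The BIND9 stanzas that these three steps amount to, written out as an added example rather than taken from the lab's own files. It assumes the Debian/Ubuntu layout (named.conf.options and named.conf.local under /etc/bind); the dump path and the zone file names are assumptions, and the allow-recursion line is a hardening choice the write-up does not state:

```conf
// /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";
    // Cache dump written by `rndc dumpdb -cache`; lets you inspect what the
    // resolver has cached (and spot a poisoned record). Path is an assumption.
    dump-file "/var/cache/bind/dump.db";
    recursion yes;
    // Limit who may use this resolver's cache (not stated in the write-up).
    allow-recursion { 192.168.0.0/24; localhost; };
};

// /etc/bind/named.conf.local
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";      // zone file name is an assumption
};

zone "0.168.192.in-addr.arpa" {           // reverse zone for 192.168.0.x
    type master;
    file "/etc/bind/db.192.168.0";        // zone file name is an assumption
};
```

Run `named-checkconf` before the restart to catch syntax errors, then `rndc dumpdb -cache` to write the cache and `grep example /var/cache/bind/dump.db` to read it back; `rndc flush` clears the cache between runs. The dump file only needs to be writable by the user named runs as (on Debian, `chown bind:bind`), so the chmod 777 above is more than is required.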

User configuration:

  • Set the User's default DNS server to 192.168.0.10

Attacker configuration:

  • Set the Attacker's default DNS server to 192.168.0.10

The external gateway of all three machines is the default gateway assigned by the VMware virtual network adapter in NAT mode, 192.168.139.2.

Network configuration after DNS Server configuration:

Content

Modify the local hosts file

Add www.example.com to the hosts file on the User machine and redirect it to 127.0.0.1

As shown in the figure, pinging www.example.com succeeds and resolves to the IP address I set myself, 1.2.3.4

Spoofing the DNS response to the User

When the User sends a DNS query to the DNS Server, the Attacker listens for the query and replies to the User with a forged DNS response before the DNS Server can reply with the correct one, which achieves the DNS spoofing effect.

In the experiment, we used Netwox/Netwag tool 105 for DNS spoofing. The specific settings are as follows:

The experimental result is:

Local DNS Attack

The Attacker eavesdrops on the DNS Server's outgoing DNS query when the DNS Server asks the root DNS server, and sends a forged DNS response back to the DNS Server. Because the DNS Server caches the result and the TTL is set to a long value, an efficient DNS attack is achieved.


In the experiment, we again used Netwox/Netwag tool 105 for DNS spoofing. The specific settings are as follows:

The experimental result is:

DNS cache on the DNS Server:

The dig command run on the User gives:

Remote DNS Attack

A normal DNS query looks like this

But we can simplify it like this

The Attacker cannot listen for the DNS Server's query packets because it is not on the same LAN, so the method used is to enumerate the entire transaction ID space, which has to be completed before the real DNS response arrives. To simplify the experiment, we fix the DNS Server's UDP source port to 33333, so the UDP port does not have to be enumerated as well.

ns.dnslabattacker.net is not a legitimate domain name, so the DNS Server needs to verify it or it will not store it in the DNS cache; therefore a DNS service must be configured on the Attacker machine, with ns.dnslabattacker.net as its local zone.
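To make the two preceding paragraphs concrete from the resolver's side, the following added example (not lab code and not BIND's own logic) hand-builds DNS messages as constructed sample data and applies the checks a caching resolver performs before it trusts a reply: the reply must arrive from the address and port the query went to, carry the pending transaction ID and the same question, and only records inside the zone being queried (in bailiwick) are cached. The upstream server 198.51.100.53 is a placeholder address; port 33333, 1.2.3.4, 192.168.0.200 and the names come from the write-up, and the function names are this example's own.

```python
"""Resolver-side acceptance checks for a DNS response (added example).

Constructed scenario: the lab DNS Server resolves aaaaa.example.edu from fixed
source port 33333 and an off-path sender tries to guess the transaction ID.
"""
import struct
from dataclasses import dataclass

A, NS = 1, 2  # record types used here

def encode_name(name):
    """Dotted name -> DNS label format (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def decode_name(wire, off):
    """Return (name, offset after the name); follows compression pointers."""
    labels, end = [], None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", wire, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def build_response(txid, qname, answers=(), authority=(), additional=()):
    """Minimal response (flags QR|RD|RA); records are (name, type, value, ttl)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1,
                      len(answers), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", A, 1)
    for name, rtype, value, ttl in (*answers, *authority, *additional):
        rdata = (bytes(int(o) for o in value.split("."))
                 if rtype == A else encode_name(value))
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def parse_message(wire):
    """Parse header, question and all resource records (A and NS decoded)."""
    txid, flags, _qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    qname, off = decode_name(wire, 12)
    qtype = struct.unpack_from("!H", wire, off)[0]
    off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(wire, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
            off += 10
            value = (decode_name(wire, off)[0] if rtype == NS
                     else ".".join(str(b) for b in wire[off:off + rdlen]))
            off += rdlen
            records.append({"section": section, "name": name, "type": rtype,
                            "value": value, "ttl": ttl})
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "records": records}

@dataclass
class PendingQuery:
    txid: int
    qname: str
    zone: str        # zone the resolver is currently asking about
    server_ip: str   # where the query was sent
    src_port: int    # resolver's source port (fixed to 33333 in the lab)

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def validate_response(pending, src_ip, dst_port, wire):
    """Apply the acceptance checks; return the verdict and what would be cached."""
    verdict = {"accepted": False, "reason": "", "cached": [], "dropped": []}
    if (src_ip, dst_port) != (pending.server_ip, pending.src_port):
        verdict["reason"] = "address/port mismatch"
        return verdict
    msg = parse_message(wire)
    if not msg["flags"] & 0x8000:
        verdict["reason"] = "not a response"
    elif msg["txid"] != pending.txid:
        verdict["reason"] = "transaction ID mismatch"
    elif msg["qname"] != pending.qname.lower():
        verdict["reason"] = "question mismatch"
    else:
        verdict["accepted"], verdict["reason"] = True, "accepted"
        for r in msg["records"]:  # out-of-bailiwick data is never cached
            verdict["cached" if in_bailiwick(r["name"], pending.zone) else "dropped"].append(r)
    return verdict

def spoof_guess_space(port_randomized):
    """(txid, port) combinations an off-path sender must cover: 16-bit TXID,
    times up to 65536 source ports unless the port is fixed (33333 here)."""
    return (1 << 16) * ((1 << 16) if port_randomized else 1)

def forged_reply(txid):
    """Constructed reply of the kind described above: answer plus an NS record
    pointing at ns.dnslabattacker.net with glue for it in the additional section."""
    return build_response(
        txid, "aaaaa.example.edu",
        answers=[("aaaaa.example.edu", A, "1.2.3.4", 86400)],
        authority=[("example.edu", NS, "ns.dnslabattacker.net", 86400)],
        additional=[("ns.dnslabattacker.net", A, "192.168.0.200", 86400)])

def demo():
    pending = PendingQuery(0x1234, "aaaaa.example.edu", "example.edu", "198.51.100.53", 33333)
    return {
        "wrong_id": validate_response(pending, "198.51.100.53", 33333, forged_reply(0x1235)),
        "wrong_port": validate_response(pending, "198.51.100.53", 5353, forged_reply(0x1234)),
        "lucky_guess": validate_response(pending, "198.51.100.53", 33333, forged_reply(0x1234)),
    }
```

Running `demo()` shows the three outcomes: a wrong transaction ID or a wrong port is discarded outright, which is why the off-path case needs the whole ID space covered and why fixing the port to 33333 collapses `spoof_guess_space` from 65536 × 65536 to 65536. The one reply with the right ID is accepted, but its additional-section glue for ns.dnslabattacker.net is outside example.edu and is dropped; the resolver will look that name up on its own, which is the reason the write-up has to run a DNS service on the Attacker that is authoritative for it. An on-path attacker, as in the same-LAN experiment, reads the real ID and port from the wire and passes every check here; only DNSSEC validation detects that case.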

Check out the results:

The Attacker sends DNS Query and DNS Response packets to the DNS Server:

Then use Wireshark to view the received packets on the DNS Server:

DNS Server cache:

Running dig aaaaa.example.edu on the User: