DNS Spoofing Implementation
When the DNS server IP address is not configured or the route to the DNS server does not exist on the DNS proxy or relay that is enabled with DNS spoofing, the DNS proxy or relay sends a spoofing IP address as the domain name resolution result to any DNS client that sends a DNS query message.
DNS spoofing is applied to a dial-up network, as shown in Figure 4-3.
As shown in Figure 4-3, the device functions as the DNS proxy and connects to the network using the dial-up interface. The dial-up interface is triggered to set up a connection only when data packets are forwarded by the dial-up interface. When the device functions as the DNS proxy, hosts A and B consider the device as the DNS server. When the dial-up connection is set up, the device obtains the DNS server IP address using DHCP.
When a device not enabled with DNS spoofing receives a DNS query message from a DNS client and finds no matching entry locally, it forwards a DNS query message to the DNS server. If the dial-up connection is not set up, the device has not yet obtained the DNS server IP address, so it neither sends a query to the DNS server nor responds to the DNS client, and domain name resolution fails. Because no data packets are sent, nothing triggers the dial-up interface to set up a connection.
DNS spoofing enables the device to send a spoofing IP address to the DNS client that sends a DNS query message regardless of whether the DNS server IP address is configured or the route to the DNS server exists on the device. Data packets sent by the DNS client trigger the dial-up interface to set up a connection.
- A DNS client sends a DNS query message to the DNS proxy for resolving the HTTP server domain name to an IP address.
- After receiving the DNS query message, the DNS proxy cannot return the correct IP address to the DNS client because no matching entry is found locally, no dial-up connection is set up, and the DNS server IP address has not been obtained. Instead, the DNS proxy sends the spoofing IP address as the resolution result to the DNS client. The aging time (TTL) of this DNS resolution response message is 0, so the DNS client does not cache the spoofing address. A reachable route between the DNS client and the IP address in the response message must exist, and the outbound interface of that route is the dial-up interface.
- After receiving the response message, the host sends an HTTP request to the IP address in the response message.
- The DNS proxy forwards the HTTP request using the dial-up interface. The traffic triggers the dial-up interface to set up a connection with the DNS server. Then the DNS proxy obtains the DNS server IP address using DHCP.
- After the DNS resolution response message is aged, the DNS client sends a DNS query message again.
- The DNS proxy sends the correct IP address to the DNS client.
- After obtaining the correct HTTP server IP address, the DNS client can access the HTTP server.
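The following Python program is an added example that is not part of this documentation and not vendor code: it models the seven-step exchange above with real DNS wire-format messages. The proxy returns the spoofing address in an A record whose TTL is 0 while the DNS server address is unknown, the client's first data packet to that address brings the dial-up link up and "learns" the DNS server (a stand-in for the DHCP exchange), and because the spoofed answer had TTL 0 the client queries again and receives the real address. The proxy with spoofing disabled is shown for contrast: it drops the query and the link never comes up. All addresses, the upstream answer table and the names are constructed assumptions for the example.

```python
import struct
import ipaddress

# Constructed example values (documentation address ranges, not real hosts).
SPOOF_IP = "192.0.2.1"          # assumed configured spoofing address
HTTP_SERVER = "www.example.com"  # assumed domain the client wants
REAL_ANSWER = "203.0.113.80"    # assumed answer the upstream DNS server gives
UPSTREAM_DNS = "198.51.100.53"  # assumed DNS server address learned via DHCP


def encode_name(name):
    """Encode a domain name as DNS labels (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    """Standard recursive A/IN query: 12-byte header, one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(txid, name, ip, ttl):
    """Response with QR/RD/RA set, the echoed question, and one A record."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
    return header + question + answer + ipaddress.IPv4Address(ip).packed


def parse_query_name(msg):
    """Return (name, offset just past the question section)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1 + 4  # skip terminator, QTYPE, QCLASS


def parse_answer(msg):
    """Return (txid, ttl, ip) from the first A record of a response."""
    txid = struct.unpack(">H", msg[:2])[0]
    _, pos = parse_query_name(msg)
    _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos + 2:pos + 12])
    rdata = msg[pos + 12:pos + 12 + rdlen]
    return txid, ttl, str(ipaddress.IPv4Address(rdata))


class DialOnDemandProxy:
    """DNS proxy behind a dial-on-demand interface, with or without spoofing."""

    def __init__(self, spoofing_enabled):
        self.spoofing_enabled = spoofing_enabled
        self.link_up = False
        self.dns_server = None   # unknown until the link is up (DHCP)
        self.cache = {}
        self.log = []

    def handle_query(self, query):
        txid = struct.unpack(">H", query[:2])[0]
        name, _ = parse_query_name(query)
        if name in self.cache:
            return build_response(txid, name, self.cache[name], 300)
        if self.dns_server is None:
            if not self.spoofing_enabled:
                self.log.append("no DNS server: query dropped, resolution fails")
                return None
            self.log.append("no DNS server: spoofing address returned with TTL 0")
            return build_response(txid, name, SPOOF_IP, 0)
        ip = self.query_upstream(name)
        self.cache[name] = ip
        return build_response(txid, name, ip, 300)

    def query_upstream(self, name):
        # Stand-in for the real upstream lookup (assumption: fixed answer table).
        return {HTTP_SERVER: REAL_ANSWER}[name]

    def forward_data(self, dst_ip):
        # Any data packet routed out the dial-up interface brings the link up;
        # the DHCP exchange on link-up supplies the DNS server address.
        if not self.link_up:
            self.link_up = True
            self.dns_server = UPSTREAM_DNS
            self.log.append(f"dial-up triggered by traffic to {dst_ip}; "
                            f"DNS server {UPSTREAM_DNS} learned via DHCP")


class Client:
    """Host that honours the TTL: a TTL-0 answer is used once, never cached."""

    def __init__(self, proxy):
        self.proxy = proxy
        self.cache = {}

    def resolve(self, name, txid):
        if name in self.cache:
            return self.cache[name]
        resp = self.proxy.handle_query(build_query(txid, name))
        if resp is None:
            return None
        _, ttl, ip = parse_answer(resp)
        if ttl > 0:
            self.cache[name] = ip
        return ip


def run_scenario(spoofing_enabled=True):
    proxy = DialOnDemandProxy(spoofing_enabled)
    client = Client(proxy)
    first = client.resolve(HTTP_SERVER, 0x1001)          # steps 1-2
    if first is not None:
        proxy.forward_data(first)                         # steps 3-4: HTTP request
    second = client.resolve(HTTP_SERVER, 0x1002)         # steps 5-7: re-query
    return {"first": first, "link_up": proxy.link_up,
            "second": second, "log": proxy.log}


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"spoofing enabled={enabled}:", run_scenario(enabled))
```

Run it directly to see both logs. The part worth checking against a real deployment is the TTL: if the spoofing response carried a non-zero TTL, the client would keep using the spoofing address after the link came up and step 5 would never happen.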