how DNS spoofing technique works ?

mohammed hashim · ‎12-12-2015

hi,

Attacker-----R1------R2

so the attacker is in the LAN, R1 is the local DNS server, R2 is public DNS Server.

when we want to configure DNS spoofing:

R1:
ip name-server 2.2.2.2
ip domain lookup
ip dns server
ip dns spoofing 1.1.1.1

can someone please tell me how it works ?

pdub206 · ‎12-12-2015

Please refer to this doc on DNS spoofing:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/12-4t/dns-12-4t-book/dns-config-dns.html#GUID-C9E9429A-E599-455C-9206-26DB6ED86665

According to the document you must have one of the following conditions satisfied:

This feature turns on DNS spoofing and is functional if any of the following conditions are true:

The no ip domain lookup command is configured.
IP name server addresses are not configured.
There are no valid interfaces or routes for sending to the configured name server addresses.

So you would have to disable either ip domain lookup or remove a name-server address. Secondly, the actual process is listed as such:

The router will respond to the DNS query with the configured ip-address when queried for any hostname other than its own.
The router will respond to the DNS query with the IP address of the incoming interface when queried for its own hostname.

Lastly, it sounds as if you should specify an actual DNS server with your spoofing command.

I hope that helps.

Throwing packets since 2012

Ganesh Hariharan · ‎12-12-2015

Hello Mohammed,

As you know DNS spoofing is a Man in the Middle technique used to supply false DNS information to a host so that when they attempt to browse and attacker can easily steal online banking credentials and account information from unsuspecting users.

Have a look on the below link which explains DNS spoofing in depth.

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part2.html

Hope it Helps..

-GI