DNS Spoofing

Source: http://www.h4h4.com
Tags: domain name server, subdomain, DNS spoofing

DNS Spoofing is a fairly complex attack method, but it is easier to carry out than IP spoofing, so it is also common. The most recent case of an attack using DNS Spoofing is the website of the world-renowned network security company RSA Security. In fact, the host of the RSA Security website was not intruded; rather, the RSA domain name was hijacked by hackers, so when a user connected to RSA Security, the home page shown was other content.

First, let's take a look at how DNS works.

DNS stands for Domain Name Server. When a host needs to resolve a domain name, it first sends the resolution request to its own DNS server.

Assume there is a host heike.angel.com whose DNS server is cn.angel.com. It wants to reach www.xxx.com but does not know its IP address, so it obtains the IP address of that domain name through a DNS query. Let's look at the entire process of domain name resolution!

First, heike.angel.com sends the resolution request to its DNS server:

heike.angel.com → cn.angel.com: Please resolve www.xxx.com

This name request is sent from a randomly selected port on heike.angel.com to port 53 of cn.angel.com, the port the DNS server is bound to.

After cn.angel.com receives the resolution request, it starts resolving. If the IP address of www.xxx.com is not in cn.angel.com's cache, it has to ask other DNS servers.

It first queries cn.internic.com, which returns the query result to cn.angel.com.

cn.angel.com → cn.internic.com: Who is the authoritative server for com?

cn.internic.com → cn.angel.com: The IP address of the authoritative com domain name server is 22.1.2.3.

Here cn.internic.com tells cn.angel.com that the authoritative DNS of the com domain is at IP 22.1.2.3. cn.angel.com then queries 22.1.2.3 for the address of the DNS server of the xxx.com subdomain:

cn.angel.com → cn.internic.com: Could you tell me the DNS of the xxx.com subdomain?

cn.internic.com → cn.angel.com: The DNS of the xxx.com subdomain is 200.1.1.1.

Now cn.angel.com knows the IP address of the authoritative server of the xxx.com subdomain, so it can ask it for the IP address of www.xxx.com.

cn.angel.com → 200.1.1.1: Please give the IP address of www.xxx.com

200.1.1.1 → cn.angel.com: The IP address of www.xxx.com is 200.1.1.1.

Now cn.angel.com has the IP address of www.xxx.com, and it returns that IP address to heike.angel.com, the host that requested the resolution.

cn.angel.com → heike.angel.com: The IP address of www.xxx.com is 200.1.1.1.

Once heike.angel.com knows the IP address of www.xxx.com, it can connect to it. The whole domain name resolution process is over!

How DNS Spoofing works

Take it seriously! Don't worry!

Looking at the resolution process above, we will think: when cn.angel.com asks the xxx.com subdomain DNS server 200.1.1.1 for the IP address of www.xxx.com, we impersonate 200.1.1.1 and answer with a fake IP address for www.xxx.com, say 202.109.2.2. cn.angel.com will then return 202.109.2.2 as the address of www.xxx.com to heike.angel.com. When heike.angel.com connects to www.xxx.com, it is diverted to the fake IP address we provide. For www.xxx.com, this is as good as being hacked, because other people can no longer connect to its domain name.

This is the basic principle of DNS spoofing, but just as with IP spoofing there are still some technical difficulties in implementing it. To understand these difficulties, we should look at the complete structure of the DNS query packet. An important field in the DNS query packet is called the ID. It is used to identify each DNS packet: it is set by the client and returned by the server, which allows the client to match requests with responses. Let's look at an example; maybe then you will understand.

cn.angel.com → 200.1.1.1: Request the IP address of www.xxx.com

At this point the hacker only needs to pose as 200.1.1.1 and, before the real 200.1.1.1 returns its information to cn.angel.com, hand over the IP address that was queried.

Hacker (forged as 200.1.1.1) → cn.angel.com: The IP address of www.xxx.com is 1.1.1.1.

This process is intuitive: the hacker sent a counterfeit DNS packet to cn.angel.com before 200.1.1.1 did. But as mentioned earlier, a packet is identified by its ID, so the correct ID must be forged; if this identifier cannot be determined, spoofing cannot be performed. On a local network this is easy: as long as a sniffer is installed (I talked about sniffers last time, in the 2002/11 issue of Hacker Defense Line), you can find this ID by sniffing. But to cheat on the Internet, you have to send a large number of DNS packets to improve the chance of hitting the correct ID by luck. Next, let's look at how DNS spoofing is performed when the ID has been obtained with a sniffer.
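To make the ID field and the matching rule concrete, here is an added example in Python that is not part of the original article: it builds a DNS query and a response in wire format (RFC 1035), parses the header and sections, and applies the checks a resolver performs before accepting a reply (source address and port, transaction ID, QR bit, identical question section). The hosts, ports and addresses are the article's own example values; the function names are mine.

```python
"""DNS wire-format builder/parser and the response checks a resolver applies (added example)."""
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # 1 = response, 0 = query
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode 'www.xxx.com' as DNS labels: \\x03www\\x03xxx\\x03com\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # two-byte pointer to an earlier copy of the name
            pointer = ((length & 0x3F) << 8) | data[offset + 1]
            suffix, _ = decode_name(data, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qid, qname, qtype=TYPE_A):
    """Standard recursive query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_answer(qid, qname, ip, ttl=300):
    """Response with one A record; the record name is a pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_message(data):
    """Parse the header, the question section and any A records in the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype, qclass))
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_A and rdlength == 4:
            answers.append((name.lower(), socket.inet_ntoa(rdata), ttl))
    return {"id": qid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def check_response(query, response, sent_to, received_from):
    """Return the reasons a resolver should discard `response` for `query` (empty list = accept).

    Classic matching rule: same transaction ID, QR bit set, same question section,
    and the reply must come from the (address, port) the query was sent to.
    """
    q, r = parse_message(query), parse_message(response)
    problems = []
    if received_from != sent_to:
        problems.append(f"reply came from {received_from[0]}:{received_from[1]}, "
                        f"query was sent to {sent_to[0]}:{sent_to[1]}")
    if r["id"] != q["id"]:
        problems.append(f"transaction ID {r['id']} does not match query ID {q['id']}")
    if not r["is_response"]:
        problems.append("QR bit not set (not a response)")
    if r["questions"] != q["questions"]:
        problems.append("question section differs from the one we sent")
    return problems


if __name__ == "__main__":
    server = ("200.1.1.1", 53)
    query = build_query(6573, "www.xxx.com")                 # cn.angel.com asks with ID 6573
    real = build_answer(6573, "www.xxx.com", "200.1.1.1")    # the article's real answer
    forged_bad_id = build_answer(6574, "www.xxx.com", "1.1.1.1")
    forged_good_id = build_answer(6573, "www.xxx.com", "1.1.1.1")
    for label, reply in [("real reply", real), ("forged, wrong ID", forged_bad_id),
                         ("forged, guessed ID", forged_good_id)]:
        # a forger also spoofs the source address, so received_from equals server in every case
        problems = check_response(query, reply, server, server)
        print(label, "->", "accepted" if not problems else "rejected: " + "; ".join(problems))
```

Running the block shows that a reply with the wrong ID is discarded, while a reply carrying the right ID and a forged source address passes every check a resolver of that era had; that is the gap the article relies on. Later defenses close it by making the ID hard to guess (random IDs together with random source ports, RFC 5452) and by letting the resolver verify the data itself (DNSSEC).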

Real-world DNS Spoofing Process

Continuing with the example above, assume that we have successfully compromised some host in the subnet of 200.1.1.1 and, by installing a sniffer, can sniff the packets transmitted throughout that subnet. To obtain the ID we need, we only have to observe the packets going in and out. When the DNS server 200.1.1.1 sends out a query packet, it sets an ID, and the server accepts a response only when the ID value and the IP address in the response packet are correct. This ID is automatically increased by 1 each time, so you can first send a query packet to the DNS server to be spoofed and listen for the ID value, then send another query packet and immediately send the response packet we constructed, with the predicted ID value in it. To improve the success rate, you can specify a range, such as the ID you heard plus 1 and upward. For example, cn.angel.com sends a packet requesting the IP address of www.xxx.com to 200.1.1.1, and a hacker on 200.1.1.1 will deceive cn.angel.com.

Cn.angel.com → 200.1.1.1 [query]

Nqy: 1 NAN: 0 NNS: 0 assume: 0 qid: 6573

QY: www.xxx.com

Here NQY and NAN are the flag fields of the query packet; when these two flag bits are "1", it indicates a query packet. We can listen for this packet on 200.1.1.1 and get the ID 6573. Then we send a query to 200.1.1.1 so that it is busy responding to that packet.

1.1.1.1 → 200.1.1.1 [query]

Nqy: 1 NAN: 0 NNS: 0 sad: 0

QY: other.xxx.com

Then the response packet with the predicted qid is sent.

200.1.1.1 → cn.angel.com [Answer]

Nqy: 1 NAN: 0 NNS: 0 assume: 0 qid: 6574

QY: www.xxx.com PTR

AN: www.xxx.com PTR 111.222.333.444

111.222.333.444 is the IP address we specified. Note that when this packet is sent, the ID is the ID value listened to earlier plus 1, as your primary school teacher taught you: 6574 + 1 = 6575. In this way, DNS Spoofing of cn.angel.com is complete, and to it 111.222.333.444 is the IP address of www.xxx.com. If 111.222.333.444 is a computer already under our control, we can change its home page to whatever we want. Then, when a spoofed user connects to www.xxx.com, he thinks the website has been hacked.
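As an added detection-side example (not from the original article), the following Python code scans a constructed sensor log of DNS queries and responses for the two wire-level traces the process above leaves: two responses for one transaction ID carrying different answer data (the forged reply racing the real one), and a response for which no matching query was seen (a reply pre-sent for a predicted ID). It also audits whether a client's query IDs simply increase by 1, the property the process depends on. The log format, hostnames, ports and addresses are constructed from the article's example; 111.222.333.444 is taken from the article and handled as an opaque string because it is not a valid IPv4 address.

```python
"""Detect the traffic pattern of a DNS-spoofing race in a log of observed packets (added example)."""
import re

# Constructed sensor log (not a real capture): one DNS packet per line, written as
# "<seconds> Q|R <client>:<port> <server>:<port> id=<n> q=<name>[ a=<rdata>]".
SAMPLE_LOG = """\
0.000 Q cn.angel.com:1050 200.1.1.1:53 id=6573 q=www.xxx.com
0.020 R cn.angel.com:1050 200.1.1.1:53 id=6573 q=www.xxx.com a=200.1.1.1
1.000 Q cn.angel.com:1051 200.1.1.1:53 id=6574 q=www.xxx.com
1.003 R cn.angel.com:1051 200.1.1.1:53 id=6574 q=www.xxx.com a=111.222.333.444
1.025 R cn.angel.com:1051 200.1.1.1:53 id=6574 q=www.xxx.com a=200.1.1.1
2.000 R cn.angel.com:1052 200.1.1.1:53 id=6575 q=www.xxx.com a=111.222.333.444
3.000 Q cn.angel.com:1053 200.1.1.1:53 id=6575 q=other.xxx.com
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+) (?P<kind>[QR]) (?P<client>\S+) (?P<server>\S+) "
    r"id=(?P<id>\d+) q=(?P<qname>\S+)(?: a=(?P<rdata>\S+))?$")


def parse_log(text):
    """Turn the log into dicts; malformed lines are skipped instead of crashing the detector."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["t"] = float(rec["t"])
            rec["id"] = int(rec["id"])
            records.append(rec)
    return records


def detect_spoofing(records, window=2.0):
    """Return alerts for the two wire-level signs of a guessed-ID spoofing attempt.

    1. conflicting_response: a second reply for an already-answered (client, id, qname)
       with different answer data; the real server and the forger both replied.
    2. unsolicited_response: a reply with no matching query seen within `window` seconds;
       a blind forger that pre-sends replies for predicted IDs produces these.
    """
    pending = {}    # (client, id, qname) -> time the query was seen
    answered = {}   # (client, id, qname) -> first answer data seen
    alerts = []
    for rec in records:
        key = (rec["client"], rec["id"], rec["qname"])
        if rec["kind"] == "Q":
            pending[key] = rec["t"]
            continue
        sent = pending.get(key)
        if sent is None or rec["t"] - sent > window:
            alerts.append({"type": "unsolicited_response", "id": rec["id"],
                           "qname": rec["qname"], "rdata": rec["rdata"], "t": rec["t"]})
            continue
        first = answered.setdefault(key, rec["rdata"])
        if rec["rdata"] != first:
            alerts.append({"type": "conflicting_response", "id": rec["id"],
                           "qname": rec["qname"], "rdata": (first, rec["rdata"]), "t": rec["t"]})
    return alerts


def predictable_ids(records, client):
    """Audit helper: True if every query ID the client sent was the previous one plus 1.

    A resolver that passes this audit is exposed to the ID prediction described in the
    article; a modern resolver draws transaction IDs and source ports at random.
    """
    ids = [r["id"] for r in records
           if r["kind"] == "Q" and r["client"].split(":")[0] == client]
    return len(ids) >= 2 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect_spoofing(recs):
        print(alert)
    print("sequential query IDs from cn.angel.com:", predictable_ids(recs, "cn.angel.com"))
```

On the sample log the detector raises one conflicting_response alert for ID 6574 (the forged 111.222.333.444 answer arrived 22 ms before the genuine 200.1.1.1 answer) and one unsolicited_response alert for ID 6575, and the audit reports that cn.angel.com's query IDs are sequential. In a real deployment the same logic runs over a resolver's query log or a passive DNS capture, and a conflicting_response alert is worth treating as an incident even when the resolver happened to accept the genuine answer.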

Defense against DNS Spoofing

So how can we defeat this attack? It is also very simple. You can access important services directly by IP address, which basically avoids DNS spoofing attacks. The most fundamental solution is to encrypt all external data streams: on the server, try to use protocols with encryption support such as SSH, and use software such as PGP to encrypt all data sent to the network. Easy to say, hard to do!

Heikeangel forever

2002.10.1 completed
