DNS spoofing technology

Tags: dns spoofing

Author: Spacefox, Secure Sphere Crew
Conan, OS3 (Open Source Software Society)/CICC Singapore (Center of International Cooperation for Computerization in Singapore)
Source: EvilOctal Information Security Team (www.eviloctal.com)

Overview: What is DNS spoofing?

DNS spoofing is the art of replacing the IP address that DNS would normally return with one of the attacker's choosing. An example makes this clearer. Suppose you want to search for something on google. You type google's address into the browser's address bar without a second thought and press Enter.

What happens behind the scenes? Your browser sends a request to its DNS server asking for google's IP address. If a matching record exists, the DNS server tells your browser the IP address, your browser connects to it, and the homepage appears. But wait: the page that opens says google has run out of money to pay for the site and has moved it elsewhere. Surprised, you phone your friends to tell them, and they laugh at you, because they can still reach google and search on it normally. Are you sure the IP address you are talking to is the friendly one? Maybe you have become a sheep in the pen. If you type google's real IP address directly into the address bar (http:// followed by the address) and press Enter, you find that the site is, in fact, perfectly healthy.

This is what a victim of DNS hijacking may see. Imagine how much worse it would be if the page you were redirected to silently served malware. Do you want to know the trick behind it? Did the DNS server hand us a wrong IP address? Perhaps so; at least, that is the most logical explanation that comes to mind.

There are, in fact, two ways to achieve DNS hijacking. Let's look at the first one.

A) DNS cache poisoning

As you can imagine, a DNS server cannot hold every domain name and IP address in existence in its own database. This is why a DNS server has a cache, which lets it store DNS records for a period of time.

A DNS server only holds authoritative records for the hosts in its own zone. If it needs to know about a host outside its zone, it must send a request to the DNS server responsible for that host's domain. It then records the information the other server returned, so that it does not have to repeat the request every time.

Now let's see how a DNS cache is poisoned.

The attacker owns a domain (attacker.net) and a DNS server for it (ns.attacker.net). Note! I call it a "hacked" DNS server because the attacker has customised the records of his own server. For example, the records can contain

www.google.com = the IP address of the attacker's own server

1) The attacker sends a query for a host in his own domain to your DNS server.

2) Your DNS server does not know that host's IP address, because the host is not in its own zone, so it asks the DNS server responsible for that domain.

3) The hacked DNS server replies to your DNS server, and along with the answer it hands over all of its records, including the one for www.google.com. Note that this process is called a zone transfer.

4) Your DNS server is now poisoned. The attacker receives the IP address of his own host, but obtaining the address of his own web server was never the goal; the goal was to force the zone transfer that poisons your DNS server's cache, where the records stay until the cache expires or is refreshed.

5) Now, if you ask your DNS server for the address of www.google.com, it hands you the IP address of the attacker's server! From here the attacker can do whatever he likes, such as planting malware on the page ...... and of course this also causes google considerable losses.
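The poisoning above works only if your DNS server caches every record the other server hands it. The check that closes this hole is the bailiwick rule: a reply from a server authoritative for attacker.net may only teach the cache about names inside attacker.net, so a record for www.google.com riding along in that reply is discarded. The following is an added example, not code from the article; the record list it filters is constructed, and the addresses come from documentation ranges (192.0.2.0/24, 198.51.100.0/24).

```python
# Added example (not from the article): a bailiwick check, the rule that lets a resolver
# refuse the poison record in the attack described above. All names and addresses are
# constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.

def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it.
    Comparison is case-insensitive and ignores a trailing dot; the leading '.' in the
    suffix test stops 'evilgoogle.com' from passing for zone 'google.com'."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if zone == "":              # the root zone contains every name
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(records, zone):
    """Split a reply's records into those the resolver may cache and those it must discard.
    `records`: list of (owner, rtype, rdata) tuples as a DNS parser would yield them.
    `zone`: the zone the server that answered is authoritative for (its bailiwick)."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


# Constructed reply that ns.attacker.net might return when asked about www.attacker.net:
# the legitimate answer and glue, plus an unsolicited record for www.google.com.
POISONED_REPLY = [
    ("www.attacker.net", "A", "192.0.2.10"),
    ("attacker.net", "NS", "ns.attacker.net"),
    ("ns.attacker.net", "A", "192.0.2.53"),
    ("www.google.com", "A", "198.51.100.7"),   # the poison: not under attacker.net
]


def cache_from_reply(records, zone, cache=None):
    """Apply the rule the way a hardened resolver does: only in-bailiwick records enter the cache."""
    cache = {} if cache is None else cache
    accepted, _ = filter_response(records, zone)
    for owner, rtype, rdata in accepted:
        cache.setdefault((owner.lower().rstrip("."), rtype), []).append(rdata)
    return cache


if __name__ == "__main__":
    cache = cache_from_reply(POISONED_REPLY, "attacker.net")
    print("cached:", sorted(cache))                      # no entry for www.google.com
    print("www.google.com in cache:", ("www.google.com", "A") in cache)
```

The zone passed to filter_response is the one the answering server is authoritative for, not the name that was queried: glue such as ns1.google.com returned by a .com server is legitimately in bailiwick, while www.google.com returned by ns.attacker.net is not.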
B) DNS ID spoofing

We saw that when host X wants to contact host Y, it needs Y's IP address; but in most cases X only knows Y's name. The DNS protocol is what resolves the name into an IP address.

So X asks the DNS server of its domain for Y's IP address. Along with the request, X sends a random number, the transaction ID, which must also appear in the reply from the DNS server. When the reply arrives, X compares the two IDs; if they match, the reply is accepted as valid.

Is such a model secure? Not very. Anyone able to learn this ID can mount an attack. On a LAN, for instance, someone else can capture your request (and its ID) with a sniffer and then forge a reply carrying that ID ...... but containing an IP address of the attacker's choosing. X, unable to tell the difference, accepts the attacker's address as Y's.

By the way, DNS requests travel over UDP (TCP is used only for zone transfers), which makes sending a forged packet extremely simple: there are no SYN/ACK sequence numbers, so unlike TCP, UDP offers no protection at all against IP spoofing.


Such attacks have limits, however. In my example above, the attacker captures an ID with a sniffer and sends a forged reply to the victim host. But even though the attacker has intercepted the request, the request still reaches the DNS server, and the DNS server will also reply (unless the attacker blocks the request at the gateway or poisons ARP caches, which is what makes the attack possible on a switched network). This means the attacker must get his reply in before the real DNS server does. To succeed, then, the attacker must sit on the same LAN as the victim; only there does he have low enough latency and the ability to capture the other side's packets.
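The fact that the real DNS server still answers gives the defender something to look for: a host that is being spoofed receives two replies with the same transaction ID for the same name but different answers, and a forged reply that guesses wrong arrives with an ID nobody asked for. The detector below is an added example, not part of the article; it runs over a constructed capture excerpt in a simple one-message-per-line format, with addresses from documentation ranges.

```python
# Added example (not from the article): spotting the ID-spoofing race on the wire.
# The capture lines are constructed; addresses come from documentation ranges.
import re
from collections import defaultdict

# Constructed capture excerpt: one line per DNS message seen at the client.
# Columns: time, Q (query) or R (response), transaction ID, queried name, answer ('-' for queries).
CAPTURE = """\
14:02:01.000 Q 0x1a2b www.google.com -
14:02:01.004 R 0x1a2b www.google.com 198.51.100.7
14:02:01.021 R 0x1a2b www.google.com 203.0.113.20
14:02:05.000 Q 0x77c0 mail.example.net -
14:02:05.030 R 0x77c0 mail.example.net 192.0.2.25
14:02:09.000 R 0x5555 www.example.org 198.51.100.9
"""

LINE = re.compile(r"^(\S+)\s+([QR])\s+(0x[0-9a-fA-F]{1,4})\s+(\S+)\s+(\S+)$")


def parse(capture):
    """Yield (time, kind, txid, qname, answer) for every well-formed line; skip the rest."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, kind, txid, qname, answer = m.groups()
            yield ts, kind, int(txid, 16), qname.lower().rstrip("."), answer


def detect(capture):
    """Return findings as tuples (kind, txid, qname, detail), in the order they are raised."""
    outstanding = set()                 # (txid, qname) pairs we saw a query for
    answers = defaultdict(list)         # (txid, qname) -> answers received, in arrival order
    findings = []
    for ts, kind, txid, qname, answer in parse(capture):
        key = (txid, qname)
        if kind == "Q":
            outstanding.add(key)
            continue
        if key not in outstanding:
            # a reply to a query this client never sent: a blind or mistimed forgery
            findings.append(("unsolicited-reply", txid, qname, answer))
            continue
        seen = answers[key]
        if seen and answer not in seen:
            # second, conflicting reply to one query: the first one already won the race
            findings.append(("conflicting-replies", txid, qname, seen + [answer]))
        seen.append(answer)
    return findings


if __name__ == "__main__":
    for kind, txid, qname, detail in detect(CAPTURE):
        print(f"{kind:20s} id=0x{txid:04x} {qname} {detail}")
```

The detector cannot tell which of the two conflicting replies was genuine; the client kept the first one, as the article explains, so the alert is the cue to compare the cached answer against an independent resolver.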
Example (for test purposes only)

How to hijack our local network connection:

1. Poison the target host's ARP cache (the specific tools and instructions are described elsewhere).

2. At this point the target host's outbound packets are redirected to your host, but they must still be forwarded on to the real gateway; a tool such as Winroute Pro can do this.

3. To carry out the DNS ID spoofing itself, we use the tool developed by valgasu (install Winpcap before using this tool).

Enter a command of the following form at the command line:

-I 00-C0-26-DD-59-CF -v

This command makes the chosen name point to the chosen address, where 00-C0-26-DD-59-CF is the MAC address of the gateway or DNS server.

Tip: on Windows NT kernels you can use the command nbtstat -A xxx.xxx in CMD to look up the MAC address of a remote IP address.
Warning: Remember! Using these methods without authorization is forbidden!
C) Precise attacks based on the birthday paradox

What is the "birthday paradox"?

The "birthday paradox" is the name given to a mathematical result that produces a surprising phenomenon: if 23 people are in a room together, it is quite likely that two of them share a birthday. It is not that hard to understand.

If you ask someone at a party about his birthday, the probability that it differs from yours is 364/365 = 0.997, and the probability that it is the same is 1 - 364/365 = 0.003.

Now ask a second person. The probability that his birthday differs from both of the previous ones is (364/365) * (363/365) = 0.992, so the probability that some two of them share a birthday is 1 - 0.992 = 0.008.

If we keep going with this calculation, we soon find that the probability that two of 23 people share a birthday reaches 50%. The following C code shows how the probability approaches 1 as the group grows.

#include <stdio.h>
#define POSSIBILITIES 365.0
int main(void) {
    float chances; int i, j;
    for (i = 1; i <= 60; i++) {                 /* i people in the room */
        for (chances = 1.0, j = 1; j < i; j++)  /* P(all i birthdays differ) */
            chances *= (POSSIBILITIES - j) / POSSIBILITIES;
        printf("%d people: %f\n", i, 1.0 - chances);   /* P(some pair shares one) */
    }
    return 0;
}

If you cannot compile the file, you can view the following results:

The birthday paradox is widely used in the analysis of hash functions: for a hash of N bits, a collision is expected after roughly 2^(N/2) trials, not 2^N. This is the principle behind the birthday attack on cryptographic hash functions.

The theory behind the birthday problem has also been applied in the statistical technique known as capture-recapture [Schnabel 1938] to estimate the number of fish in a lake.
Okay, back to my attack test. In the most common DNS spoofing attack described above, we sniff the network to obtain the ID number from X and then reply with the same ID, the reply containing nothing but the IP address of the attacker's choosing.

As I said before, such an attack requires sniffing the DNS traffic X generates. Does this mean an attacker who cannot sniff cannot attack at all?

What about "guessing" the ID?

Why not? But the ID is two bytes long, which means there are 65535 possible values! In other words, to be sure of success the attacker would have to construct 65535 forged replies, each with a different ID, so that at least one of them matches.

Such an attack needs plenty of bandwidth and, more importantly, the attacker has no way of knowing when to send the forged replies: he must first know that the other side has issued a request, and then answer immediately (before the real reply from the DNS server arrives).
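The reasoning above, and the birthday paradox in section C, come down to how much unpredictability a resolver puts into each query. The following added example (not from the article) turns that into numbers: the chance that n blind forged replies hit one outstanding query grows only linearly, whereas with n outstanding queries against n forged replies the two-set birthday bound grows with n^2, which is why a bare 16-bit ID (2^16 = 65536 values) is too little. It also shows the effect of the standard mitigation the article predates, randomising the UDP source port as well as the ID; the query counts used are constructed for illustration.

```python
# Added example (not from the article): the entropy budget behind blind DNS forgery.
# Standard probability only; the query counts are constructed for illustration.
import math

ID_SPACE = 65536                 # 16-bit transaction ID
PORT_SPACE = 65536 - 1024        # ephemeral source ports a resolver can randomise over (1024-65535)


def p_blind(n, space):
    """Attacker fires n forged replies, each with a different ID, at ONE outstanding query
    whose ID is uniform over `space`. P(success) grows only linearly in n."""
    return min(n, space) / space


def p_birthday(n, space):
    """Two-set birthday bound: n outstanding queries (independent random IDs) versus n forged
    replies with distinct IDs. P(no forged ID hits any query) = ((space-n)/space)^n, so the
    success probability grows roughly as n^2/space."""
    if n >= space:
        return 1.0
    return 1.0 - ((space - n) / space) ** n


def entropy_bits(space):
    """Unpredictable bits the attacker has to guess."""
    return math.log2(space)


def compare(n):
    """Success probability with a bare 16-bit ID versus ID plus randomised source port."""
    return {
        "blind_id_only": p_blind(n, ID_SPACE),
        "birthday_id_only": p_birthday(n, ID_SPACE),
        "birthday_id_and_port": p_birthday(n, ID_SPACE * PORT_SPACE),
    }


if __name__ == "__main__":
    for n in (1, 100, 300, 1000):
        r = compare(n)
        print(f"n={n:5d}  blind={r['blind_id_only']:.5f}  "
              f"birthday={r['birthday_id_only']:.5f}  "
              f"with ports={r['birthday_id_and_port']:.2e}")
    print(f"entropy: ID only {entropy_bits(ID_SPACE):.0f} bits, "
          f"ID+port {entropy_bits(ID_SPACE * PORT_SPACE):.1f} bits")
```

With 300 outstanding queries the birthday bound on a 16-bit ID is already about 0.75, while 300 blind replies at a single query succeed with probability 300/65536; adding a randomised source port multiplies the space by roughly 2^16 and pushes the same 300-query figure down to about 2e-5, which is the practical reason resolvers randomise both fields today.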
Let's look at the problem from another angle. We know it is possible to poison the DNS server directly. Recall that the attacker wanted the DNS server to resolve a name in his own domain, and thanks to the malicious zone transfer from ns.attacker.net he could poison the DNS server's cache. It is worth noting the limitation of that attack: the attacker must run his own DNS server with malicious records.

So, if an attacker can neither sniff your network traffic nor run his own server, does that mean you are safe from DNS hijacking?

The answer is no.

As I mentioned earlier, DNS replies use UDP. UDP is connectionless, and there is no process like TCP's three-way handshake, which makes it very easy to send a UDP packet from any IP address you choose. So why would an attacker
