Man-in-the-middle attack: principle, practice, and defense of DNS spoofing

Source: Internet
Author: User
Tags: dnssec, domain server, dns poisoning, dns spoofing

0x01.1 Domain Name System (DNS)

DNS (Domain Name System) maps domain names to IP addresses in the form of a distributed database, and the DNS protocol is the domain name resolution protocol. Simply put, DNS resolves domain names. With DNS we don't need to remember awkward IP addresses; we can reach a server through a relatively memorable domain name, and even if the server changes its IP address we can still reach it through that name. This makes using the Internet much easier.

To help me understand how DNS works, I made a simple figure:

If we want to access www.baidu.com, the first step is to send a DNS request to the local DNS server asking for the IP address of www.baidu.com. If the local DNS server does not find a record for the site in its DNS cache table, it sends a query to a root server. The root server replies with the address of the com domain server. The local DNS server then queries the com domain server, which returns the address of the authoritative name server for baidu.com. The local DNS server then queries the baidu.com name server and obtains the IP address of www.baidu.com. Having obtained the address, the local DNS server returns it to the user in a DNS response packet and stores it in its local DNS cache table.

Commands for viewing and clearing the DNS cache table on Windows:
ipconfig /displaydns
ipconfig /flushdns

0x01.2 DNS Spoofing Principle

Although DNS plays such an important role on the Internet, its designers did not consider certain security issues when designing the DNS protocol, which leaves DNS with security risks and defects.

DNS spoofing exploits a very serious security defect in the design of the DNS protocol.

First, the attacker sends a constructed ARP response packet to the target machine (for more on ARP spoofing, see the companion article "Man-in-the-middle attack: principle, practice, and defense of ARP spoofing"), sniffs the DNS request packet sent by the target, analyzes the packet to obtain its transaction ID and port number, and sends a self-constructed DNS response packet to the target. When the target receives this DNS response packet, it finds that the ID and port number match, so it saves the domain name and corresponding IP address from the packet in its DNS cache table; when the real DNS response packet arrives later, it is discarded.

Assume that the DNS request packet sent from the target has the following content:
Source address: 192.168.1.57
Destination address: ns.baidu.com
Source port: 1234
Destination port: 53 (DNS port)
Data: www.baidu.com

Our forged DNS response package is as follows:
Source address: ns.baidu.com
Destination address: 192.168.1.57
Source port: 53 (DNS port)
Destination port: 1234
Data: www.baidu.com 192.168.1.59

After receiving the response packet, the target host saves the domain name and corresponding IP address in its DNS cache table; in this way, www.baidu.com is directed to 192.168.1.59.
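To make the acceptance rule above concrete from the defender's side, here is an added example (not from the original article) that parses raw DNS responses and flags two replies for the same client port, transaction ID and name that disagree on the answer, which is exactly what a sniffer beside the victim sees during this attack. The source address 203.0.113.53 and the genuine answer 203.0.113.80 are placeholders, and build_a_response exists only to construct the sample packets.

```python
import struct

def _read_name(pkt, off):
    # Decode a DNS name; a compression pointer (RFC 1035 4.1.4) always ends a name, so recurse there.
    labels = []
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        labels.append(pkt[off + 1:off + 1 + pkt[off]].decode("ascii"))
        off += 1 + pkt[off]
    if pkt[off] == 0:
        return ".".join(labels), off + 1
    tail, _ = _read_name(pkt, ((pkt[off] & 0x3F) << 8) | pkt[off + 1])
    return ".".join(labels + [tail]), off + 2

def parse_a_response(pkt):
    # Return (transaction id, question name, list of A-record IPs) from a raw DNS response.
    txid, _flags, qd, an = struct.unpack("!4H", pkt[:8])
    off, qname, ips = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(pkt, off)
        off += 4                                   # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:              # A record: 4-byte IPv4 address
            ips.append(".".join(str(b) for b in pkt[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, qname, ips

def build_a_response(txid, qname, ip):
    # Constructed test data only: minimal response with one A record (name compressed to offset 12).
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + name + struct.pack("!2H", 1, 1) + rr

def detect_conflicting_answers(observed):
    # observed: (source ip, client port, raw response) tuples as a sniffer beside the client sees them.
    # The client keeps the first reply whose ID and port match, so a second reply for the same
    # (port, id, name) carrying different A records means one of the two was forged.
    first, alerts = {}, []
    for src_ip, port, pkt in observed:
        txid, qname, ips = parse_a_response(pkt)
        seen = first.setdefault((port, txid, qname), (src_ip, ips))
        if seen[1] != ips:
            alerts.append((qname, seen, (src_ip, ips)))
    return alerts

# Constructed sample: forged reply (answer 192.168.1.59, as in the article) first, genuine reply second.
SAMPLE = [
    ("203.0.113.53", 1234, build_a_response(0x1A2B, "www.baidu.com", "192.168.1.59")),
    ("203.0.113.53", 1234, build_a_response(0x1A2B, "www.baidu.com", "203.0.113.80")),
]
```

Note that both replies carry the same source address, which is why the detector keys on port, ID and name rather than on the sender.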


0x02.1 DNS Spoofing

Like ARP spoofing, DNS spoofing is also called DNS poisoning. It is a man-in-the-middle attack. I again use virtual machines to simulate the DNS spoofing attack.

The tool used is Ettercap.

First, let's look at the target host:

Clearly, the IP address that www.baidu.com resolves to is correct. Now we use Ettercap to perform DNS spoofing. First, find the etter.dns configuration file, edit it to add an A record that directs www.baidu.com to the local IP address, save and exit, then start spoofing with Ettercap. Now look at the attacked host again: as you can see, access to the domain name www.baidu.com on the target host has been directed to 192.168.1.59. Opening the domain name in the browser now leads to a web server set up beforehand. This is a successful DNS spoofing attack. I won't say more about it; everyone knows it is commonly used for phishing, Trojans, and so on.

0x02.2 Prevention of DNS Spoofing

DNS spoofing is difficult to defend against effectively, because it is usually discovered only after the attack has happened. This newbie offers the following suggestions for avoiding DNS spoofing:

1. A successful DNS spoofing attack also requires ARP spoofing, so first of all prevent ARP spoofing attacks.
2. Do not rely on DNS. Although this is inconvenient, the hosts file can do the same job. Hosts file location on Windows XP/2003/Vista/2008/7: C:\Windows\System32\drivers\etc\hosts; open it in Notepad to edit.
3. Use security detection software to regularly check whether the system is under attack.
4. Use DNSSEC. DNSSEC details: http://baike.baidu.com/view/3421039.htm
