Introduction to DNS Cache Poisoning (or DNS Spoofing)
The Domain Name System (DNS) is a hierarchical naming system used across networks to resolve human-readable domain names such as www.example.com into machine-usable IP addresses like 192.0.2.1.
DNS cache poisoning, also known as DNS spoofing, is a type of cyber attack in which hackers exploit weaknesses in the Domain Name System (DNS) to divert traffic from legitimate servers to malicious ones. The attacker does this by corrupting the DNS cache, the temporary database in which a DNS server keeps the records it has recently resolved for websites and other domains.
You know how DNS servers resolve human-readable domain names into IP addresses, right? When you type in www.example.com, it takes you to 93.184.216.34. Well, when a user wants to visit a website, their computer sends a DNS query through the network until it reaches a DNS server that can figure out which IP address matches that domain name. From there, the client connects to that address.
So during this attack, hackers insert false entries into the DNS cache I mentioned earlier. This way, requests for a legitimate site are sent somewhere else entirely, to a host controlled by the attacker. That malicious site can then be used for phishing, spreading malware, or stealing sensitive information.
Demonstration of DNS Spoofing using DNSMASQ
In this lab, we’ll explore DNS spoofing by performing it from a Kali Linux attacker machine against Metasploitable as the victim. We’ll use:
- dnsmasq, a lightweight DNS forwarder and DHCP server, which we’ll use to set up a malicious DNS server, and
- ettercap, a comprehensive suite for man-in-the-middle attacks on a LAN, which we’ll use to execute the attack.
You can refer to Setup Lab Environment for CompTIA PenTest+ Exam (PT0-002) if you don't have a lab in which to practice DNS cache poisoning.
- Kali Linux: Your attacker machine where you’ll run DNS spoofing tools.
- Metasploitable: A victim/target machine for the attack. Make sure it uses the attacker’s DNS server.
- Network Configuration: All VMs in your lab should be on the same virtual network so they can talk to each other.
Step 1. Configure the Malicious DNS Server with dnsmasq
First, install dnsmasq (if it is not installed already):
apt-get install dnsmasq
Configure dnsmasq to perform the DNS spoofing. Open the configuration file:
sudo nano /etc/dnsmasq.conf
Add the following line to redirect all DNS requests for example.com to the attacker's IP address. Replace 10.10.1.10 with your Kali Linux VM's IP address:
address=/example.com/10.10.1.10
Restart dnsmasq to apply the changes:
sudo systemctl restart dnsmasq
Ensure dnsmasq is running:
sudo systemctl status dnsmasq
Step 2: Perform DNS Spoofing with ettercap
On Kali Linux, launch ettercap
in graphical mode:
sudo ettercap -G
In the ettercap GUI, select Sniffing at startup, choose your sniffing interface and save.
Scan for hosts on the network: Hosts > Scan for hosts.
Select Hosts > Hosts list. You can modify the list by right-clicking on an individual host. In my case I will remove some of the hosts and keep only 10.10.1.11 and 10.10.1.12 for spoofing.
Start ARP poisoning: MITM > ARP poisoning.
Ensure "Sniff remote connections" is checked and confirm.
Now that ARP poisoning is set up, all traffic from the Metasploitable VM should flow through the Kali Linux VM, allowing you to intercept and manipulate DNS requests.
Step 3: Demonstration of the Attack
On the Metasploitable VM, when a user attempts to navigate to example.com, the DNS request will be intercepted by the Kali Linux VM. Due to the dnsmasq configuration, the request will be answered with the malicious IP address specified in dnsmasq, simulating a DNS spoofing attack.
To test this, connect to the Metasploitable VM terminal or console and execute:
nslookup example.com 10.10.1.10
Replace 10.10.1.10 with the address you have given for DNS resolution in dnsmasq. This command tells nslookup to resolve example.com using the DNS server at 10.10.1.10. If your DNS spoofing setup is working correctly, the response should show the spoofed IP address you configured in dnsmasq, not the real IP address of example.com.
dig is another DNS querying tool that is more flexible than nslookup and provides detailed information about the query. Execute the following command, substituting example.com with your target domain and 10.10.1.10 with the IP address of your Kali Linux DNS server:
dig @10.10.1.10 example.com
The output will provide detailed information about the DNS query, including the ANSWER SECTION, which shows the spoofed IP address if your DNS spoofing is successful.
Step 4. Analyzing the results with Wireshark
I triggered tcpdump to capture the packet trace between the Metasploitable and Kali Linux VMs so we can also validate the outcome in Wireshark. I executed the following command on Kali Linux and then ran nslookup from the Metasploitable VM:
tcpdump -i eth0 -w /tmp/dns_spoofing.pcap
Here is a snippet of the Wireshark packet capture for the response received. The Answers section lists example.com and the spoofed IP address we had set up with dnsmasq.
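To validate the capture (or a dig/nslookup reply) without reading packet bytes by hand, here is an added example that is not part of the original lab: a small Python parser for DNS response messages that extracts the A answers and flags any whose address differs from a baseline you obtained from a trusted resolver. SAMPLE is a constructed reply matching what the lab's dnsmasq returns (example.com A 10.10.1.10, TTL 3600); the baseline 93.184.216.34 is the address given for example.com in the introduction.

```python
# Added example, not from the original lab: parse a raw DNS response (the UDP payload of
# a reply from the tcpdump pcap, or from a dig/nslookup run) and flag A answers that do
# not match the address a trusted resolver returns for that name. SAMPLE below is a
# constructed reply of the kind the lab's dnsmasq returns, not a real capture.
import struct

def read_name(msg, off):
    """Decode a possibly compressed DNS name at offset; return (name, offset after it)."""
    labels, jumped, after = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer, RFC 1035 4.1.4
            if not jumped:
                after = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (after if jumped else off)

def parse_a_answers(msg):
    """Return [(name, ttl, ipv4), ...] for A records in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A record
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers

def find_spoofed(msg, expected):
    """Answers whose A record differs from the expected (trusted-resolver) address."""
    return [(n, ttl, ip) for n, ttl, ip in parse_a_answers(msg)
            if n in expected and ip != expected[n]]

# Constructed reply: ID 0x1234, standard response, one question, one answer:
# example.com IN A 10.10.1.10 with TTL 3600 (the value dnsmasq returned in the lab).
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
          b"\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x0a\x0a\x01\x0a")
```

To run it on the lab capture, export the UDP payload of a DNS response from /tmp/dns_spoofing.pcap (Wireshark's File > Export Packet Bytes on the DNS layer) and pass those bytes as msg.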
Demonstration of DNS Spoofing using ETTERCAP
Ettercap is installed by default on Kali Linux. We will use the same setup, with Metasploitable and DVWA acting as the client that sends DNS requests, which Ettercap on Kali Linux will spoof.
Step 1: Configuring Ettercap for DNS Spoofing
Ettercap's functionality extends beyond ARP poisoning to include a DNS spoofing plugin, which we'll configure to intercept and modify DNS queries on the fly. Modify /etc/ettercap/etter.dns and append an entry for each domain you wish to spoof with the corresponding address you want it to resolve to. In our case we will use example.com and resolve it to our Kali Linux IP, i.e. 10.10.1.10:
example.com A 10.10.1.10
Step 2: Enabling IP Forwarding
To ensure that your machine can forward the intercepted traffic, enable IP forwarding (run this as root, since the redirection is performed by the shell):
echo 1 > /proc/sys/net/ipv4/ip_forward
Step 3: Install DNS Spoof Plugin
We need to activate the DNS spoof plugin, which can be done either via the GUI or the CLI. If you are using the GUI session, navigate to Plugins in the menu and select Manage plugins.
Next you will get a list of supported plugins. Right-click dns_spoof and click Activate to activate the plugin.
You should see the message Activating dns_spoof plugin…, which means the plugin is active.
If you prefer the CLI, execute the command below, which should produce the same output (replace <interface> with your actual interface, such as eth0):
ettercap -Tq -M arp:remote -P dns_spoof -i <interface>
Step 4: Monitoring and Verification
While Ettercap runs, it's vital to monitor the network to ensure the spoofing is effective. You can now connect to the DVWA or Metasploitable VM terminal or console and re-execute the nslookup and dig commands given in the previous section:
dig @10.10.1.10 example.com
nslookup example.com 10.10.1.10
The output should confirm that DNS requests for the targeted domains are redirected to the specified IP addresses. You can also monitor the ettercap output:
dns_spoof: A [example.com] spoofed to [10.10.1.10] TTL [3600 s]
dns_spoof: A [example.com] spoofed to [10.10.1.10] TTL [3600 s]
Summary
Cyberattackers use DNS cache poisoning or DNS spoofing to manipulate domain name system (DNS) responses, redirecting users to fraudulent websites and thereby compromising internet communication. These attackers exploit vulnerabilities in the DNS protocol, slipping fake address records into the DNS cache. Legitimate requests are redirected to malicious sites as a result. This event might lead to the theft of sensitive information, malware distribution, or phishing scams. Understanding and defending against this particular kind of cyber attack is pivotal for maintaining network infrastructure security and protecting users from any potential threats and privacy breaches down the line.