DNS spoofing

Theory

DNS is not multicast or broadcast like LLMNR, NBT-NS or mDNS. In order to answer DNS requests, attacker first need to receive them. For instance, this can be achieved with ARP spoofing or DHCPv6 spoofing. DNS spoofing is basically setting up a DNS server and answering DNS queries obtained through man-in-the-middle technique.

Practice

Responder's (Python) DNS server feature can be used to answer DNS queries.

responder --interface "eth0"
responder -I "eth0"

dnschef (Python) can be used as a DNS server.

dnschef --fakeip 'Pentest_IP_Address' --interface 'Pentest_IP_Address' --port 53 --logfile dnschef.log

In order to spoof DNS requests, bettercap (Go) can be used. This tool can also be used for the first step of ARP spoofing or DHCPv6 spoofing.

set dns.spoof.domains $DOMAIN_FQDN
set dns.spoof.all true
dns.spoof on

Resources

dns.spoof :: bettercap

PreviousARP poisoning NextDHCP poisoning

Last updated 2 months ago