DNS Despoofing

06 Aug 2010

These days I was playing with some well-known tools to perform DNS spoofing in both *nix and windows environment: Dnsspoof (part of the dsniff suite) and WinDNSSpoof, of which I learned only recently.

I was analyzing the generation of DNS replies when I discovered something interesting. Can you spot where the problem is?

The DNS request:

Forged DNS request

The DNS response:

Forged DNS response

Is not difficult to see that, if a request is artificially forged to include arbitrary trailing bytes at the end, these bytes are replicated in the replies of simple DNS spoofers.

These tools, since the response must contain a copy of the hostname queried, simply copy that part of the request using memcpy(), without fully parsing the header.

Thanks to this little oversight, it's easy to find out if we are victims of a DNS attack that use one of these stateless tools. This may not be indispensable, for example, if the attacker is also conducting a MITM attack based on the ARP protocol: we just need to monitor the incoming ARP packets to detect anomalies.

This trick comes in handy when the attacker is located on the router, or on an intermediate host of our network. In this case he is already "in the middle", and just need to monitor the traffic that traverse his machine to capture DNS requests. We may thus detect him, only if we are able to differentiate its behaviour from the behaviour of a valid DNS server.

I wrote a script, quite easy to use, to test if a naive DNS spoofer is intercepting your requests. It’s based on the hping3 TCL shell, which provides a little framework for packet forging.

NOTE: I also considered scapy, but hping requires fewer dependencies and is more portable, and I always prefer not to add extra burdens to users or distributions maintainers. Being a maintainer can be a very frustrating experience when you have to fight against badly organized software. Remember to offer them a beer if you meet the maintainers of the distribution you use at a convention...

Let’s now see how to use the tool:

root@backtrack-base# hping3 exec dns_despoof.tcl
DNS Despoofer - crossbower - 2010
Usage: hping3 exec dns_despoof.tcl <server> <interface> (<action:search|crash>)

root@backtrack-base# hping3 exec dns_despoof.tcl vboxnet0 search

We just launched dns_despoof in search mode.

The IP address is the IP of the DNS server you normally use (e.g. for google's nameservers). You must also provide the interface where to inject the packet. I was running dnsspoof on a virtual machine so I specified the interface vboxnet0.

After running, the script correctly detected a spoofer.

There is also another mode available: crash. This mode injects a malformed packet on the network, in which the hostname requested is not terminated by a null character.

The tools that fail to properly parse the request will exhibit a nice segfault, as the case of WinDNSSpoof.

Dnsspoof, instead, uses the function dh_expand, contained in resolv.h, which is able to detect this type of error. A little snippet of dnsspoof:

if ((i = dn_expand((u_char *)dns, end, p, name, sizeof(name))) < 0)

The output of the tool when started in crash mode is the following:

root@backtrack-base# hping3 exec dns_despoof.tcl vboxnet0 crash
Bullet fired... Try again to search for spoofers:
1) No responses: the spoofer has probably crashed (windnsspoof).
2) Responses: it's a well written spoofer (dnsspoof).

A subsequent test in search mode will allow you to determine whether the tool crashed or not. This may also be used as a sort of fingerprint.

Here’s the source code of the tool. It’s only able to make a request with the name “google.com”, but can be easily adapted:

# DNS Despoofer
# crossbower - 2010
# Usage:
# hping3 exec dns_despoof.tcl <server> <interface> (<action:search|crash>)

# Search spoofers
proc search_spoofers { server interface } {

    # prepare and send DNS probe
    set probe {ip(daddr=,ttl=64)+udp(dport=53,sport=44556)+data(str=\2f\69\01\00\00\01\00\00\00\00\00\00\06\67\6f\6f\67\6c\65\03\63\6f\6d\00\00\01\00\01\70\69\7a\7a\61)};

    set probe [hping setfield ip daddr $server $probe];

    # send probe
    hping send $probe;

    # sniff loop
    while { 1 } {

        # sniff a single packet
        set p [lindex [hping recv $interface] 0];

        # is it the DNS response?
        if { [hping getfield ip proto $p]  != 17      ||
             [hping getfield ip saddr $p]  != $server ||
             [hping getfield udp sport $p] != 53      ||
             [hping getfield udp dport $p] != 44556 } {

        # get data
        set res_data [hping getfield data str $p];
        set result [string match "*pizza*" $res_data];

        if { $result == 0 } {
            puts "No spoofer detected...";
        } else {
            puts "SPOOFER DETECTED!";


# Crash spoofers
proc crash_spoofers { server interface } {

    # prepare and send DNS probe
    set probe {ip(daddr=,ttl=64)+udp(dport=53,sport=44556)+data(str=\2f\69\01\00\00\01\00\00\00\00\00\00\06\67\6f\6f\67\6c\65\03\63\6f\6d\01\00\01\00\01\70\69\7a\7a\61)};

    set probe [hping setfield ip daddr $server $probe];

    # send probe
    hping send $probe;

    puts "Bullet fired... Try again to search for spoofers:\n1) No responses: the spoofer is probably crashed (windnsspoof).\n2) Responses: it's a well written spoofer (dnsspoof).";

# Usage
proc usage {} {
    puts "DNS Despoofer - crossbower - 2010\nUsage:\n  hping3 exec dns_despoof.tcl <server> <interface> (<action:search|crash>)";
    exit 250;

# Main

# get dns server
set server [lindex $argv 0];
set interface [lindex $argv 1];
set action [lindex $argv 2];

# check args
if { $server == "" || $interface == "" } { usage }

# simple trick to initialize libpcap
set p [lindex [hping recv $interface 1] 0];

# check action
if { $action == "" || $action == "search" } {
    search_spoofers $server $interface;
} elseif { $action == "crash" } {
    crash_spoofers $server $interface;
} else {

exit 0;

The same code on pastebin: http://pastebin.com/78y4snFk.