DNS spoofing
Figure 28: Application of DNS spoofing
DNS spoofing is applied to the dial-up network, as shown in Figure 28.
The device connects to the PSTN/ISDN network through a dial-up interface and triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.
The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server, if it cannot find a match in the local domain name resolution table. However, without any dial-up connection established, the device cannot obtain the DNS server address and cannot forward or answer the requests from the clients. The domain name cannot be resolved and no traffic triggers the establishment of a dial-up connection.
DNS spoofing can solve the problem. DNS spoofing enables the device to reply the DNS client with a configured IP address when the device does not have a DNS server address or route to a DNS server. Subsequent packets sent by the DNS client trigger the establishment of a dial-up connection with the network.
In the network of Figure 28, a host accesses the HTTP server in following these steps:
The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.
Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. If no match is found and the device does know the DNS server address, the device spoofs the host by replying a configured IP address. The TTL of the DNS reply is 0. Note that the device must have a route to the IP address with the dial-up interface as the outgoing interface.
Upon receiving the reply, the host sends an HTTP request to the replied IP address.
When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up connection with the network and dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
When the DNS reply ages out, the host sends a DNS request to the device again.
Then the device operates the same as a DNS proxy. For more information, see "Operation of a DNS proxy."
After obtaining the IP address of the HTTP server, the host can access the HTTP server.
NOTE:
Because the IP address configured with DNS spoofing is not the actual IP address of the requested domain name, the TTL of the DNS reply is set to 0 to prevent the DNS client from generating incorrect domain name-to-IP address mappings.