how can I use dig to initiate DNS cache poisoning so that all queries sent to the server will return my IP address instead? I tried researching this but I have yet to find the ideal answer.
1 Answer
With a DNS cache poisoning attack, an attacker can make the DNS server return wrong results. Typically, this is done by requesting a domain under the attacker's control. While it is possible to poison the entries for multiple victim domains, the attack is usually performed against one or a couple of victim domains. It is not possible to poison all domains with this attack.
The DNS server forwards this request to the nameserver of the attacker, and may initiate multiple requests for various subdomains. There are 2 typical attack variants:
- The response of the attacker's nameserver includes additional records for the victim's domain.
- The attacker tries to find out the UDP port assignment scheme, in order to guess how a valid reply would look. The attacker then requests the victim's domain and immediately sends a fake response, hoping that their response beats the victim's.
dig is a client-side tool you can use to initiate the request. In order to perform a DNS poisoning attack, you need to have a nameserver at your domain under your control (or use a suitably-configured one set up by somebody else).
For variant 1, the request must be for the attacker's domain name and go to the target DNS server.
For variant 2, after an initial request to determine the server's UDP port assignment scheme, you can use dig to send a request for the victim domain.
In any case, after the attack, you can use dig to confirm that the attack was successful, simply by requesting the victim domain and record type you poisoned and seeing whether this is the fake or real value.
To find out how to run dig, refer to its manpage.

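The answer above describes variant 1 but not the resolver-side defence against it. As an added example that is not part of the original answer, here is the "bailiwick" check a caching resolver applies: records in a reply from the server delegated for `attacker.example` are only cached if their owner name lies inside that zone, so a smuggled record for the victim's domain is dropped. All names, addresses and the sample reply are constructed for illustration.

```python
from __future__ import annotations
from typing import Iterable, NamedTuple


class RR(NamedTuple):
    name: str    # owner name, e.g. "www.victim.example."
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. "198.51.100.7"


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive and the trailing dot is optional.
    return name.rstrip(".").lower().split(".")


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when `owner` is `zone` itself or a name beneath it.

    Compared label by label, not as a string suffix, so that
    "evilattacker.example" is NOT treated as being under "attacker.example".
    """
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[-len(z):] == z


def filter_response(zone: str, records: Iterable[RR]) -> tuple[list[RR], list[RR]]:
    """Split a reply from the server delegated for `zone` into the records a
    resolver may cache and the out-of-bailiwick records it must discard."""
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed sample reply (variant 1): the answer and the glue are legitimate,
# but the additional section volunteers an A record for the victim's domain
# and one for a look-alike name that a naive suffix check would accept.
SAMPLE_REPLY = [
    RR("lure.attacker.example.", "A", "203.0.113.5"),   # answer section
    RR("ns1.attacker.example.", "A", "203.0.113.2"),    # legitimate glue
    RR("www.victim.example.", "A", "203.0.113.5"),      # poison attempt
    RR("evilattacker.example.", "A", "203.0.113.9"),    # suffix trick
]

if __name__ == "__main__":
    ok, dropped = filter_response("attacker.example", SAMPLE_REPLY)
    for rr in ok:
        print("cache:", rr)
    for rr in dropped:
        print("drop: ", rr)
```

Modern resolvers apply this check together with source-port randomisation, which is the mitigation for variant 2.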