DNS Spoofing with Dnsmasq

28133

DNS spoofing is a nasty business, and wise Linux admins know at least the basics of how it works. We’re going to learn the basics by doing some simple spoofing with Dnsmasq.

Dnsmasq has long been my first choice for LAN name services. It provides DHCP, DNS, and DHCP6, and it also provides a PXE/TFTP boot server. It performs router advertisement for IPv6 hosts, and can act as an authoritative name server. (See Dnsmasq For Easy LAN Name Services to learn the basics.)

DNS Spoofing Bad

DNS spoofing is a bad thing. A couple of legitimate uses I can think of are easier testing of locked smartphones, when they need to be jailbroken to edit their hosts files, or playing “funny” pranks on the people who use your Dnsmasq server. DNS spoofing is forgery; it’s faking a DNS entry to hijack site traffic. Some governments and businesses do this to control their people’s Internet activities. It is an effective monkey-in-the-middle trick for eavesdropping and altering packets. HTTP sessions are sent in the clear, so an eavesdropper sees everything. HTTPS sessions are also vulnerable; packet headers are not encrypted (they can’t be, as random routers need to read them), and there are tools like sslstrip that break SSL.

The good news is that DNS spoofing is self-limiting, because it only works on DNS servers that you control, and savvy users can find other servers to use.

Conquering Network Manager on Ubuntu

Network Manager is nice when you’re running your machine as a client, especially for auto-configuring wireless interfaces, but it has its quirks when you want to do anything your way, like run Dnsmasq. The easy way is to disable Network Manager and manually configure your network interface; then you can play with Dnsmasq without fighting Network Manager.

Another way is to make them play nice together. On Ubuntu, Network Manager uses dnsmasq-base, which is not the complete Dnsmasq. Follow these steps to get real Dnsmasq up and running:

  • sudo apt-get install dnsmasq resolvconf
  • Comment out dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf
  • Stop Dnsmasq with sudo killall -9 dnsmasq
  • After configuring Dnsmasq, restart Network Manager with sudo service network-manager restart

Then configure and start Dnsmasq as shown in the following steps.

Simple Dnsmasq Spoofing

Install Dnsmasq and then create a new empty /etc/dnsmasq.conf. Save a copy of the original installed copy as a reference, and you should also have dnsmasq.conf.example somewhere, depending where your particular Linux flavor puts it.

Add these lines to /etc/dnsmasq.conf. Replace 192.168.1.10 with your own IP address:

server=208.67.222.222
server=208.67.220.220
listen-address=127.0.0.1
listen-address=192.168.1.10
no-dhcp-interface=
no-hosts
addn-hosts=/etc/dnsmasq.d/spoof.hosts

The server lines configure which DNS servers handle your Internet DNS requests. This example uses the free OpenDNS servers.

listen-address tells Dnsmasq which addresses to listen on. You must enter 127.0.0.1, and then also the IP address of your machine.

no-dhcp-interface= disables the built-in DHCP server, for fewer complications.

no-hosts disables reading /etc/hosts, again, to keep our testing as simple as possible.

addn-hosts names the file that you are going to enter your DNS spoofs in. It uses the same format as /etc/hosts. For testing purposes you can use fake IP addresses, like this:

192.168.25.101 www.example.com example.com
192.168.25.100 www.example2.com example2.com

Replace example.com with a real site name. Now start Dnsmasq from the command line:

$ sudo dnsmasq --no-daemon --log-queries
dnsmasq: started, version 2.75 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt 
DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack 
ipset auth DNSSEC loop-detect inotify
dnsmasq: using nameserver 208.67.220.220#53
dnsmasq: using nameserver 208.67.222.222#53
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 208.67.220.220#53
dnsmasq: using nameserver 208.67.222.222#53
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
dnsmasq: read /etc/dnsmasq.d/spoof.hosts - 2 addresses

Ctrl+c stops it. This shows that Dnsmasq sees my upstream DNS servers and my spoof file. Test your spoof with the dig command:

$ dig +short @192.168.1.10 example2.com
192.168.25.100

You should see this in your Dnsmasq command output:

dnsmasq: query[A] example2.com from 192.168.1.10
dnsmasq: /etc/dnsmasq.d/spoof.hosts example2.com is 192.168.25.100

Fake Sites

If you successfully trick someone into using your spoof server, you can capture and examine their traffic at your leisure. This highlights the importance of SSL everywhere, and using SSH and OpenVPN. Though even these can be vulnerable, but it takes considerably more expertise than eavesdropping on unencrypted traffic.

Your spoofed IP addresses will not resolve to web sites, but will merely hang if you try to access the sites in a web browser. If you really want to act like a mad phisher, the next step is to build a fake web site to fool site visitors.

Detect Spoofing

The distributed nature of DNS means that DNS spoofing is impossible to implement on a large scale. The simplest test is to use dig to query multiple DNS servers and compare the results. This example queries an OpenDNS server:

$ dig +short @208.67.220.220 example2.com
10.11.12.13

It is good manners to use only public DNS servers and to not abuse private servers. Google’s public DNS is 8.8.8.8 and 8.8.4.4, and you can find many more with a quick web search.

Feed the Kitty

Dnsmasq has been chugging along for years now, while other name servers have come and gone. If you use it, send the maintainer, Simon Kelley, a few bucks because nothing says “thank you” for this excellent software like cash money.

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.