
DNS Spoofing

Control their DNS. Redirect traffic to your infrastructure. They click, you own them. Poison DNS caches and hijack domains.

Beginner | Phase 1: Network Attacks | Interactive | Dual Perspective

What is DNS Spoofing?

DNS Spoofing (also called DNS cache poisoning) is an attack where fake DNS responses redirect users to malicious websites. When a victim types "bank.com", the attacker's fake DNS response sends them to a phishing site instead of the real bank.

Normal DNS Resolution:

1. User types "google.com" (the browser needs an IP address)
2. Query DNS server: "What's the IP for google.com?"
3. DNS responds: "google.com = 142.250.185.46"
4. Browser connects: the user sees the correct website

DNS Spoofing Attack

Attack Flow:

1. Attacker intercepts the network (via ARP spoofing or a rogue WiFi AP)
2. Victim sends DNS query: "What's the IP for bank.com?"
3. Attacker sends a fake response FIRST: "bank.com = 192.168.1.666 (attacker's phishing site)"
4. Victim connects to the fake site and enters credentials, which the attacker steals

Key: the fake response arrives before the real DNS server's response, and the victim's computer accepts the first answer it receives.

DNS Attack Variants

Local DNS Spoofing: Modify the victim's hosts file or local DNS cache

DNS Cache Poisoning: Inject fake records into a DNS server's cache (affects many users)

DNS Hijacking: Compromise the router or DNS server to redirect all traffic

DNS Spoofing Tools

Attack Tools:

  • dnsspoof: Simple DNS response forging (Kali)
  • Bettercap: Modern framework with DNS module
  • Ettercap: DNS filter plugin for spoofing

Detection Tools:

  • DNSChef: DNS proxy for analysis
  • Wireshark: Inspect DNS traffic for anomalies
  • nslookup/dig: Verify DNS responses

Defense Strategies

  • DNSSEC: DNS Security Extensions cryptographically sign DNS responses
  • Use Trusted DNS: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9)
  • DNS over HTTPS (DoH): Encrypt DNS queries via HTTPS
  • DNS over TLS (DoT): Encrypt DNS via TLS (port 853)
  • VPN: Routes all DNS through an encrypted tunnel
  • Monitor DNS Traffic: Alert on unusual response patterns
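The race described in the Key note and the "Monitor DNS Traffic" defense above can be checked mechanically: the forged answer lands first, but the genuine answer still arrives afterwards with the same transaction ID and a different address. The Python script below is an added example (not code from this page or from any tool it names); it parses raw DNS responses and flags a second, conflicting answer to the same transaction ID, using a constructed two-packet capture whose source IPs and addresses are chosen for illustration only.

```python
import ipaddress
import struct

def parse_name(data, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_offset)."""
    labels, resume = [], None
    while (length := data[off]) != 0:
        if length & 0xC0 == 0xC0:                   # compression pointer: jump, remember resume point
            resume = resume or off + 2
            off = ((length & 0x3F) << 8) | data[off + 1]
        else:
            labels.append(data[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels), resume or off + 1

def parse_response(data):
    """Return (txid, qname, [A-record IPs]) from a wire-format response carrying one question."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    qname, off = parse_name(data, 12)
    ips, off = [], off + 4                          # skip QTYPE and QCLASS of the question
    for _ in range(ancount):
        _, off = parse_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!2HIH", data[off:off + 10])
        if rtype == 1 and rdlen == 4:               # A record
            ips.append(str(ipaddress.IPv4Address(data[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, qname, ips

def detect_spoofing(responses):
    """responses: (source_ip, raw_bytes) pairs in arrival order. Returns a list of alert strings."""
    seen, alerts = {}, []
    for src, raw in responses:
        txid, qname, ips = parse_response(raw)
        for prev_src, prev_ips in seen.get((txid, qname), []):  # same txid answered twice: a race
            if prev_ips != ips:
                alerts.append(f"{qname} txid {txid:#06x}: {prev_ips} from {prev_src} vs {ips} from {src}")
        seen.setdefault((txid, qname), []).append((src, ips))
    return alerts

def build_response(txid, qname, ip, ttl=300):
    """Constructed sample data: a minimal one-answer A response in wire format."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # response flags, 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + name + struct.pack("!2H", 1, 1) + answer

# Constructed capture: the forged answer from a LAN host lands before the resolver's genuine one.
CAPTURE = [("192.168.1.50", build_response(0x1A2B, "bank.com", "192.168.1.66")),
           ("8.8.8.8", build_response(0x1A2B, "bank.com", "203.0.113.10"))]
ALERTS = detect_spoofing(CAPTURE)
```

On a real network the same logic runs over DNS responses captured with Wireshark or tcpdump; a late second answer with a different address for a transaction ID the client already accepted is the signature of the race the attack relies on.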

Example Commands

dnsspoof (redirect google.com to attacker IP):

  dnsspoof -i eth0 -f dns.hosts

Verify DNS response (check for spoofing):

  nslookup bank.com 8.8.8.8

Flush DNS cache (Windows):

  ipconfig /flushdns

DNS Spoofing Simulator

Redirect Traffic by Poisoning DNS Cache

Step 1: Configure Target (/etc/ettercap/etter.dns)

Victim's DNS Cache:

  Domain      Resolved IP     TTL
  google.com  172.217.168.0   245s

Simulator console output:

  ettercap 0.8.3.1
  Kali Linux Rolling (kernel 6.5.0-kali3-amd64)
  ettercap 0.8.3.1 copyright 2001-2023 The Ettercap Dev Team

DNS Spoofing Steps:

  1. Edit Hosts File (Map Domain to IP)
  2. Start Ettercap (DNS Plugin)
  3. Victim Redirected to Fake Site

Copyright © 2025 JMFG. All rights reserved.