In a corperate network DnsSpoof can be used to efficiently point clients to internal machines instead on externally mounted ones. Or, it can be used to keep clients from going to certain host names that are not allowed by policy rules.
A really good use of DnsSpoof is to redirect lan clients to an internal server through a DNS query instead of using routing or firewall rules. Lets say you have a web server and it has two interfaces. Once interface is on the outside of the LAN called web.com and one interface is on the inside called web.internal.lan. The ip for web.internal.lan is 10.10.10.1. Many of your users just want to use the external name web.com because it is easy to type and they do not have to remember to use one name on the inside and on on the outside. This is where DnsSpoof comes in. You want your user to use the internal name because the LAN is a lot faster than the external network or you might have to pay for the bandwidth.
You can use the DnsSpoof damon to intercept queries from the lan clients for web.com and respond with the ip address for web.internal.lan (10.10.10.1). The best part is DnsSpoof will only intercept host names you configure the daemon to look for. All other queries go right to your internal DNS server like normal.
You could also setup DnsSpoof to stop clients from going to any hostname you choose. Lets say you have a policy that restricts your users from going to monster.com for one reason or another. You could setup a script to resolve all of the ip addresses accociated with the hostname, but those may change unexpectedly. You can simply tell DnsSpoof to respond to any query to monster.com with another ip like localhost.
Getting Started
First, you must install DnsSpoof on the dns server. DnsSpoof is part of a collection in the "dsniff" collection. dsniff is a set of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.You should be able to find packages for "dsniff" for your distribution or you can simply download the dsniff source from monkey.org.
Once dsniff is in place and dnsspoof is installed we need to setup the config file that will tell the daemon how to act. In the following /etc/dnsspoof.conf file you can see the two examples we talked about before. We are going to send any query for web.com to the internal web server interface 10.10.10.1 and monster.com to localhost (127.0.0.1). You can have as many listing as you need.
Here is an example /etc/dnsspoof.conf configuration file. When dnsspoof sees the host name listed here it will send the ip address back to the client.
## Calomel.org - /etc/dnsspoof.conf 10.10.10.1 web.com 127.0.0.1 monster.com
Starting the DnsSpoof daemon
The dnsspoof deamon will be running on the internal dns server in our example. The DNS server, bind for example, is listening on port 53. DnsSpoof does not listen on a port, but instead listens to the traffic coming in on the currently used bind port 53. If a query comes in that dnsspoof needs to respond to it intercepts the stream and responds to the LAN client with the answer by itself. Bind is never included in the conversation.To start DnsSpoof use the following line. You can also put this line into the /etc/rc.local to start the daemon on boot.
/usr/sbin/dnsspoof -f /etc/dnsspoof.conf
HELPFUL HINT: Check out our DNS Verify (ip to hostname to ip) script. It will help you verify your hostnames match your ip addresses and spot any problems in name resolution.
No comments:
Post a Comment