A1: dnsmasq

Assignment Series #A1 dnsmasq

Spoofing Exercise

1. Task description

Sometimes a security analyst wants to redirect some or all of the IP addresses of a domain by replying with spoofed DNS responses to a client's DNS request. For this purpose, you could use a fake DNS server that intentionally tells the client the wrong (redirection) IP. Of course, this could also be done by modifying the /etc/hosts file, but the approach presented here is more generic: it catches every name under a domain, not just the names you list by hand. After learning how to configure dnsmasq to spoof any specific domain, you have to answer the following questions:

Let's assume you want to perform this DNS spoofing within your corporate network (only for yourself, not for others). Adding the 8.8.8.8 Google DNS upstream server would not work in a corporate network situation, assuming your firewall is blocking direct DNS traffic to the Internet.

  1. What DNS upstream server would make sense for you? What would you choose?
  2. Explain how to configure wildcard spoofing for *.wikipedia.org in your spoofing.conf file. Any DNS query for something.wikipedia.org should be answered with 127.0.0.1.

2. Answer and Solution

  1. If direct DNS traffic is blocked, so that I can't use any public DNS server like 8.8.8.8 (Google) or 9.9.9.9 (Quad9), I'd configure the internal corporate DNS server as the dnsmasq upstream server (the one my machine already gets via DHCP, set with dnsmasq's server= option) and point my local resolver settings at 127.0.0.1, so that every lookup goes through dnsmasq first and only the non-spoofed names are forwarded to the internal resolver.

  2. To configure wildcard spoofing for a domain, I have to edit the /etc/dnsmasq.d/spoofing.conf file (make sure dnsmasq actually reads that directory via conf-dir in /etc/dnsmasq.conf) and add:

    address=/.wikipedia.org/127.0.0.1

    With this line dnsmasq answers queries for any name under wikipedia.org with 127.0.0.1 itself and never forwards them upstream. dnsmasq has to be restarted (or reloaded) after editing the file for the change to take effect.

    Testing if spoofing works for *.wikipedia.org:
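The test step itself is not shown on the page. As an added example (not part of the original assignment), here is a small Python client that sends a raw DNS A query to the local dnsmasq and checks whether the answer is the spoofed address, so the check works even on a box without dig. It assumes dnsmasq is listening on 127.0.0.1:53 with the address= line above in place; SAMPLE_RESPONSE is a hand-built packet (constructed, not captured from a real server) used to exercise the parser offline.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id, fine for a one-shot local test

# Constructed reply dnsmasq would give for "en.wikipedia.org A" under
# address=/.wikipedia.org/127.0.0.1 (assumed layout, built by hand):
#   header: id 0x1234, flags 0x8180 (response, RD, RA), 1 question, 1 answer
#   answer: name pointer to offset 12, type A, class IN, TTL 0, 127.0.0.1
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x02en\x09wikipedia\x03org\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\x7f\x00\x00\x01"
)


def build_query(name, txid=TXID):
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, jump
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg, txid=TXID):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (unexpected reply?)")
    if flags & 0xF:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def query_a(name, server="127.0.0.1", port=53, timeout=2.0):
    """Send an A query to the given resolver (the local dnsmasq by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)


def is_spoofed(addrs, spoof_ip="127.0.0.1"):
    """True only if every returned address is the configured spoof target."""
    return bool(addrs) and all(a == spoof_ip for a in addrs)


if __name__ == "__main__":
    # wikipedia names should come back as 127.0.0.1; the control name
    # should be forwarded to the upstream resolver and return a real address.
    for n in ("en.wikipedia.org", "de.wikipedia.org", "example.com"):
        try:
            ans = query_a(n)
            print(n, ans, "SPOOFED" if is_spoofed(ans) else "not spoofed")
        except (OSError, ValueError) as e:
            print(n, "query failed:", e)
```

The control query for a name outside the spoofed domain is the part worth keeping: it confirms that dnsmasq still forwards everything else to the internal resolver and that you have not accidentally cut yourself off. The same check with standard tools is `dig @127.0.0.1 en.wikipedia.org +short`, which should print only 127.0.0.1.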