Why do spoofed DNS packets get ignored?How can I tell if my ISP is redirecting my DNS queries?Dnsmasq running...
Precision notation for voltmeters
Why do we call complex numbers “numbers” but we don’t consider 2-vectors numbers?
I am the person who abides by rules but breaks the rules . Who am I
How to install "rounded" brake pads
Why do we say 'Pairwise Disjoint', rather than 'Disjoint'?
Was this cameo in Captain Marvel computer generated?
Can I challenge the interviewer to give me a proper technical feedback?
Does an unused member variable take up memory?
Rationale to prefer local variables over instance variables?
If nine coins are tossed, what is the probability that the number of heads is even?
How spaceships determine each other's mass in space?
Is this Paypal Github SDK reference really a dangerous site?
Giving a talk in my old university, how prominently should I tell students my salary?
Can multiple states demand income tax from an LLC?
PTIJ: Sport in the Torah
Should I file my taxes? No income, unemployed, but paid 2k in student loan interest
Why would /etc/passwd be used every time someone executes `ls -l` command?
How to write a chaotic neutral protagonist and prevent my readers from thinking they are evil?
Use Mercury as quenching liquid for swords?
What does it take to become a wilderness skills guide as a business?
Why restrict private health insurance?
A running toilet that stops itself
Was it really inappropriate to write a pull request for the company I interviewed with?
Paper published similar to PhD thesis
Why do spoofed DNS packets get ignored?
How can I tell if my ISP is redirecting my DNS queries?Dnsmasq running on raspberry pi will serve non-local DNS to ethernet but not wireless hostsWhy do DNS service discovery queries for private networks get sent to my ISP?How to block DNS from DHCP on OS X 10.9?ISP DNS conflicts with local DDNSPackets between a DNS recursive resolver and the authoritative servers: do they reveal the client?Role of the DNSDNS hijacking workaround while still using local DNS serverFilter DNS Forwarded responses with BindWhy DNS look up is UDP?
First off, let me clarify that this question refers to a private project that is intended for educational purpose only.
I tried to write my own "DNS spoofer". Don't worry, this question is not related to any coding practices.
The current setup
The operating machine is a MacBook (with OSX) in a local network (so there're some other unimportant devices as well).
There's a basic router that uses another machine (also in the local network) as local DNS server. Although this setup is a little unusual, it should not be the cause of the issue (described below).
The goal
DNS Spoofing - when the MacBook sends a DNS request, send an answer with a fake IP address.
My current approach
I use BPF (Berkeley Packet Filter) to get raw access to the data link layer.
Now, I'm listening for/capturing any queries on the Ethernet network interface of the MacBook (referred to as "MB" in the following part).
I disabled IPv6 on the MB.
I delete the DNS cache on the MB with the following commands:
sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
Procedure
- MB sends a DNS request with some queries
- I create a DNS response with the same queries and answers to all A-Type (IPv4) queries and send this response
- The MB receives to responses: my fake response first, then the real one sent by the real local DNS server
Each fake DNS response packet will include:
- the Ethernet MAC address of the requested DNS server as Ethernet source address
- the IP address of the requested DNS server as IP source address
- the port 53 as source port
- the port as destination port that the DNS request originated from
- a correct IP header checksum
- a correct UDP checksum
It won't include an Frame Check Sequence/Ethernet Checksum.
Each DNS response is sent over the same network interface I'm listening on.
Whenever a query is sent, there'll be two responses:
- the first one sent immediately by the "DNS spoofer", the 'fake' packet/DNS response, arrives before the second
- the second one, the 'real' DNS response, sent by the local DNS server.
I also assumed (although I'm not sure about this) that OSX always picks the first DNS response it gets to resolve a domain name to its IP address.
To sum this up; both DNS responses are equal except that the checksums and the DNS answer IP addresses are different. Also, the 'real' DNS server does not send (for what reason ever) an FCS (Frame Check Sequence). I do, although it is not calculated and just set to zero (zeroed-out).
Issue
OSX seems to ignore the fake DNS responses. Might also be that the OS is overstrained; the behaviour when using Safari to open a Website is the following:
When using Safari and typing "http://some-url.com" into the address bar, nothing happens. It does not connect to the real site nor does it connect to the fake page. The page seems to load forever. Sometimes, after a decade, it connects to the real page.
Example (captured with Wireshark)
A random example.
Request:
0000 b8 27 eb d9 a1 0f 68 4e 43 60 b7 f1 08 00 45 00
0010 00 63 54 a7 00 00 ff 11 81 63 c0 a8 b2 17 c0 a8 .cT§..ÿ..cÀ¨².À¨
0020 b2 16 ec ff 00 35 00 4f 41 84 cb c1 01 00 00 01 ².ìÿ.5.OA.ËÁ....
0030 00 00 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 .
.
Fake Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 ff
0010 00 00 54 a7 00 00 40 11 3f c8 c0 a8 b2 16 c0 a8 ..T§..@.?ÈÀ¨².À¨
0020 b2 17 00 35 ec ff 00 5f 3e 57 cb c1 81 80 00 01 ²..5ìÿ._>WËÁ....
0030 00 01 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 07 08 00 04 ac d9 17 .À...........¬Ù.
0080 8e 00 00 00 00 .....
Real Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 00
0010 00 93 76 8a 40 00 40 11 de 50 c0 a8 b2 16 c0 a8 ..v.@.@.ÞPÀ¨².À¨
0020 b2 17 00 35 ec ff 00 7f b2 2b cb c1 81 80 00 01 ²..5ìÿ..²+ËÁ....
0030 00 03 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 3b 34 .À........<..4;4
0080 47 c0 0c 00 01 00 01 00 00 00 3c 00 04 12 c2 cc GÀ........<...ÂÌ
0090 27 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 1d b8 'À........<..4.¸
00a0 98 .
Any help is highly appreciated. If you need more detail, let me know. If you'd like a bounty, let me know.
networking dns spoofing
|
show 4 more comments
First off, let me clarify that this question refers to a private project that is intended for educational purpose only.
I tried to write my own "DNS spoofer". Don't worry, this question is not related to any coding practices.
The current setup
The operating machine is a MacBook (with OSX) in a local network (so there're some other unimportant devices as well).
There's a basic router that uses another machine (also in the local network) as local DNS server. Although this setup is a little unusual, it should not be the cause of the issue (described below).
The goal
DNS Spoofing - when the MacBook sends a DNS request, send an answer with a fake IP address.
My current approach
I use BPF (Berkeley Packet Filter) to get raw access to the data link layer.
Now, I'm listening for/capturing any queries on the Ethernet network interface of the MacBook (referred to as "MB" in the following part).
I disabled IPv6 on the MB.
I delete the DNS cache on the MB with the following commands:
sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
Procedure
- MB sends a DNS request with some queries
- I create a DNS response with the same queries and answers to all A-Type (IPv4) queries and send this response
- The MB receives to responses: my fake response first, then the real one sent by the real local DNS server
Each fake DNS response packet will include:
- the Ethernet MAC address of the requested DNS server as Ethernet source address
- the IP address of the requested DNS server as IP source address
- the port 53 as source port
- the port as destination port that the DNS request originated from
- a correct IP header checksum
- a correct UDP checksum
It won't include an Frame Check Sequence/Ethernet Checksum.
Each DNS response is sent over the same network interface I'm listening on.
Whenever a query is sent, there'll be two responses:
- the first one sent immediately by the "DNS spoofer", the 'fake' packet/DNS response, arrives before the second
- the second one, the 'real' DNS response, sent by the local DNS server.
I also assumed (although I'm not sure about this) that OSX always picks the first DNS response it gets to resolve a domain name to its IP address.
To sum this up; both DNS responses are equal except that the checksums and the DNS answer IP addresses are different. Also, the 'real' DNS server does not send (for what reason ever) an FCS (Frame Check Sequence). I do, although it is not calculated and just set to zero (zeroed-out).
Issue
OSX seems to ignore the fake DNS responses. Might also be that the OS is overstrained; the behaviour when using Safari to open a Website is the following:
When using Safari and typing "http://some-url.com" into the address bar, nothing happens. It does not connect to the real site nor does it connect to the fake page. The page seems to load forever. Sometimes, after a decade, it connects to the real page.
Example (captured with Wireshark)
A random example.
Request:
0000 b8 27 eb d9 a1 0f 68 4e 43 60 b7 f1 08 00 45 00
0010 00 63 54 a7 00 00 ff 11 81 63 c0 a8 b2 17 c0 a8 .cT§..ÿ..cÀ¨².À¨
0020 b2 16 ec ff 00 35 00 4f 41 84 cb c1 01 00 00 01 ².ìÿ.5.OA.ËÁ....
0030 00 00 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 .
.
Fake Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 ff
0010 00 00 54 a7 00 00 40 11 3f c8 c0 a8 b2 16 c0 a8 ..T§..@.?ÈÀ¨².À¨
0020 b2 17 00 35 ec ff 00 5f 3e 57 cb c1 81 80 00 01 ²..5ìÿ._>WËÁ....
0030 00 01 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 07 08 00 04 ac d9 17 .À...........¬Ù.
0080 8e 00 00 00 00 .....
Real Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 00
0010 00 93 76 8a 40 00 40 11 de 50 c0 a8 b2 16 c0 a8 ..v.@.@.ÞPÀ¨².À¨
0020 b2 17 00 35 ec ff 00 7f b2 2b cb c1 81 80 00 01 ²..5ìÿ..²+ËÁ....
0030 00 03 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 3b 34 .À........<..4;4
0080 47 c0 0c 00 01 00 01 00 00 00 3c 00 04 12 c2 cc GÀ........<...ÂÌ
0090 27 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 1d b8 'À........<..4.¸
00a0 98 .
Any help is highly appreciated. If you need more detail, let me know. If you'd like a bounty, let me know.
networking dns spoofing
what do you mean "genuine IP address 999.999.999.999"?
– Attie
10 hours ago
"genuine" shall mean "real", "true", "original" IP address. 999.999.999.999 is not a real IP address, I didn't want to use a real one. @Attie Is that the reason for the downvote?
– T.Meyer
10 hours ago
I didn't down vote... but you've asked so many questions, gone into depth in weird places, and made so many murky statements that this is very hard to respond to in its current state -999.999.999.999
, "malicious", "Frame Check Sequence". etc... Try to cut out 80% of the content of your question, and focus on what your problem is, asking a single question if possible, and give examples.
– Attie
9 hours ago
Look into things like HSTS and DKIM to understand why this might not be working forfacebook.com
... try using a random / non-existent domain to base your tests on initially.
– Attie
9 hours ago
@T.Meyer this is the sort of thing you bring to a professor at a university, get an answer for an hour, and several pieces of homework just to address the questions in the original text. SuperUser is not the place to get the answers to this.
– Christopher Hostage
5 hours ago
|
show 4 more comments
First off, let me clarify that this question refers to a private project that is intended for educational purpose only.
I tried to write my own "DNS spoofer". Don't worry, this question is not related to any coding practices.
The current setup
The operating machine is a MacBook (with OSX) in a local network (so there're some other unimportant devices as well).
There's a basic router that uses another machine (also in the local network) as local DNS server. Although this setup is a little unusual, it should not be the cause of the issue (described below).
The goal
DNS Spoofing - when the MacBook sends a DNS request, send an answer with a fake IP address.
My current approach
I use BPF (Berkeley Packet Filter) to get raw access to the data link layer.
Now, I'm listening for/capturing any queries on the Ethernet network interface of the MacBook (referred to as "MB" in the following part).
I disabled IPv6 on the MB.
I delete the DNS cache on the MB with the following commands:
sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
Procedure
- MB sends a DNS request with some queries
- I create a DNS response with the same queries and answers to all A-Type (IPv4) queries and send this response
- The MB receives to responses: my fake response first, then the real one sent by the real local DNS server
Each fake DNS response packet will include:
- the Ethernet MAC address of the requested DNS server as Ethernet source address
- the IP address of the requested DNS server as IP source address
- the port 53 as source port
- the port as destination port that the DNS request originated from
- a correct IP header checksum
- a correct UDP checksum
It won't include an Frame Check Sequence/Ethernet Checksum.
Each DNS response is sent over the same network interface I'm listening on.
Whenever a query is sent, there'll be two responses:
- the first one sent immediately by the "DNS spoofer", the 'fake' packet/DNS response, arrives before the second
- the second one, the 'real' DNS response, sent by the local DNS server.
I also assumed (although I'm not sure about this) that OSX always picks the first DNS response it gets to resolve a domain name to its IP address.
To sum this up; both DNS responses are equal except that the checksums and the DNS answer IP addresses are different. Also, the 'real' DNS server does not send (for what reason ever) an FCS (Frame Check Sequence). I do, although it is not calculated and just set to zero (zeroed-out).
Issue
OSX seems to ignore the fake DNS responses. Might also be that the OS is overstrained; the behaviour when using Safari to open a Website is the following:
When using Safari and typing "http://some-url.com" into the address bar, nothing happens. It does not connect to the real site nor does it connect to the fake page. The page seems to load forever. Sometimes, after a decade, it connects to the real page.
Example (captured with Wireshark)
A random example.
Request:
0000 b8 27 eb d9 a1 0f 68 4e 43 60 b7 f1 08 00 45 00
0010 00 63 54 a7 00 00 ff 11 81 63 c0 a8 b2 17 c0 a8 .cT§..ÿ..cÀ¨².À¨
0020 b2 16 ec ff 00 35 00 4f 41 84 cb c1 01 00 00 01 ².ìÿ.5.OA.ËÁ....
0030 00 00 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 .
.
Fake Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 ff
0010 00 00 54 a7 00 00 40 11 3f c8 c0 a8 b2 16 c0 a8 ..T§..@.?ÈÀ¨².À¨
0020 b2 17 00 35 ec ff 00 5f 3e 57 cb c1 81 80 00 01 ²..5ìÿ._>WËÁ....
0030 00 01 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 07 08 00 04 ac d9 17 .À...........¬Ù.
0080 8e 00 00 00 00 .....
Real Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 00
0010 00 93 76 8a 40 00 40 11 de 50 c0 a8 b2 16 c0 a8 ..v.@.@.ÞPÀ¨².À¨
0020 b2 17 00 35 ec ff 00 7f b2 2b cb c1 81 80 00 01 ²..5ìÿ..²+ËÁ....
0030 00 03 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 3b 34 .À........<..4;4
0080 47 c0 0c 00 01 00 01 00 00 00 3c 00 04 12 c2 cc GÀ........<...ÂÌ
0090 27 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 1d b8 'À........<..4.¸
00a0 98 .
Any help is highly appreciated. If you need more detail, let me know. If you'd like a bounty, let me know.
networking dns spoofing
First off, let me clarify that this question refers to a private project that is intended for educational purpose only.
I tried to write my own "DNS spoofer". Don't worry, this question is not related to any coding practices.
The current setup
The operating machine is a MacBook (with OSX) in a local network (so there're some other unimportant devices as well).
There's a basic router that uses another machine (also in the local network) as local DNS server. Although this setup is a little unusual, it should not be the cause of the issue (described below).
The goal
DNS Spoofing - when the MacBook sends a DNS request, send an answer with a fake IP address.
My current approach
I use BPF (Berkeley Packet Filter) to get raw access to the data link layer.
Now, I'm listening for/capturing any queries on the Ethernet network interface of the MacBook (referred to as "MB" in the following part).
I disabled IPv6 on the MB.
I delete the DNS cache on the MB with the following commands:
sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache
Procedure
- MB sends a DNS request with some queries
- I create a DNS response with the same queries and answers to all A-Type (IPv4) queries and send this response
- The MB receives to responses: my fake response first, then the real one sent by the real local DNS server
Each fake DNS response packet will include:
- the Ethernet MAC address of the requested DNS server as Ethernet source address
- the IP address of the requested DNS server as IP source address
- the port 53 as source port
- the port as destination port that the DNS request originated from
- a correct IP header checksum
- a correct UDP checksum
It won't include an Frame Check Sequence/Ethernet Checksum.
Each DNS response is sent over the same network interface I'm listening on.
Whenever a query is sent, there'll be two responses:
- the first one sent immediately by the "DNS spoofer", the 'fake' packet/DNS response, arrives before the second
- the second one, the 'real' DNS response, sent by the local DNS server.
I also assumed (although I'm not sure about this) that OSX always picks the first DNS response it gets to resolve a domain name to its IP address.
To sum this up; both DNS responses are equal except that the checksums and the DNS answer IP addresses are different. Also, the 'real' DNS server does not send (for what reason ever) an FCS (Frame Check Sequence). I do, although it is not calculated and just set to zero (zeroed-out).
Issue
OSX seems to ignore the fake DNS responses. Might also be that the OS is overstrained; the behaviour when using Safari to open a Website is the following:
When using Safari and typing "http://some-url.com" into the address bar, nothing happens. It does not connect to the real site nor does it connect to the fake page. The page seems to load forever. Sometimes, after a decade, it connects to the real page.
Example (captured with Wireshark)
A random example.
Request:
0000 b8 27 eb d9 a1 0f 68 4e 43 60 b7 f1 08 00 45 00
0010 00 63 54 a7 00 00 ff 11 81 63 c0 a8 b2 17 c0 a8 .cT§..ÿ..cÀ¨².À¨
0020 b2 16 ec ff 00 35 00 4f 41 84 cb c1 01 00 00 01 ².ìÿ.5.OA.ËÁ....
0030 00 00 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 .
.
Fake Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 ff
0010 00 00 54 a7 00 00 40 11 3f c8 c0 a8 b2 16 c0 a8 ..T§..@.?ÈÀ¨².À¨
0020 b2 17 00 35 ec ff 00 5f 3e 57 cb c1 81 80 00 01 ²..5ìÿ._>WËÁ....
0030 00 01 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 07 08 00 04 ac d9 17 .À...........¬Ù.
0080 8e 00 00 00 00 .....
Real Response:
0000 68 4e 43 60 b7 f1 b8 27 eb d9 a1 0f 08 00 45 00
0010 00 93 76 8a 40 00 40 11 de 50 c0 a8 b2 16 c0 a8 ..v.@.@.ÞPÀ¨².À¨
0020 b2 17 00 35 ec ff 00 7f b2 2b cb c1 81 80 00 01 ²..5ìÿ..²+ËÁ....
0030 00 03 00 00 00 00 16 63 6f 72 65 2d 62 6f 77 74 .......core-bowt
0040 69 65 2d 31 38 34 32 36 36 33 33 38 38 0c 65 75 ie-1842663388.eu
0050 2d 63 65 6e 74 72 61 6c 2d 31 03 65 6c 62 09 61 -central-1.elb.a
0060 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 mazonaws.com....
0070 01 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 3b 34 .À........<..4;4
0080 47 c0 0c 00 01 00 01 00 00 00 3c 00 04 12 c2 cc GÀ........<...ÂÌ
0090 27 c0 0c 00 01 00 01 00 00 00 3c 00 04 34 1d b8 'À........<..4.¸
00a0 98 .
Any help is highly appreciated. If you need more detail, let me know. If you'd like a bounty, let me know.
networking dns spoofing
networking dns spoofing
edited 5 hours ago
T.Meyer
asked 10 hours ago
T.MeyerT.Meyer
1195
1195
what do you mean "genuine IP address 999.999.999.999"?
– Attie
10 hours ago
"genuine" shall mean "real", "true", "original" IP address. 999.999.999.999 is not a real IP address, I didn't want to use a real one. @Attie Is that the reason for the downvote?
– T.Meyer
10 hours ago
I didn't down vote... but you've asked so many questions, gone into depth in weird places, and made so many murky statements that this is very hard to respond to in its current state -999.999.999.999
, "malicious", "Frame Check Sequence". etc... Try to cut out 80% of the content of your question, and focus on what your problem is, asking a single question if possible, and give examples.
– Attie
9 hours ago
Look into things like HSTS and DKIM to understand why this might not be working forfacebook.com
... try using a random / non-existent domain to base your tests on initially.
– Attie
9 hours ago
@T.Meyer this is the sort of thing you bring to a professor at a university, get an answer for an hour, and several pieces of homework just to address the questions in the original text. SuperUser is not the place to get the answers to this.
– Christopher Hostage
5 hours ago
|
show 4 more comments
what do you mean "genuine IP address 999.999.999.999"?
– Attie
10 hours ago
"genuine" shall mean "real", "true", "original" IP address. 999.999.999.999 is not a real IP address, I didn't want to use a real one. @Attie Is that the reason for the downvote?
– T.Meyer
10 hours ago
I didn't down vote... but you've asked so many questions, gone into depth in weird places, and made so many murky statements that this is very hard to respond to in its current state -999.999.999.999
, "malicious", "Frame Check Sequence". etc... Try to cut out 80% of the content of your question, and focus on what your problem is, asking a single question if possible, and give examples.
– Attie
9 hours ago
Look into things like HSTS and DKIM to understand why this might not be working forfacebook.com
... try using a random / non-existent domain to base your tests on initially.
– Attie
9 hours ago
@T.Meyer this is the sort of thing you bring to a professor at a university, get an answer for an hour, and several pieces of homework just to address the questions in the original text. SuperUser is not the place to get the answers to this.
– Christopher Hostage
5 hours ago
what do you mean "genuine IP address 999.999.999.999"?
– Attie
10 hours ago
what do you mean "genuine IP address 999.999.999.999"?
– Attie
10 hours ago
"genuine" shall mean "real", "true", "original" IP address. 999.999.999.999 is not a real IP address, I didn't want to use a real one. @Attie Is that the reason for the downvote?
– T.Meyer
10 hours ago
"genuine" shall mean "real", "true", "original" IP address. 999.999.999.999 is not a real IP address, I didn't want to use a real one. @Attie Is that the reason for the downvote?
– T.Meyer
10 hours ago
I didn't down vote... but you've asked so many questions, gone into depth in weird places, and made so many murky statements that this is very hard to respond to in its current state -
999.999.999.999
, "malicious", "Frame Check Sequence". etc... Try to cut out 80% of the content of your question, and focus on what your problem is, asking a single question if possible, and give examples.– Attie
9 hours ago
I didn't down vote... but you've asked so many questions, gone into depth in weird places, and made so many murky statements that this is very hard to respond to in its current state -
999.999.999.999
, "malicious", "Frame Check Sequence". etc... Try to cut out 80% of the content of your question, and focus on what your problem is, asking a single question if possible, and give examples.– Attie
9 hours ago
Look into things like HSTS and DKIM to understand why this might not be working for
facebook.com
... try using a random / non-existent domain to base your tests on initially.– Attie
9 hours ago
Look into things like HSTS and DKIM to understand why this might not be working for
facebook.com
... try using a random / non-existent domain to base your tests on initially.– Attie
9 hours ago
@T.Meyer this is the sort of thing you bring to a professor at a university, get an answer for an hour, and several pieces of homework just to address the questions in the original text. SuperUser is not the place to get the answers to this.
– Christopher Hostage
5 hours ago
@T.Meyer this is the sort of thing you bring to a professor at a university, get an answer for an hour, and several pieces of homework just to address the questions in the original text. SuperUser is not the place to get the answers to this.
– Christopher Hostage
5 hours ago
|
show 4 more comments
1 Answer
1
active
oldest
votes
First, Ethernet frames always have FCSes on the wire, but not all Ethernet NICs keep the FCS attached when they pass the received frame up to the host, which means your sniffer can't always see the FCS or know if it was valid or invalid.
So you need to get your FCSes right.
If you don't know for a fact that the version of BPF on your injector/spoofer device's platform, or its NIC driver or hardware, is going to calculate the correct FCS for you if omit it or pad it with zeroes, then you probably have to figure that out first. My guess is that it will NOT fix it for you if you try to inject a packet without it set correctly, so you will probably need to calculate it yourself and insert the correct value at the end of your packet buffer before doing your bpf_write().
Second, I'm just eyeballing your hex dumps, but if I'm mentally decoding it correctly, your DiffServ field looks bogus. Default it to 0x00 instead of 0xff if you don't know what to do with it.
Third, your IP total length field looks bogus (zero). You probably need to calculate it and set it correctly. Be sure to do that before calculating your checksums.
Nothing else jumps out at me. So if I were you, I'd fix those three problems and try again.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1412460%2fwhy-do-spoofed-dns-packets-get-ignored%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
First, Ethernet frames always have FCSes on the wire, but not all Ethernet NICs keep the FCS attached when they pass the received frame up to the host, which means your sniffer can't always see the FCS or know if it was valid or invalid.
So you need to get your FCSes right.
If you don't know for a fact that the version of BPF on your injector/spoofer device's platform, or its NIC driver or hardware, is going to calculate the correct FCS for you if omit it or pad it with zeroes, then you probably have to figure that out first. My guess is that it will NOT fix it for you if you try to inject a packet without it set correctly, so you will probably need to calculate it yourself and insert the correct value at the end of your packet buffer before doing your bpf_write().
Second, I'm just eyeballing your hex dumps, but if I'm mentally decoding it correctly, your DiffServ field looks bogus. Default it to 0x00 instead of 0xff if you don't know what to do with it.
Third, your IP total length field looks bogus (zero). You probably need to calculate it and set it correctly. Be sure to do that before calculating your checksums.
Nothing else jumps out at me. So if I were you, I'd fix those three problems and try again.
add a comment |
First, Ethernet frames always have FCSes on the wire, but not all Ethernet NICs keep the FCS attached when they pass the received frame up to the host, which means your sniffer can't always see the FCS or know if it was valid or invalid.
So you need to get your FCSes right.
If you don't know for a fact that the version of BPF on your injector/spoofer device's platform, or its NIC driver or hardware, is going to calculate the correct FCS for you if omit it or pad it with zeroes, then you probably have to figure that out first. My guess is that it will NOT fix it for you if you try to inject a packet without it set correctly, so you will probably need to calculate it yourself and insert the correct value at the end of your packet buffer before doing your bpf_write().
Second, I'm just eyeballing your hex dumps, but if I'm mentally decoding it correctly, your DiffServ field looks bogus. Default it to 0x00 instead of 0xff if you don't know what to do with it.
Third, your IP total length field looks bogus (zero). You probably need to calculate it and set it correctly. Be sure to do that before calculating your checksums.
Nothing else jumps out at me. So if I were you, I'd fix those three problems and try again.
add a comment |
First, Ethernet frames always have FCSes on the wire, but not all Ethernet NICs keep the FCS attached when they pass the received frame up to the host, which means your sniffer can't always see the FCS or know if it was valid or invalid.
So you need to get your FCSes right.
If you don't know for a fact that the version of BPF on your injector/spoofer device's platform, or its NIC driver or hardware, is going to calculate the correct FCS for you if omit it or pad it with zeroes, then you probably have to figure that out first. My guess is that it will NOT fix it for you if you try to inject a packet without it set correctly, so you will probably need to calculate it yourself and insert the correct value at the end of your packet buffer before doing your bpf_write().
Second, I'm just eyeballing your hex dumps, but if I'm mentally decoding it correctly, your DiffServ field looks bogus. Default it to 0x00 instead of 0xff if you don't know what to do with it.
Third, your IP total length field looks bogus (zero). You probably need to calculate it and set it correctly. Be sure to do that before calculating your checksums.
Nothing else jumps out at me. So if I were you, I'd fix those three problems and try again.
First, Ethernet frames always have FCSes on the wire, but not all Ethernet NICs keep the FCS attached when they pass the received frame up to the host, which means your sniffer can't always see the FCS or know if it was valid or invalid.
So you need to get your FCSes right.
If you don't know for a fact that the version of BPF on your injector/spoofer device's platform, or its NIC driver or hardware, is going to calculate the correct FCS for you if omit it or pad it with zeroes, then you probably have to figure that out first. My guess is that it will NOT fix it for you if you try to inject a packet without it set correctly, so you will probably need to calculate it yourself and insert the correct value at the end of your packet buffer before doing your bpf_write().
Second, I'm just eyeballing your hex dumps, but if I'm mentally decoding it correctly, your DiffServ field looks bogus. Default it to 0x00 instead of 0xff if you don't know what to do with it.
Third, your IP total length field looks bogus (zero). You probably need to calculate it and set it correctly. Be sure to do that before calculating your checksums.
Nothing else jumps out at me. So if I were you, I'd fix those three problems and try again.
answered 2 hours ago
SpiffSpiff
77.8k10118163
77.8k10118163
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1412460%2fwhy-do-spoofed-dns-packets-get-ignored%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
what do you mean "genuine IP address 999.999.999.999"?
– Attie
10 hours ago
"genuine" shall mean "real", "true", "original" IP address. 999.999.999.999 is not a real IP address, I didn't want to use a real one. @Attie Is that the reason for the downvote?
– T.Meyer
10 hours ago
I didn't down vote... but you've asked so many questions, gone into depth in weird places, and made so many murky statements that this is very hard to respond to in its current state -
999.999.999.999
, "malicious", "Frame Check Sequence". etc... Try to cut out 80% of the content of your question, and focus on what your problem is, asking a single question if possible, and give examples.– Attie
9 hours ago
Look into things like HSTS and DKIM to understand why this might not be working for
facebook.com
... try using a random / non-existent domain to base your tests on initially.– Attie
9 hours ago
@T.Meyer this is the sort of thing you bring to a professor at a university, get an answer for an hour, and several pieces of homework just to address the questions in the original text. SuperUser is not the place to get the answers to this.
– Christopher Hostage
5 hours ago