Lab 08: DNS

1. Overview
In this lab, students will explore several aspects of DNS by experimenting with nslookup,
examining DNS request/response messages with scapy, and writing code for DNS spoofing.
Students will also look closely at DNS server configuration (zone files and resource record
declarations) and, finally, at the client-side configuration that makes the resolver use the local DNS server correctly.

2. Objectives
This lab aims to give students the ability to:

a) Use nslookup to check various DNS record types.
b) Explore DNS Query and Response messages with scapy.
c) Write a Python program demonstrating DNS spoofing.
d) Configure a docker container to run as a DNS server that enables access by name to any other
container in the docker-container set.

3. Lab Environment preparation


a) The nslookup tasks can be conducted on the host machine with Wireshark installed.
b) The task that explores the DNS Query and Response messages can be conducted with the Hftpd-slim
docker container set.

Important notes:

On some systems the apache-server container might fail to start because the newline characters in the
script file are encoded differently. When that happens, follow the steps below to fix it:

o Open file run.sh in folder apache\Dockerfiles in VSCode.
o Click CRLF on the status bar and choose LF to change the way newlines are encoded.
o Save the file.
o Rebuild the image with docker-compose build.

To enable sniffing and display the packet fields, remember to set the iface parameter to the
correct interface name in sniffer-host.

4. Tasks
4.1. nslookup

Refer to this link for checking various DNS record types with examples:
How to Use Nslookup Windows Command (11 Examples) - Active Directory Pro
And this link for 10 popular nslookup uses:
https://www.cloudns.net/blog/10-most-used-nslookup-commands/
a. On your host machine, start nslookup. What is the IP address of the default DNS server? At the
nslookup prompt, get the IP addresses of Microsoft.com, google.com, hcmute.edu.vn, ...
b. The command nslookup -type=<type> <domain> gets information about a particular domain,
where <type> can be replaced with MX (mail exchange server), NS (name server), SOA
(Start of Authority), ANY (everything), ...
Using the above nslookup command, get information about the name server (NS), mail
server (MX) and SOA of the domains hcmute.edu.vn and hcmut.edu.vn. Comment on what
you have observed.
c. Try nslookup -type=any vietnamnet.vn and explain what you have observed.

4.2 Examine DNS Query and Response message:

To do this task, students must read the document that came along with this lab, “DNS message – How
to read query and response message”, or follow this link.
a. Attach to the console of the client-host container.
b. Install scapy:
# apk add scapy
c. Start scapy.
d. Execute ls(DNS), ls(DNSQR), ls(DNSRR) to identify fields of DNS, DNSQR (DNS Query
Record), DNSRR (DNS Resource Record) packets.
e. We will build a DNS query to Google's public resolver for the resource records of a particular
domain, namely www.google.com (you are free to choose any other domain name for the
query):
>>> ip = IP(dst='8.8.8.8')
>>> udp = UDP(dport=53)
>>> dns=DNS(rd=1,qd=DNSQR(qname="www.google.com"))
>>> qry=ip/udp/dns
>>> qry
<IP frag=0 proto=udp dst=8.8.8.8 |<UDP sport=domain dport=domain |<DNS rd=1 qd=<DNSQR
qname='www.google.com' |> |>>>
The query is then sent with the sr1 function (send/receive one):
>>> an=sr1(qry)
Begin emission:
Finished sending 1 packets.
..*
Received 3 packets, got 1 answers, remaining 0 packets
Print out the response message:
>>> an
<IP version=4 ihl=5 tos=0x0 len=76 id=58717 flags=DF frag=0 ttl=63 proto=udp chksum=0x8fbf
src=8.8.8.8 dst=172.16.10.100 |<UDP sport=domain dport=domain len=56 chksum=0xc6cd |<DNS
id=0 qr=1 opcode=QUERY aa=0 tc=0 rd=1 ra=1 z=0 ad=0 cd=0 rcode=ok qdcount=1 ancount=1
nscount=0 arcount=0 qd=<DNSQR qname='www.google.com.' qtype=A qclass=IN |> an=<DNSRR
rrname='www.google.com.' type=A rclass=IN ttl=231 rdlen=None rdata=142.251.42.228 |> ns=None
ar=None |>>>

f. Replace the qtype field in the DNSQR layer with another resource record type, namely NS:
>>> qry[DNSQR].qtype='NS'
Then resend the new DNS query:
>>> an = sr1(qry)
What do you observe in the DNS response message? Give your comments.
g. Set the qname field in the DNSQR layer to other domain values, namely hcmute.edu.vn and vietnamnet.vn, then
resend those messages. Comment on the response messages.
4.3. Writing code to display the DNS Query, DNS Response

Look carefully at the DNS message fields, then add code to the sniff3.py program to print out the DNS query
and the DNS response as shown below.

For DNSQR with qname='www.google.com', output from sniff3.py should be:

IP: 172.16.10.100 --> 8.8.8.8 UDP port: 53 --> 53
DNS query name=b'www.google.com.'
IP: 8.8.8.8 --> 172.16.10.100 UDP port: 53 --> 53
DNS answer: 142.251.43.4
For DNSQR with qname='vietnamnet.vn', output from sniff3.py should be:
IP: 172.16.10.100 --> 192.168.65.7 UDP port: 53243 --> 53
DNS query name=b'vietnamnet.vn.'
IP: 172.16.10.100 --> 192.168.65.7 UDP port: 50929 --> 53
DNS query name=b'vietnamnet.vn.'
IP: 192.168.65.7 --> 172.16.10.100 UDP port: 53 --> 53243
DNS answer: 202.134.19.38
202.134.19.16
202.134.19.181
202.134.19.135
202.134.19.64

4.4. DNS spoofing with scapy

DNS spoofing is a type of cyberattack that exploits the Domain Name System. The attacker intercepts
DNS queries and sends fake responses that redirect the victim to a malicious website.

For this task, the sniffing-host will send responses carrying the spoofed IP address of the apache-server
container whenever it sees DNS queries from client-host.

Write a dns_spoof.py program to demonstrate this: any web access from client-host will be redirected to
the apache-server home page.
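
Seen from the client side, this kind of spoofing leaves a trace: the real resolver's reply still arrives, so one query receives two responses with different answers. The following detection sketch is an added example, not part of the lab handout; the record layout, the resp and find_conflicting_answers names, the 2-second window and the sample data (including the documentation address 192.0.2.80) are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 2.0  # seconds; assumed upper bound on a resolver round trip

def resp(time, txid, qname, ttl, answers, dport=53243):
    """Build one observed DNS response record (constructed sample data)."""
    return {"time": time, "src": "8.8.8.8", "dst": "172.16.10.100",
            "dport": dport, "id": txid, "qname": qname, "ttl": ttl,
            "answers": answers}

def find_conflicting_answers(responses, window=WINDOW):
    """Return one alert per query that received differing answers."""
    by_query = defaultdict(list)
    for r in responses:
        # A client matches a response to its query by its own address and
        # port, the transaction ID and the question name: group on those.
        key = (r["dst"], r["dport"], r["id"], r["qname"].lower())
        by_query[key].append(r)

    alerts = []
    for key, group in by_query.items():
        group.sort(key=lambda r: r["time"])
        first = group[0]
        for later in group[1:]:
            if later["time"] - first["time"] > window:
                break                      # too late to belong to this query
            if set(later["answers"]) != set(first["answers"]):
                alerts.append({"client": key[0], "id": key[2], "qname": key[3],
                               "first": sorted(first["answers"]),
                               "later": sorted(later["answers"]),
                               "ttl_gap": abs(later["ttl"] - first["ttl"])})
                break
    return alerts

# Constructed capture: the first query gets two different answers 33 ms apart;
# the second gets a harmless identical duplicate and must not alert.
SAMPLE = [
    resp(10.001, 0x1A2B, "www.google.com.", 10, ["192.0.2.80"]),
    resp(10.034, 0x1A2B, "www.google.com.", 231, ["142.251.42.228"]),
    resp(11.500, 0x3C4D, "vietnamnet.vn.", 60, ["202.134.19.38"], dport=50929),
    resp(11.502, 0x3C4D, "vietnamnet.vn.", 60, ["202.134.19.38"], dport=50929),
]

if __name__ == "__main__":
    for alert in find_conflicting_answers(SAMPLE):
        print(alert)
```

The source address is the same in every record on purpose: a forged reply carries the resolver's address, so the source IP alone cannot separate the two responses.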

4.5. Setup DNS server for the whole docker-container Hftpd-slim domain

To accomplish this task, students must read, among other material, this article and the
accompanying document.

You will learn how to configure a DNS server on an Ubuntu Linux container. You will use the BIND
software to set up a DNS server and create some zone files for your own docker-container set
domain. You will also test your DNS server by querying it from another machine. This task will help
you understand how DNS works and how to troubleshoot common DNS issues.

The domain name for the container set is nees.com.
