DNS Cache Poisoning Attack Demo
===============================
This project is to investigate and reproduce the DNS Cache Poisoning Attack within an isolated network environment using docker. The demo shows an adversary to spoof the DNS answer of google.com and direct to the adversary's malicious IP address.
Quickstart
Prerequisities
You will need Docker and Docker Compose installed for this project.
Build
docker-compose build
docker-compose up
Upon running, the DNS resolver and upstream DNS server will start listening on port 53.
Attack
attacker
1. Into the container docker exec -it attacker bash
2. Launch the attack script
python attack.py google.com 10.0.0.4
3. Impact
As the output of the container dns
shows, a fake DNS record has been successfully written into cache. It can be verified by using dig in the victim's container.
First get into victim
's container:
docker exec -it victim bash
In the container:
dig google.com
It shows that in the answer section, the record is pointing to the adversary's IP address (10.0.0.4).
Debriefing
Project Architecture
Four containers are used in this project:
DNS
(10.0.0.2
): A vulnerable DNS resolver
Victim
(10.0.0.3
): A victim host for proving the attack
Attacker
(10.0.0.4
): The adversary who will launch the attack
Upstream DNS
(10.0.0.5
): Plays the role of an upstream DNS server
10.0.0.2
)
DNS Cache Server (This is a simple DNS resolver developed to fully examine the attack process. It first looks at the cache stored and returns the cache if there is. Otherwise, it will forward the request to the upstream DNS server, waiting for responses.
As the objective of this project is only to investigate the attack itself, the Query ID (QID) for requesting is always set to range from 10000 to 10050, and the source port is fixed to 22222 to avoid launching a birthday attack, which is not the goal of this project.
Once received the response, it will validate if two QIDs match and then send the answer to the client.
10.0.0.5
)
Upstream DNS (A local authoritative DNS is set up to take the place of upstream DNS servers to always respond DNS requests with IP 1.2.3.4
10.0.0.4
)
Attacker (The adversary first sends a DNS query to the DNS cache server (10.0.0.2
), so the server will send a DNS request to the upstream server and begin accepting responses. Then it sends DNS answers trying all possible QID from the destination impersonating the upstream server (10.0.0.5
) to the cache server (10.0.0.2
).
An attack script (/attacker/attack.py
) is thereby created.
Usage:
python attack.py [target domain] [spoofed IP]
License
This was initially developed for CS 4404 Network Security B20 as a part of Mission 2 for Team 13 and is licensed under the MIT License. However, you may NOT directly use this repository if you are taking the same course as a student as per Academic Integrity Policy.