DNS spoofing

DNS spoofing is applied to the dial-up network, as shown in Figure 36.

Figure 36: DNS spoofing application

The DNS proxy does not have the DNS server address or cannot reach the DNS server after startup. A host accesses the HTTP server in the following steps:

  1. The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.

  2. Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. Because no match is found, the device spoofs the host by replying a configured IP address. The device must have a route to the IP address with the dial-up interface as the output interface.

    The IP address configured for DNS spoofing is not the actual IP address of the requested domain name. Therefore, the TTL field is set to 0 in the DNS reply. When the DNS client receives the reply, it creates a DNS entry and ages it out immediately.

  3. Upon receiving the reply, the host sends an HTTP request to the replied IP address.

  4. When forwarding the HTTP request through the dial-up interface, the device performs the following operations:

    • Establishes a dial-up connection with the network.

    • Dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism.

  5. Because the DNS entry ages out immediately upon creation, the host sends another DNS request to the device to resolve the HTTP server domain name.

  6. The device operates the same as a DNS proxy. For more information, see "DNS proxy."

  7. After obtaining the IP address of the HTTP server, the host can access the HTTP server.

Without DNS spoofing, the device forwards the DNS requests from the host to the DNS server if it cannot find a matching local DNS entry. However, the device cannot obtain the DNS server address, because no dial-up connection is established. Therefore, the device cannot forward or answer the requests from the client. DNS resolution fails, and the client cannot access the HTTP server.