STATION ID - 7047/3.12 3/4/98 9x Datakit Network

FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official 9x business only. Anyone using this system, network or data is subject to being monitored at any time for system administration and for identifying unauthorized users or system misuse. Anyone using this system expressly consents to such monitoring and is advised that any evidence of criminal activity revealed through such monitoring may be provided to law enforcement for prosecution.

9x

How DNS Spoofing Really Works
By: quiksilver

About quiksilver: Well, I noticed all the other 9x members put one of these in, so I might as well too. I'm from New Jersey. 201 0wns. I don't have a degree in journalism or anything, so if you can't read this, well then that's life. If you need to talk to me, get on EFNet and join #9x.

Greets: 9x members, c3l, AgntOrng, doomd, sed, Substance, T5-r, efpee, and the rest of you HPers out there. Sorry if I forgot anyone.

NOTE: This article is just going to explain how DNS Spoofing works.

DNS Spoofing

DNS stands for Domain Name Server. Computers like to use numbers and people like to use names. DNS lets us refer to machines by name instead of by numeric address. A DNS server is a computer that has a name server daemon listening on UDP port 53. Well, you may be saying "what's a UDP port?" UDP stands for User Datagram Protocol. It would take me a while to explain this, and I think it is stated very well at http://ds.internic.net/rfc/rfc768.txt. A port is basically a number in the range between 2 and 2^16 (65536 for you math wizes) which decides which program should get a UDP packet upon receipt. You must have your domain name registered with InterNIC in order to set it up. InterNIC basically maintains the domain name database. InterNIC also tells its "customers" who has authority over the registered domain, and it also controls all the top-level DNS servers. Think of top-level DNS servers as .root-servers.net.
Here is an example. Let's say that 1.1.1.1 wanted to resolve the address for 9x.org, and 1.1.1.1's name server is 2.2.2.2. So, 1.1.1.1 would ask 2.2.2.2 what the IP (Internet Protocol) address for 9x.org was. 2.2.2.2 would find out who had authority over 9x.org; of course, 2.2.2.2 would have to ask InterNIC. InterNIC may tell 2.2.2.2 that nameserver.9x.org has authority over 9x.org. 2.2.2.2 would then ask nameserver.9x.org what the IP for 9x.org was. nameserver.9x.org may say the IP for 9x.org is 1.2.1.2. Then the address is resolved.

Suppose we wanted to know the IP for 9x.org again: 1.1.1.1 would ask 2.2.2.2, and 2.2.2.2 would simply reply 1.2.1.2 from its cache without going through the above process. 2.2.2.2 does not really check whether the nameserver that replies to its query is the one it asked; it just tells 1.1.1.1 what it was told, and this is why we can spoof.

That was basically how DNS works; now I will explain how the spoofing works. Suppose nameserver.9x.org wants to cache its address as 3.3.3.3 on the remote nameserver nameserver.nineX.net, and then connect to nineX.net with the hostname 9x.nineX.net. Now, you find a program that watches for DNS queries and replies with false information. nameserver.9x.org will tell nameserver.nineX.net that the reverse of 3.3.3.3 is 9x.nineX.net and the hostname of 3.3.3.3 is 9x.9x.org (remember, nameserver.9x.org has authority over 9x.org). Then, if you were to connect to nineX.net from 3.3.3.3, nineX.net would ask nameserver.nineX.net what the reverse was for 3.3.3.3. Because of the neato thing called cache, nameserver.nineX.net would respond 9x.nineX.net. Finally, you would be on nameserver.nineX.net as 9x.nineX.net.

NOTE: I had written this article a long while back. I patched it up a lot and added some more details. I think I might have posted it on USENET or sumtin, but oh well, read this one, it's better.
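As an added defensive example (not from the original article): the nineX.net side could have caught the spoof above with a forward-confirmed reverse lookup, that is, resolving the PTR name back to its A records and trusting the name only if one of them is the connecting IP. The resolver here is a constructed in-memory table standing in for the poisoned cache of nameserver.nineX.net; the 4.4.4.4 address for the real 9x.nineX.net host is an assumption, not from the article.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for the article's scenario.

Added example, not part of the original text. The resolver is a constructed
in-memory table standing in for nameserver.nineX.net, so it runs offline.
"""
from typing import Callable, Dict, List, Set

# Constructed cache contents of nameserver.nineX.net after the spoof:
# the PTR for 3.3.3.3 has been poisoned to claim 9x.nineX.net, while the
# zone's own A record for 9x.nineX.net still points at the real host
# (4.4.4.4 is an assumed value for illustration).
CONSTRUCTED_CACHE: Dict[str, List[str]] = {
    "PTR 3.3.3.3": ["9x.nineX.net"],   # poisoned reverse record
    "A 9x.nineX.net": ["4.4.4.4"],     # real forward record (constructed)
    "PTR 1.2.1.2": ["9x.9x.org"],      # legitimate reverse record
    "A 9x.9x.org": ["1.2.1.2"],        # legitimate forward record
}

# A resolver takes (record type, name) and returns the matching data.
Resolver = Callable[[str, str], List[str]]

def table_resolver(rrtype: str, name: str) -> List[str]:
    """Look up 'rrtype name' in the constructed cache; [] means NXDOMAIN."""
    return CONSTRUCTED_CACHE.get(f"{rrtype} {name}", [])

def fcrdns_hostname(ip: str, resolve: Resolver = table_resolver) -> str:
    """Return a hostname for ip only if the forward lookup confirms it.

    1. PTR lookup: ip -> candidate names (attacker-influenced).
    2. A lookup of each candidate: name -> addresses (answered by the
       zone that actually owns the name).
    3. Accept a name only if ip appears among its addresses.
    Otherwise the bare IP is returned, so no spoofed name is ever trusted.
    """
    for name in resolve("PTR", ip):
        if ip in resolve("A", name):
            return name
    return ip  # no confirmed name: fall back to the address itself

def is_trusted_host(ip: str, trusted: Set[str],
                    resolve: Resolver = table_resolver) -> bool:
    """Host-based trust decision that uses the confirmed name, not the PTR."""
    return fcrdns_hostname(ip, resolve) in trusted

if __name__ == "__main__":
    print(fcrdns_hostname("3.3.3.3"))                     # 3.3.3.3 (spoof rejected)
    print(fcrdns_hostname("1.2.1.2"))                     # 9x.9x.org
    print(is_trusted_host("3.3.3.3", {"9x.nineX.net"}))  # False
```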