Local DNS Attack

In this lab, our goal is to attack a local DNS server. We will first set up an environment with the following two machines.

User (it432a)
Attacker (it432c)

Then, with our attacks, we will change the IP address of the domain info.cern.ch:

Before attack

The picture below shows the real page of http://info.cern.ch with Firefox on the user machine (it432a).

After attack

The picture below shows a fake page of http://info.cern.ch with Firefox on the user machine (it432a). It actually shows the web content of the attacker's web server.

Now, let's start with setting up the environment.

[10pts] Part 1: Disabling DNSSEC and Checking a Real Webpage

On the user machine (it432a), change the setting of Firefox as follows:

Disable IPv6. As shown the picture below, go to about:config and set the IPv6 related options accordingly.
Disable secure DNS. This time go to about:preferences and change the setting. In particular, turn off the option "enable secure DNS using:". This is a very powerful security measure to check the authenticity of the DNS server. Our attack won't work with this option.
Also disable the HTTPS-only option. In the preferences, search for "HTTPS".
After setting the options, use Firefox and go to http://info.cern.ch.

Submit

In the lab report:

Give a screen capture of the webpage http://info.cern.ch.
Run the following command and give its result in the report:
```
dig info.cern.ch
```

[10pts] Part 2: Setting Up the User Host (it432a)

We need to set up the user machine it432a so that its local DNS server is it432b. In particular, in it432a, perform the following steps.

In a terminal, execute the following command.
```
sudo nmcli con edit "Wired connection 1" 
```

In the interactive shell of nmcli, run the following commands one-by-one.

print
set ipv4.ignore-auto-dns yes
set ipv4.dns 192.168.172.5
save 
quit

In a terminal, execute the following command.
```
sudo service NetworkManager restart
```

Submit

To check whether this configuration is successful, run the following command in a terminal:

nmcli dev show | grep DNS

Give the results of the above command in the lab report to show that your work is successful.

[15pts] Part 3: Setting Up the Local DNS Server (it432b)

In it432b, we will install and set up bind9 program for the DNS service.

Install bind9:
```
sudo apt update
sudo apt install bind9
```

Change /etc/bind/named.conf.options as follows:

Comment out: // dns-validation auto; to turn off DNSSEC.
Add
```
dump-file "/var/cache/bind/dump.db";
```
to specify the file to dump the DNS cache.
Add
```
dns-validation no;
```
to turn off DNSSEC.

The file should look like as follows:

options {
        directory "/var/cache/bind";

        // ...(omitted) ...

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        
        // dnssec-validation auto;
        dump-file "/var/cache/bind/dump.db";
        dnssec-validation no;
        listen-on-v6 { any; };
};

After editing the file, run the following command to check if there is any error in the configuration file you changed:

named-checkconf

Flush the DNS cache and retart the DNS server.

sudo rndc dumpdb -cache
sudo rndc flush
sudo service bind9 restart

Power of the firewall at USNA

The firewall filters out all outgoing DNS requests. Try the following:

In it432a, run the following commands and make sure they work all fine:
```
dig info.cern.ch
```

You will see a timeout error. Host4 sent a DNS request to it432b, and it432b sent a DNS request to the root DNS server, but the reply will never come back.

Submit

Run the above dig command from it432a and show that it times out.

[40pts] Part 4: Spoofing the DNS Response to User

In this part, you (as an attacker) are supposed to create and send a fake DNS answer to the user's DNS requests. In particular,

In the attacker machine (i.e., it432c), sniff DNS requests from the user machine (i.e., it432a).
Given a DNS request from the user machine, create a fake response to the following domain name:
```
 info.cern.ch 
```
The actual IP address is 188.184.21.108, but set the IP address in your fake response to the following:
```
 192.168.172.6 
```
Note that this is the IP address of the attacker machine (i.e., it432c).

The execution result in it432a should look as follows:

it432a

choi@it432a:~$ sudo systemd-resolve --flush-cache
choi@it432a:~$ dig info.cern.ch

; <<>> DiG 9.16.1-Ubuntu <<>> info.cern.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;info.cern.ch.			IN	A

;; ANSWER SECTION:
info.cern.ch.		86400	IN	A	192.168.172.6

;; Query time: 71 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Aug 06 03:03:41 EDT 2022
;; MSG SIZE  rcvd: 57

Notes

The first command flushes the cache that dig uses. It will be helpful to flush it before running dig command. You will have trial and errors.
(Important) Start with the DNS sniffing code in the lecture on DNS. Now, instead of having the function (specified with prn argument) print the packet, your function has to craft and send a fake packet. The general code flow should be as follows:
```
def spoof(pkt): 
  ip = IP(...)
  udp = UDP(...)
  dns = DNS(...)
  pkt = ip/udp/dns
  send(pkt)
```
You will have to use as much information from pkt as possible to craft the packet successfully.
(Tip) For the sake of debugging, it may be helpful to print out some of the packet contents in the spoof function.

Submit

Your sniff-and-spoof code (as a separate file from the lab report).
Explain your sniff-and-spoof code in terms of how your code responds to it432a.
In the lab report, add the screen capture the results of the all the above commands to show that your work is successful.

[10pts] Part 5: Showing a Fake Webpage in a Web Browser

In the attacker machine (it432c):
- Install a web-server by running the following command:
```
sudo apt update
sudo apt install apache2
```
- Keeping running your sniff-and-spoof code.
In the user machine (it432a):
- Flush the dns resolver cache.
```
 sudo systemd-resolve --flush-cache
```
- With Firefox, go to http://info.cern.ch. (You probably need to refresh the page.)

Submit

In the lab report:

Show that Firefox pulls up a fake webpage.

[15pts] Part 6: Lab Report and Submission

Write a lab report by using the provided template (check the lab ground rules). The writing quality of the lab report matters.
- Convince the instructor that you actually performed all the work. Explain the process.
- Convince the instructor that you know what you're doing. Explain what you did and why you did it.
- Convince the instructor that your work is all successful. Add screenshots or logs as necessary.
Also submit your sniff-and-spoof programs.

~/bin/submit -c=IT432 -p=lab03 lab03_report.doc *.py

Recovering to the original setup

In it432a, perform the following steps.

In a terminal, execute the following command.
```
sudo nmcli con edit "Wired connection 1" 
```
In the interactive shell of nmcli, run the following commands one-by-one.
```
print
set ipv4.ignore-auto-dns no
set ipv4.dns 
save 
quit
```
In a terminal, execute the following command.
```
sudo service NetworkManager restart
```