This feature allows you to perform DNS spoofing attacks modifying DNS-Reply packets on the fly.


How it works

APR-DNS simply rewrites IP addresses in DNS-Reply packets. The sniffer extracts requested names from these packets and looks for an address association in the spoofing list. If there is a match, the packet is re-written using the relative spoofing IP address and then re-routed by APR engine. In this way the client that receives the spoofed reply is effectively redirected to the desired destination.


Only Type-A (Host Address) fields in DNS Reply packets are rewritten by the program. DNS compressed names are also supported. From more information on DNS protocol you can take a look at DNS RFCs.


This feature needs APR to be enabled and a Man-in-the-Middle condition between the DNS server and the victim host.


Because of the use of the Winpcap driver this feature cannot be used to rewrite DNS Replies destined to the local host. The Winpcap driver cannot not stop packets before they enter the local protocol stack so legitimate replies are always received from the local machine.


The list of requested names and relative spoofing IP addresses to be rewritten must be configured first. To add an entry to the APR-DNS list you can press the "Insert" button on the keyboard or click the icon with the blue + on the toolbar. You can enable/disable an entry using the check boxes in the first column. The "#Resp. Spoofed" column indicates the number of responses rewritten by the program for the specified DNS name.