Fixing DNS Poisoning and Hijacking Using Non-Standard DNS Ports

OS: Ubuntu 12.04 LTS

Software: dnsmasq

DNS Test:

  1. dig www.facebook.com @8.8.8.8 +short
  2. 37.61.54.158

On the Wikipedia page DNS cache poisoning, you can find that 37.61.54.158 is among the fake IP addresses, indicating that this DNS has been poisoned.

  1. dig www.facebook.com @208.67.222.222 p 443
  2. 31.13.79.49

31.13.79.49 is the correct address for Facebook. Google’s DNS service does not support queries on non-standard ports, but OpenDNS does. Its IP addresses are 208.67.222.222 and 208.67.222.220, and it supports ports 443 and 5353.

In Ubuntu, we can use dnsmasq to route queries for poisoned IPs through non-standard ports.

Starting from Ubuntu 12.04, Network Manager enables dnsmasq by default, but its caching function is disabled for security reasons. This change caused some issues, at least for me, such as occasional slowdowns in network speed. After some experimentation, you can either completely disable the service, or configure it to use Google DNS while enabling dnsmasq’s local cache (which can greatly improve response speed when revisiting websites).

Method to completely disable it:

  1. sudo vim /etc/NetworkManager/NetworkManager.conf

Comment out the line dns=dnsmasq
Then restart the network manager

  1. sudo restart networkmanager

Reinstall the full dnsmasq:

  1. sudo aptget install dnsmasq

 Then

  1. sudo vi /etc/resolv.conf

 Ensure the content of resolv.conf is:

  1. nameserver 127.0.0.1

 Then

  1. sudo vim /etc/dnsmasq.conf

Add the following directly at the end of the file:

  1. listenaddress=127.0.0.1
  2. bindinterfaces
  3. cachesize=100000
  4. domainneeded
  5. resolvfile=/etc/resolv.dnsmasq
  6. server=/facebook.com/208.67.222.222#5353

 Among them

  1. server=/facebook.com/208.67.222.222#5353

specifies that DNS requests for facebook.com should be sent to OpenDNS on port 5353, and you can extend this pattern.
This setting supports wildcard resolution, for example

  1. server=/com/208.67.222.222#5353

specifies it for all .com domains.

Restart dnsmasq:

  1. sudo service dnsmasq restart

 Test DNS again:

  1. dig www.facebook.com +short

 If it returns 31.13.79.49 or another IP not on the fake IP list, it was successful.


PS: Use the command

  1. ps fC dnsmasq|more

 to check and you’ll find that dnsmasq in Ubuntu stores its DNS settings in /var/run/dnsmasq/resolv.conf.
dnsmasq logs are recorded in /var/log/syslog.

Leave a Comment

Your email address will not be published.