
OS: Ubuntu 12.04 LTS
Software: dnsmasq
DNS Test:
- dig www.facebook.com @8.8.8.8 +short
- 37.61.54.158
On the Wikipedia page DNS cache poisoning, you can find that 37.61.54.158 is among the fake IP addresses, indicating that this DNS has been poisoned.
- dig www.facebook.com @208.67.222.222 –p 443
- 31.13.79.49
31.13.79.49 is the correct address for Facebook. Google’s DNS service does not support queries on non-standard ports, but OpenDNS does. Its IP addresses are 208.67.222.222 and 208.67.222.220, and it supports ports 443 and 5353.
In Ubuntu, we can use dnsmasq to route queries for poisoned IPs through non-standard ports.
Starting from Ubuntu 12.04, Network Manager enables dnsmasq by default, but its caching function is disabled for security reasons. This change caused some issues, at least for me, such as occasional slowdowns in network speed. After some experimentation, you can either completely disable the service, or configure it to use Google DNS while enabling dnsmasq’s local cache (which can greatly improve response speed when revisiting websites).
Method to completely disable it:
- sudo vim /etc/NetworkManager/NetworkManager.conf
Comment out the line dns=dnsmasq
Then restart the network manager
- sudo restart network–manager
Reinstall the full dnsmasq:
- sudo apt–get install dnsmasq
Then
- sudo vi /etc/resolv.conf
Ensure the content of resolv.conf is:
- nameserver 127.0.0.1
Then
- sudo vim /etc/dnsmasq.conf
Add the following directly at the end of the file:
- listen–address=127.0.0.1
- bind–interfaces
- cache–size=100000
- domain–needed
- resolv–file=/etc/resolv.dnsmasq
- server=/facebook.com/208.67.222.222#5353
Among them
- server=/facebook.com/208.67.222.222#5353
specifies that DNS requests for facebook.com should be sent to OpenDNS on port 5353, and you can extend this pattern.
This setting supports wildcard resolution, for example
- server=/com/208.67.222.222#5353
specifies it for all .com domains.
Restart dnsmasq:
- sudo service dnsmasq restart
Test DNS again:
- dig www.facebook.com +short
If it returns 31.13.79.49 or another IP not on the fake IP list, it was successful.
PS: Use the command
- ps –fC dnsmasq|more
to check and you’ll find that dnsmasq in Ubuntu stores its DNS settings in /var/run/dnsmasq/resolv.conf.
dnsmasq logs are recorded in /var/log/syslog.