DNS欺骗劫持与防御策略

环境拓扑

基本配置

接口IP与默认路由配置

R1

 <Huawei>sys
 [Huawei]sys R1
 [R1]undo info en
 [R1]int g0/0/0
 [R1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
 [R1-GigabitEthernet0/0/0]q
 [R1]int g0/0/1
 [R1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
 [R1-GigabitEthernet0/0/1]q
 [R1]rip 1
 [R1-rip-1]version 2
 [R1-rip-1]network 192.168.1.0
 [R1-rip-1]network 192.168.2.0
 [R1-rip-1]q
 [R1]ip route-static 0.0.0.0 0.0.0.0 192.168.2.2

R2

 <Huawei>sys
 [Huawei]sys R2
 [R2]undo info en
 [R2]int g0/0/0
 [R2-GigabitEthernet0/0/0]ip add 192.168.2.2 24
 [R2-GigabitEthernet0/0/0]q
 [R2]int g0/0/1
 [R2-GigabitEthernet0/0/1]ip add 172.16.1.1 24 
 [R2-GigabitEthernet0/0/1]q
 [R2]int s2/0/0
 [R2-Serial2/0/0]ip add 202.116.64.1 2
 [R2-Serial2/0/0]q
 [R2]rip 1
 [R2-rip-1]version 2 
 [R2-rip-1]network 192.168.2.0
 [R2-rip-1]network 192.16.0.0
 [R2-rip-1]q
 [R2]ip route-static 0.0.0.0 0.0.0.0 serial 2/0/0

R3

 <Huawei>sys
 [Huawei]sys R3
 [R3]undo info en
 [R3]int s2/0/0
 [R3-Serial2/0/0]ip add 202.116.64.2 24
 [R3-Serial2/0/0]q
 [R3]int g0/0/0
 [R3-GigabitEthernet0/0/0]ip add 203.203.100.1 24
 [R3-GigabitEthernet0/0/0]q
 [R3]

路由器R2 Rasy-IP 配置

 [R2]acl 2000
 [R2-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
 [R2-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
 [R2-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.255
 [R2-acl-basic-2000]q
 [R2]int s2/0/0
 [R2-Serial2/0/0]nat outbound 2000
 [R2-Serial2/0/0]q
 [R2]

配置R2路由器DHCP服务 给技术部和工程部主机分配IP地址

 [R2]dhcp enable 
 [R2]ip pool jishu
 [R2-ip-pool-jishu]network 192.168.1.0 mask 24
 [R2-ip-pool-jishu]gateway-list 192.168.1.1 
 [R2-ip-pool-jishu]dns-list 192.168.2.254
 [R2-ip-pool-jishu]excluded-ip-address 192.168.1.2 192.168.1.9
 [R2-ip-pool-jishu]q
 ​
 [R2]ip pool gongcheng
 [R2-ip-pool-gongcheng]network 172.16.1.0 mask 24
 [R2-ip-pool-gongcheng]gateway-list 172.16.1.1
 [R2-ip-pool-gongcheng]dns-list 192.168.2.254
 [R2-ip-pool-gongcheng]excluded-ip-address 172.16.1.2 172.16.1.9
 [R2-ip-pool-gongcheng]q
 ​
 [R2]int g0/0/0
 [R2-GigabitEthernet0/0/0]dhcp select global
 [R2-GigabitEthernet0/0/0]q
 [R2]

 [R1]dhcp enable 
 [R1]int g0/0/0
 [R1-GigabitEthernet0/0/0]dhcp select relay
 [R1-GigabitEthernet0/0/0]dhcp relay server-ip 192.168.2.2
 [R1-GigabitEthernet0/0/0]q
 [R1]

配置百度服务器HttpServer

配置DNS Server

基本配置验证

技术部主机PC2 ping DNS服务器server1

技术部主机PC2 ping baidu.com

入侵实战

网络拓扑结构图

伪造DHCP服务器R4配置

 <Huawei>sys
 [Huawei]sys R4
 [R4]undo info en
 [R4]int g0/0/0
 [R4-GigabitEthernet0/0/0]ip add 192.168.1.9 24
 [R4-GigabitEthernet0/0/0]q
 [R4]dhcp enable 
 [R4]ip pool forget
 [R4-ip-pool-forget]network 192.168.1.0 mask 24
 [R4-ip-pool-forget]gateway-list 192.168.1.1
 [R4-ip-pool-forget]dns-list 192.168.1.8
 [R4-ip-pool-forget]q
 [R4]int g0/0/0
 [R4-GigabitEthernet0/0/0]dhcp select global
 [R4-GigabitEthernet0/0/0]q
 [R4]

伪造DHCP服务器配置

arp欺骗

将pc3的IP地址改为pc2的IP地址去ping baidu.com

防御策略

1.查看路由器R1的GE0/0/0接口(网关接口)MAC地址

2.在交换机SW1上绑定网关与MAC地址映射关系

 <Huawei>sys
 Enter system view, return user view with Ctrl+Z.
 [Huawei]sys SW1
 [SW1]undo info en
 [SW1]user-bind static ip-address 192.168.1.1 MAC-address 00e0-fc81-6ae8
 [SW1]user-bind static ip-address 192.168.1.1 MAC-address 00e0-fc81-6ae8 int g0/0/3 vlan 1
 [SW1]vlan 1
 [SW1-vlan1]arp anti-attack check user-bind enable 
 [SW1-vlan1]q
 [SW1]

任务总结

1.DNS欺骗劫持事件仅发生在局域网内。在IP规划时可通过可变长子网(VLSM)将一个网段划分成多个子网,限制广播域范围以减少此类攻击事件发生

2.DNS欺骗不属于病毒木马,不能通过安装防病毒软件避免此类攻击

3.计算机DNS缓存表不会立刻刷新,需等待一段时长.如需手动刷新,命令为ipconfig /flushdns