If a DNS sniffer/spoofer is running on a network using something like netwag/netwox, how does the sniffer see the request that is destined for the real DNS server?

Wouldn't the packets for the DNS request be routed only to the DNS server? Why would they be broadcast to other addresses on the network so that the sniffer can see the request?

1 Answer

Why would they be broadcast to other addresses on the network so that the sniffer can see the request?

They don't. Like a normal tcpdump, these tools have to be used in places that are in the path of the packets, such as on the router. Or they could be used on the mirror port of a switch where the packets come through.

  • I have a LAN of virtual machines. One has netwag running on it and it can see the DNS requests sent from another virtual machine.
    – CJ7
    Commented Aug 25, 2021 at 5:59
  • @CJ7: While the details you provide are very few, it might be that the Soft-Switch of the virtualization environment is broadcasting the packets to all connected VMs, similar to how a classic hardware hub did. Commented Aug 25, 2021 at 6:09
  • It is 3 VMs using VMware, all with 'NAT' as the network setting. I have Wireshark running on all 3 VMs. Whenever any machine does a DNS request, such as by doing a ping, I can see the packets on any of the machines. I agree it is probably something like what you said – but I would like to know exactly what is happening.
    – CJ7
    Commented Aug 25, 2021 at 9:19
  • @CJ7: Looks like it is a feature that the guest OS can capture all the traffic; see kb.vmware.com/s/article/1000880 Commented Aug 25, 2021 at 10:08
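
Added example, not part of the original answer or comments: a Python check that can be run over captured frames to tell why a capturing host saw a given DNS query, by comparing the frame's destination MAC with the capturing NIC's own. It assumes untagged Ethernet II, IPv4 and UDP; the function names, MAC addresses and IP addresses are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_dns_frame(frame: bytes, my_mac: bytes):
    """Return (delivery, qname) for an Ethernet/IPv4/UDP DNS query, else None."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4 over Ethernet II
    dst, ip = frame[:6], frame[14:]
    if (ip[0] >> 4) != 4 or (ip[0] & 0x0F) < 5 or ip[9] != 17:
        return None                                  # not IPv4, bad IHL, or not UDP
    udp = ip[(ip[0] & 0x0F) * 4:]                    # skip IP header (IHL is in 32-bit words)
    if len(udp) < 8 + 12 or struct.unpack("!H", udp[2:4])[0] != 53:
        return None                                  # too short, or not sent to port 53
    dns = udp[8:]
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount < 1:
        return None                                  # a response, or no question section
    labels, i = [], 12
    while i < len(dns) and dns[i] != 0:              # walk the length-prefixed labels
        n = dns[i]
        if n & 0xC0 or i + 1 + n > len(dns):
            return None                              # compression pointer or truncated name
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    if i >= len(dns):
        return None                                  # missing root terminator
    if dst == my_mac:
        delivery = "addressed-to-this-nic"
    elif dst == BROADCAST:
        delivery = "broadcast"
    elif dst[0] & 1:
        delivery = "multicast"
    else:
        delivery = "foreign-unicast"                 # seen only via flooding, mirroring or in-path capture
    return delivery, ".".join(labels)

def build_query_frame(dst_mac: bytes, src_mac: bytes, name: str) -> bytes:
    """Constructed sample input: one DNS A query (checksums left as 0)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 10, 11]), bytes([192, 168, 10, 2])) + udp
    return dst_mac + src_mac + b"\x08\x00" + ip

if __name__ == "__main__":
    sniffer, client, resolver = (bytes.fromhex(h) for h in
                                 ("020000000001", "020000000002", "020000000003"))
    frame = build_query_frame(resolver, client, "example.com")
    print(classify_dns_frame(frame, my_mac=sniffer))   # frame was not addressed to the sniffer
    print(classify_dns_frame(frame, my_mac=resolver))  # same frame, seen by its real destination
```

A "foreign-unicast" result on a host that is neither the client nor the resolver means the switch (physical or virtual) delivered a frame to a port other than the destination's, which is the hub-like behaviour discussed in the comments.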
