ShaneGibson posted this little gem to the mailing list.

On 3 Apr 2002, AdamShand wrote:
{{{
> The only problem I can see with this is that without an uplink to the
> internet so DNS works you (and any clients) will have to go directly
> to the gateway by IP address in order to get the splash page, otherwise
> you'll hang indefinitely waiting for the DNS to resolve.
>
> I've been thinking about twiddling around with a DNS server and seeing
> if I can figure out how to get a DNS server to always respond to any DNS
> query with its own IP address for situations like this.
>
> I think dnsmasq might do it, or otherwise you could probably do it by
> replacing the root.cache file in your bind setup but I haven't actually
> done it to see what caveats may exist.
}}}

We do DNS spoofing in our QA network environment. Since the QA data utilizes production data in its environment, we don't want stuff leaking out to the outside world by accident. So we ensure that all DNS resolution for "real" domains is spoofed by our internal DNS. We also block outbound data via the firewall, but just in case... This is essentially what Adam is talking about above (or one approach to the issue). Here's how we do it. (Note: IPs have been changed to protect the not-so-innocent!)

In your /etc/named.conf

{{{
/* named runs chroot'ed to /var/named */
options {

zone "." {

zone "localhost" {

zone "" {

zone "" {
}}}

The important file is root.db and needs to look like this:

{{{
$TTL 1h
.       IN SOA (

.       IN A
.       IN MX 10
*.      IN CNAME .
}}}

This simply wildcards all lookups to resolve locally, and we now have spoofed everything. Works like a charm for us. May be of some use in the above proposed setup.

{{{
> Hrm, interesting. What the hell does the "." and ".*" mean in the left
> hand column? I assume that the CNAME is the magic ... hrm ... this just
> confuses me. I'll have to just go think about it some more. :)
}}}

"." is the "I'm the Top Level Domain". Instead of going out to the "" (or whatever root servers you specify), we're saying...dammit...I'm the ROOT server for the Internet.

The "*." is a wildcard, that says, anything you wanna resolve, I'll resolve to me ("." on the RHS), which is the address.

If you had other DNS servers that you also wanted to tie into this config, you would have to configure their named.root file appropriately, like:

{{{
.       3600000  IN NS
        3600000  A
}}}

Then, you'd have yourself a nice little containerized environment, where you're spoofing EVERYTHING to be whatever you want (i.e. in this case). Obviously, all clients would have to use the "" or other appropriately config'd DNS servers as their Resolvers.
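The post above redacts the IPs and most of the zone contents, so as an added example (not part of Shane's post or the wiki's own config) here is a small Python model of how an authoritative server answers from a zone shaped like that root.db: the `*.` wildcard, the CNAME chase to `.`, and the caveat that any name which exists explicitly (the separate localhost zone in the post; an explicit `localhost.` record in this model) blocks the wildcard for everything underneath it, so `x.localhost` gets NXDOMAIN rather than the gateway address. The zone text, the `gateway.` names and the 10.0.0.1 address are constructed placeholders for the values the post removed.

```python
"""Model of the 'spoof everything' root zone from the post above.

Added example, not from the original post. ZONE_TEXT and the 10.0.0.1
gateway address are constructed stand-ins for the values the post
redacted; the resolver below is a small model of RFC 1034 wildcard and
CNAME handling, not BIND itself.
"""

# Constructed zone: same shape as the post's root.db, with the redacted
# fields filled in by placeholder values. localhost is folded into the
# same zone here to model the post's separate localhost zone: explicit
# data always beats the wildcard.
ZONE_TEXT = """\
$TTL 1h
.           IN SOA   ns.gateway. hostmaster.gateway. 2002040301 3600 900 604800 3600
.           IN A     10.0.0.1
.           IN MX 10 .
*.          IN CNAME .
localhost.  IN A     127.0.0.1
"""


def parse_zone(text):
    """Return {owner: [(type, rdata), ...]} from master-file lines.

    Supports only what the example zone uses: $TTL, an optional TTL
    column, class IN, and rdata as the remaining tokens joined by spaces.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():      # optional TTL column
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.setdefault(owner, []).append((rtype, " ".join(tokens)))
    return records


def name_exists(records, name):
    """A name exists if it owns data or is an ancestor of an owner name
    (an empty non-terminal); the root always exists."""
    if name == "." or name in records:
        return True
    return any(owner.endswith("." + name) for owner in records)


def ancestors(name):
    """Yield the proper ancestors of `name`, closest first, ending at '.'."""
    labels = [l for l in name.split(".") if l]
    for i in range(1, len(labels) + 1):
        yield ".".join(labels[i:]) + "." if labels[i:] else "."


def lookup_rrsets(records, qname):
    """RRs at qname under RFC 1034 wildcard rules.

    Explicit data wins. Otherwise the closest existing ancestor decides:
    its '*' child answers, and a wildcard higher up never applies."""
    if qname in records:
        return records[qname]
    if name_exists(records, qname):             # exists but owns no data
        return []
    for anc in ancestors(qname):
        if name_exists(records, anc):
            wild = "*." if anc == "." else "*." + anc
            return records.get(wild, [])        # [] models NXDOMAIN
    return []


def resolve(records, qname, qtype, max_chain=8):
    """Answer like an authoritative server: a list of (owner, type, rdata),
    following CNAMEs until a record of qtype is found."""
    qname = qname if qname.endswith(".") else qname + "."
    qtype = qtype.upper()
    answer, seen = [], set()
    while qname not in seen and len(seen) < max_chain:
        seen.add(qname)
        rrs = lookup_rrsets(records, qname)
        wanted = [(qname, t, d) for t, d in rrs if t == qtype]
        if wanted:
            return answer + wanted
        cnames = [d for t, d in rrs if t == "CNAME"]
        if not cnames or qtype == "CNAME":
            return answer                       # empty: NODATA / NXDOMAIN
        answer.append((qname, "CNAME", cnames[0]))
        qname = cnames[0]
    return answer


def spoofed_address(records, name):
    """The IPv4 address `name` ends up at after the CNAME chase, or None."""
    a = [d for _, t, d in resolve(records, name, "A") if t == "A"]
    return a[0] if a else None


RECORDS = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    for name in ("www.example.com", "mail.personaltelco.net", "localhost", "x.localhost"):
        print(f"{name:24} -> {resolve(RECORDS, name, 'A')}")
    print("MX for any host      ->", resolve(RECORDS, "foo.bar", "MX"))
```

Running it shows every ordinary name resolving through `*.` CNAME `.` to the gateway's A record and the root MX, `localhost` answering from its own data, and `x.localhost` getting no answer at all, which is the one surprise worth checking before relying on this setup for a splash page.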


DnsSpoofing (last edited 2007-11-23 18:01:54 by localhost)