dns poison?

Borkil

Senior member
Sep 7, 2006
I'm attempting to poison my DNS cache on a virtual machine; however, I cannot get the machine to accept my fake DNS responses. The virtual machine is running Linux. I added the following rule to the nat iptable:
iptables -t nat -A OUTPUT -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j DNAT --to 127.0.0.1:12345

When I run dig google.com, the DNS packet gets looped back to the machine, but onto port 12345, where I am running a Python/Scapy script. That script reads the packet, forges a response with the correct port number and transaction ID, and sends it back to the machine on port 53. In Wireshark everything looks correct, but when I run the dig command, the machine just repeatedly requests a lookup, ignores my responses, and says ";; connection timed out; no servers could be reached". Is there something I am forgetting? At first I thought it was because I originally was not setting the "Non-authenticated data" bit, but after setting that it still ignores the packets.

Borkil

> Is there a response code (RCODE)?

After receiving my packets? I don't believe so. In my forged packet I just set RCODE to 0 for "no error", and I don't see any packets leaving the VM with errors, nor any ICMP error messages. I've changed a lot of my code, so I will have to rerun and check.

After reading up on more of the Scapy documentation, I noticed that it has a built-in sniffer. I've decided that instead of redirecting the packets using iptables, I use my script to sniff for packets with a destination port of 53 (DNS traffic) and capture them. I still use iptables to block incoming DNS responses. However, it's still not working. Perhaps my iptables is also blocking my forged packets; I just wrote a quick one-liner. So my next plan is to add more logic to the iptables rules to allow loopback traffic and to log, in order to check that my own packets aren't being filtered.

UPDATE:

Well, I think the problem lies within a bug in Scapy. After analyzing my fake packets I noticed that they are slightly bigger than the real ones. Looking at the hex dump, I noticed that some info is repeated in the packets. Then I checked the site and saw an active ticket for it. So I guess my next step is to try to do it in Perl, haha. I've never really done much in Perl, but so far I've managed to create forged packets and send them; I still need to work out a way to sniff traffic in Perl.

Borkil

Success! I finally got around to working on the Perl version and, bam, it just works. It seems like there is an issue with DNS packets in Scapy. However, I was lazy and just used my Python script to sniff and then pipe the info to Perl. Because of this, it is too slow to use in a real situation: it takes about 50 ms for my fake packet to be received with my current version, while a real cached response takes about 10 ms. Scapy is extremely fast and can fake it in 1 ms or less, but the target computer will not accept it. So I had to use iptables to block DNS replies from outside IPs and only allow loopback responses. As of now, any domain name I type into my browser (when the script is running) will send me to google.com (the IP I send in my fake packet). Now I just need to figure out how to sniff in Perl and make it faster.
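The thread never spells out which checks a stub resolver runs before it accepts a UDP reply, which is what decides whether a response is used or silently dropped (the "no servers could be reached" outcome in the first post) and why the oversized Scapy packets from the update post stood out on the wire. The following is an added example, not Borkil's script and not Scapy or Perl code: a small DNS wire-format parser plus a `check_response` function that applies the matching rules a resolver uses (reply port equals the query's source port, transaction ID match, QR bit set, same opcode, question section echoed exactly) and, as an extra sanity check, reports bytes left over after the declared sections, which is how duplicated data of the kind described in the update shows up. The query and responses at the bottom are constructed for the demo (192.0.2.10 is a documentation address); the trailing-bytes check is a diagnostic, not something every resolver is guaranteed to enforce.

```python
import struct

A_RECORD = 1
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name at offset `off`; return (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                         # the pointer ends this name on the wire
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_message(msg):
    """Parse header, question and resource-record sections; record how many bytes were used."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))   # names compare case-insensitively
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name.lower(), rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "questions": questions,
            "records": records, "consumed": off, "length": len(msg)}


def check_response(query, response, query_sport, response_dport):
    """Return the reasons a stub resolver would discard `response`; an empty list means accepted."""
    problems = []
    if query_sport != response_dport:
        problems.append("destination port does not match query source port")
    q = parse_message(query)
    try:
        r = parse_message(response)
    except (ValueError, IndexError, struct.error):
        return problems + ["response does not parse"]
    if r["id"] != q["id"]:
        problems.append("transaction id mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR bit not set")
    if (r["flags"] >> 11) & 0xF != (q["flags"] >> 11) & 0xF:
        problems.append("opcode mismatch")
    if r["questions"] != q["questions"]:
        problems.append("question section does not echo the query")
    if r["consumed"] != r["length"]:
        problems.append("%d trailing bytes after the last section" % (r["length"] - r["consumed"]))
    return problems


def build_query(txid, name):
    # flags 0x0100 = recursion desired, one question, A/IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)


def build_response(txid, name, ip, flags=0x8180):
    # flags 0x8180 = QR set, RD and RA set; one question, one A answer using a pointer to the question name
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 60, len(rdata)) + rdata
    return header + question + answer


# Constructed sample traffic: a query from source port 40000 and three candidate replies.
QUERY = build_query(0x1A2B, "google.com")
GOOD = build_response(0x1A2B, "google.com", "192.0.2.10")
WRONG_ID = build_response(0x1A2C, "google.com", "192.0.2.10")
DUPLICATED = GOOD + GOOD[12:]        # question and answer bytes repeated after the real sections

if __name__ == "__main__":
    for label, resp, dport in (("good", GOOD, 40000), ("wrong id", WRONG_ID, 40000),
                               ("duplicated", DUPLICATED, 40000), ("wrong port", GOOD, 53)):
        print(label, "->", check_response(QUERY, resp, 40000, dport) or "accepted")
```

Running the demo shows the good reply accepted and each of the others rejected for one specific reason, which is the order of checks worth reproducing when debugging in Wireshark: a reply that is well-formed but arrives on the wrong port, or carries a stale ID, never reaches the question comparison at all.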