Free DNS Spoofing Scanners?


BlitzenZeus
September 8th, 2003, 06:52 AM
I've done some searching, and I have only found one that does some DNS spoofing so far; you also have to be a paid member. If you're not following what I'm talking about: in loose DNS configurations your firewall might let these packets bypass your firewall. One thing I should say is I haven't seen this used in the wild, but who's to say that it hasn't been used against others? Think of how many more computers would be infected, even possibly through hardware firewalls, if the RPC worm always used UDP 53 for the remote listening connection.

Examples:
If it weren't restricted by local ports and remote addresses, it could contact any UDP port (0-65535!) on your computer just by using a certain port on their end. If your firewall leaks this much then it sucks, or it's not configured correctly. It's usually the latter...
UDP Site.Scan: 53 -> Your.IP: 135 Allowed - INFECTED w/out patch
UDP Site.Scan: 53 -> Your.IP: 1027 Allowed - Possible messenger spam
UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic

Let's say they restrict it to the common local ports, but still not by IP address. They can now scan the UDP range of 1024-5000. This would likely be your standard application-based firewall.
UDP Site.Scan: 53 -> Your.IP: 135 Blocked
UDP Site.Scan: 53 -> Your.IP: 1027 Allowed - Possible messenger spam
UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic

Now you finally restrict it to the local port range, and your dns servers.
UDP Site.Scan: 53 -> Your.IP: 135 Blocked
UDP Site.Scan: 53 -> Your.IP: 1027 Blocked
UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic

Some have stated that they have gotten messenger spam from any listening port of svchost.exe including the ports in the local range, but don't dwell on that please. I'm only stating what I have read elsewhere...

If anyone knows of any free online scanners that will use dns spoofing that would be great since I'm having trouble finding any to prove to others how their simple application based software firewall is leaking.

This is something that has been known for a long time, and I'm willing to bet that many simple configuration firewalls, even many user configurations, won't pass this test. The 1024-5000 range isn't as dangerous as what could be listening on the lower ports like 135, but it's still possible it could be used in some way through a listening program.
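The three rule sets walked through above, evaluated against the same three sample packets, as an added example that is not code from the thread or from any firewall product. Addresses (documentation ranges), the resolver set and the policy names are assumptions. A fourth, stateful policy is included because it goes one step beyond the post: it admits a source-port-53 datagram only when it answers a query this host actually sent, so even a probe with the resolver's address forged as source is dropped unless the attacker also guesses a live query's port.

```python
# Added example, not code from the thread: the three UDP rule sets the post walks
# through, plus a stateful variant the post does not describe, evaluated against
# the post's sample packets. Addresses and the resolver set are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "UDP"


MY_IP = "192.0.2.10"              # assumed host address
DNS_SERVERS = {"198.51.100.53"}   # assumed configured resolvers
SCAN_SITE = "203.0.113.7"         # assumed scanning site
EPHEMERAL = range(1024, 5001)     # the 1024-5000 range named in the post

# The post's three example packets, reconstructed with the assumed addresses.
SAMPLE: Dict[str, Packet] = {
    "scan->135":  Packet(SCAN_SITE, 53, MY_IP, 135),
    "scan->1027": Packet(SCAN_SITE, 53, MY_IP, 1027),
    "dns->1031":  Packet(next(iter(DNS_SERVERS)), 53, MY_IP, 1031),
}

Policy = Callable[[Packet], bool]


def loose(p: Packet) -> bool:
    """Rule set 1: any UDP datagram with source port 53 is let in, to any local port."""
    return p.proto == "UDP" and p.sport == 53


def range_only(p: Packet) -> bool:
    """Rule set 2: as above, but only to the ephemeral range."""
    return loose(p) and p.dport in EPHEMERAL


def resolver_only(p: Packet) -> bool:
    """Rule set 3: as above, and only from the configured resolvers."""
    return range_only(p) and p.src in DNS_SERVERS


class StatefulFilter:
    """Rule set 4 (beyond the post): admit only replies to queries we actually sent.

    A forged resolver source address still fails unless the attacker also hits
    the ephemeral port of a query that is in flight.
    """

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, p: Packet) -> None:
        """Record an outgoing DNS query as (our ip, our port, server ip, 53)."""
        if p.proto == "UDP" and p.dport == 53:
            self.pending.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> bool:
        key = (p.dst, p.dport, p.src, p.sport)  # a reply flips the 4-tuple
        if key in self.pending:
            self.pending.discard(key)           # one reply per query, then close
            return True
        return False


def evaluate(policy: Policy, packets: Dict[str, Packet] = SAMPLE) -> Dict[str, str]:
    """Return Allowed/Blocked for each sample packet under a stateless policy."""
    return {name: ("Allowed" if policy(p) else "Blocked") for name, p in packets.items()}


if __name__ == "__main__":
    for name, policy in (("loose", loose), ("range_only", range_only), ("resolver_only", resolver_only)):
        print(name, evaluate(policy))
```

The stateless results reproduce the post's three tables line for line; the stateful filter is what a packet filter with connection tracking does for UDP, and it is the only one of the four that also stops a replayed or forged "reply" aimed at a port you are not currently querying from.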

Phant0m
September 8th, 2003, 06:59 AM
You won't find any sites using DNS Spoofing Technology to bypass people's Software Firewalls; if you want to prove to these people it's possible you need to use Spoofing Software on your Local Machine or r00ted boxes… ;)

BlitzenZeus
September 8th, 2003, 07:15 AM
Well, I already said I found one, but it only scans a few lower ports while being a paid member of the site. It's DSL/Broadband Reports (DSLR/BBR), and it's the UDP scan in the full scan section.
http://www.broadbandreports.com/secureme

I could download nmap if that would work, but I'm afraid that even after a person consented to the scan they would still report the logs.

Rickster
September 8th, 2003, 08:53 AM
I don't get it... the link is just another test scan. There's plenty of free, more comprehensive tests out there. What was that again? I read it twice and must just be getting tired or something; a spoofed DNS defeats a firewall?

Regards, Rick

BlitzenZeus
September 8th, 2003, 04:27 PM
Rick, I doubt you even understand how DNS communications really work, and the fact that you said that about the scan just means you don't have access to the advanced options, which are much more intensive than free scanners. It's not an advertised part of the scan; it set off my rules which prevented DNS spoofing.

Phant0m
September 8th, 2003, 05:34 PM
BlitzenZeus, are you saying the Online Scanning System spoofs itself into the target's Primary and Secondary … DNS Addresses? If not, this is an irrelevant scan… ;)

BlitzenZeus
September 8th, 2003, 06:14 PM
Phant0m, why are you missing the point, and even confusing yourself by adding information that has nothing to do with it?

The site scans from UDP 53 for a few packets; the logs show they come from the scanning site. Is that hard to understand? Does it not follow my above example of DNS spoofing, but only targeting different ports? Unless something acts as a DNS server, it can be used for DNS spoofing against other targets, since all it has to do is use their local UDP port 53 to scan the entire UDP range.

The first two logs show that the same server is scanning to attempt DNS spoofing.
Blocked Incoming 02/Sep/2003 03:56:39 Packet to unopened port received TCP 209.191.132.40 35118 BlitzenZeus 1018 no owner
Blocked Incoming 02/Sep/2003 03:56:39 Packet to unopened port received TCP 209.191.132.40 35117 BlitzenZeus 703 no owner
Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 5 no owner
Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 11 no owner
Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 9 no owner
Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 14 no owner
Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 7 no owner
Blocked Incoming 02/Sep/2003 03:56:37 DNS Alert (Log, Alert) UDP 209.191.132.40 53 BlitzenZeus 1 no owner

The address 209.191.132.40 is the scanner...

Pinging bronze.dslreports.com [209.191.132.40] with 32 bytes of data

Reply from 209.191.132.40: bytes=32 time=167ms TTL=242
Reply from 209.191.132.40: bytes=32 time=154ms TTL=242
Reply from 209.191.132.40: bytes=32 time=153ms TTL=242
Reply from 209.191.132.40: bytes=32 time=153ms TTL=242

Ping statistics for 209.191.132.40:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 153ms, Maximum = 167ms, Average = 156ms

Phant0m
September 8th, 2003, 08:08 PM
Hmmm, how's this DNS Spoofing?

BlitzenZeus
September 8th, 2003, 08:23 PM
Quoting Phant0m: "Hmmm, how's this DNS Spoofing?"

Call it an open DNS configuration exploit if you like, but in this manner it appears to be faking DNS traffic to possibly bypass a firewall configuration. You didn't argue what I called it when I started the thread and mentioned that this method might allow others to connect to your computer through your firewall, which would indicate that there was no IP spoofing involved, as IP spoofing is one way.

Phant0m
September 8th, 2003, 08:30 PM
You use the topic title “DNS Spoofing Scanners”, but the contents of the discussion don't correspond with it…

Detox
September 8th, 2003, 11:40 PM
Come on guys if you both know what the other is talking about there's really no point to arguing the formalities of the terms, right?

If I had any idea what BZ is talking about/looking for I'd just tell him if I knew of any such site, but it's all over my cabeza ffs

BlitzenZeus
September 9th, 2003, 12:01 AM
Thank you...

I didn't reply to the last response on purpose, and he is stuck on an issue of his own creation; he can't get over that I used some terminology in another way that he doesn't agree with. I think he just likes to argue until people leave him alone, or agree with his point of view. 8)

What I'm asking for is something I don't expect to be free, unfortunately. It's a UDP port scanner that scans from UDP port 53 to make it appear it could be DNS communications. Many simple configurations allow any address to contact UDP ports 1024-5000, or their entire UDP port range, just by using the remote port 53, which might allow scanners to bypass your firewall.

Phant0m
September 9th, 2003, 12:50 AM
Hey BlitzenZeus

I apologize for being crude; I simply couldn’t interpret your posts with all those inconsistencies, but now I understand fully what you are wanting... ;)

Regards,

Rickster
September 10th, 2003, 01:39 AM
Hi BlitzenZeus, sorry - you're right. Whenever I say something stupid, a simple "move aside sonny, you're in over your head" will do fine. But I did find some info on the subject.

http://www.securesphere.net/download/papers/dnsspoof.htm

Now guys, this link is only for dummies like me who are curious, so all savvy people just ignore this post. If you can get by the author's typos, deplorable sentence structure and grammar, he does, however, painfully get the "novice's" point across. DNS UDP port 53 is toward the end. More advanced pubs at CNET, Security Focus, etc. and effective filtering strategies are certainly out there. Interesting stuff.

P.S. First few months I had my system, after crafting security from contributors here, I paid around $450 to Security Focus and other firms to attack my system in ways that claim to be more advanced than free sources - passed them all, but never recalled a test for this threat.

Best Regards, Rick