I am making a tool that sniffs DNS traffic for the network and looks for DNS spoofing attacks, so I sniff the DNS responses, but I need a way to check every response and see if it's valid. I wanted to use https://exana.io/tools/dns/ but it's not working. I need an API that I can send the DNS response to and it will check it.
At first I wanted to check if the IP is malicious with VirusTotal, but it won't protect from DNS spoofing because it has nothing to do with the IP being malicious...
I wanted to use the API of exana.io but it is not working.
>Solution:
Set up a "bind caching nameserver" on a remote server, and set /etc/resolv.conf to 127.0.0.1.
Via an encrypted channel, ask your remote server to perform a DNS lookup. If the IP matches, great.
If the IP does not match, do a whois lookup on the two IPs. If owned by the same ISP, probably still not spoofed.
If the non-matching IPs are owned by different ISPs, there is a strong chance the DNS is spoofed.
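The three-step check from the answer (compare against a trusted resolver, then compare IP owners on mismatch), as an added example that is not part of the original post. The trusted lookup and the whois owner lookup are stubbed with constructed tables here; in the real tool `trusted_resolve` would query the remote caching nameserver over the encrypted channel and `owner_lookup` would run whois/RDAP.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, Set


@dataclass
class Verdict:
    status: str            # "match" | "same-owner" | "likely-spoofed" | "unverifiable"
    sniffed: Set[str] = field(default_factory=set)
    trusted: Set[str] = field(default_factory=set)


def classify_response(qname: str, sniffed_ips: Iterable[str],
                      trusted_resolve: Callable[[str], Iterable[str]],
                      owner_lookup: Callable[[str], str]) -> Verdict:
    """Apply the answer's check to one sniffed DNS response for qname.

    trusted_resolve: lookup via the remote caching nameserver (encrypted channel).
    owner_lookup: whois-style owner/ISP of a single IP address."""
    sniffed = set(sniffed_ips)
    trusted = set(trusted_resolve(qname))
    if not trusted:                              # nothing to compare against
        return Verdict("unverifiable", sniffed, trusted)
    if sniffed & trusted:                        # step 1: at least one IP agrees
        return Verdict("match", sniffed, trusted)
    sniffed_owners = {owner_lookup(ip) for ip in sniffed}
    trusted_owners = {owner_lookup(ip) for ip in trusted}
    if sniffed_owners & trusted_owners:          # step 2: same ISP, likely round-robin/CDN
        return Verdict("same-owner", sniffed, trusted)
    return Verdict("likely-spoofed", sniffed, trusted)   # step 3: different owners


# --- constructed stand-ins for the network calls (hypothetical data, documentation ranges) ---
TRUSTED_ANSWERS = {"example.test": ["203.0.113.10", "203.0.113.11"],
                   "cdn.example.test": ["198.51.100.5"]}
IP_OWNERS = {"203.0.113.": "ISP-A", "198.51.100.": "CDN-B", "192.0.2.": "OTHER-NET"}


def stub_trusted_resolve(qname: str):
    return TRUSTED_ANSWERS.get(qname, [])


def stub_owner_lookup(ip: str) -> str:
    for prefix, owner in IP_OWNERS.items():
        if ip.startswith(prefix):
            return owner
    return "unknown"


if __name__ == "__main__":
    # constructed sniffed responses: genuine, round-robin within one owner, and forged
    for qname, ips in [("example.test", ["203.0.113.11"]),
                       ("cdn.example.test", ["198.51.100.9"]),
                       ("example.test", ["192.0.2.66"])]:
        print(qname, ips, "->", classify_response(qname, ips, stub_trusted_resolve, stub_owner_lookup).status)
```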