DNS Redirection Stopped

by c0ld_b00t

The letter from "bradsnet" in 19:3 about how Ford could redirect back to 2600.com or 127.0.0.1, etc. got me thinking about how easy that could be.

It turned out to be easier than I thought.

Every HTTP request has a host field in it that contains the address that was typed in, so if I type in www.2600.com and click Go it will have www.2600.com in the host field.

All browsers that I know of send the host field in their HTTP requests.  When a DNS entry redirects a site to our server, the host field still contains the name the user typed, so we can detect the redirection with little effort.

Example of an HTTP request (notice the host field):

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host: www.2600.com
Connection: Keep-Alive
<CRLF><CRLF>

Included is a small VB program (I used VB to show how easy it is) that scans all incoming HTTP requests and checks to see if the host field is the web address or the IP address of the current website.

If not, it redirects to 2600.com, and if so it redirects to Ford's website.

This doesn't protect against <meta> tag redirection or <(i)frame> redirection, which need a web page to do the redirecting rather than a DNS entry.

Here is a script that can stop that (real simple - it took five minutes!).  Hey, a 16-year-old can do it, so can a big corp.

<html>
<head>
<script>
// document.referrer looks like "http://host/path", so element 2 of the split is the host name
splitit=document.referrer.split("/")
if (splitit[2]=="www.fuckgeneralmotors.com") {
  document.write("<html><head><meta http-equiv='REFRESH' content='1;URL=http://www.2600.com'></head></html>");
}
else {
  document.write("<html><head><meta http-equiv='REFRESH' content='1;URL=http://www.ford.com'></head></html>");
}
</script>
</head>
</html>

O.K., here is the DNS Redirection Filter made in VB.

Note:  If you are going to set this filter up you'll have to change your server port to something other than 80 and change the <meta> headers to redirect to that port (big deal, unless you're running IIS).  You could add this feature to an open-source web server, too.  You could alter the code to redirect to the port directly.

  • Step 1:  Create a project with "Standard EXE".
  • Step 2:  Add a Winsock component and name it Winsock1 (that's the default).
  • Step 3:  Change the Index tab of Winsock1 to 0.
  • Step 4:  Make a form and name it Form1 (default again).
  • Step 5:  Put the code below in the form.
  • Step 6:  Compile and run.

dns-redirect.vb:

' DNS Redirection Filter
' by c0ld_b00t
' for Fored(lol) and NPR

Private webaddress As String
Private webip As String
Private intlastcontrol As Long

Private Sub Form_Load()
  webaddress = LCase(Winsock1(0).LocalHostName)
  webip = Winsock1(0).LocalIP
  intlastcontrol = 0
  ' Control 0 is the listening socket; accepted connections get their own controls
  With Winsock1(0)
    .LocalPort = 80
    .Listen
  End With
End Sub

Private Sub Winsock1_ConnectionRequest(Index As Integer, ByVal requestid As Long)
  If Index = 0 Then
    intlastcontrol = intlastcontrol + 1
    Load Winsock1(intlastcontrol)
    Winsock1(intlastcontrol).LocalPort = 0
    Winsock1(intlastcontrol).Accept requestid
  End If
End Sub

Private Sub Winsock1_DataArrival(Index As Integer, ByVal bytesTotal As Long)
  Dim data1 As String
  Dim a1 As Long, a2 As Long
  Dim a3 As String
  ' Read from the socket that raised the event, not the most recently loaded one
  Winsock1(Index).GetData data1
  On Error GoTo redirectnormal
  ' Locate the Host header; if there is none, do the normal redirect
  a1 = InStr(1, data1, "Host: ")
  If a1 = 0 Then GoTo redirectnormal
  a1 = a1 + 6
  a2 = InStr(a1, data1, vbCrLf)
  a3 = LCase(Mid(data1, a1, a2 - a1))

  If a3 = webaddress Or a3 = webip Then
    GoTo redirectnormal
  Else
    ' DNS redirection detected, redirecting back to 2600.com
    Winsock1(Index).SendData "<html><head><meta http-equiv=" + Chr(34) + "REFRESH" + Chr(34) + " content=" + Chr(34) + "1;URL=http://www.2600.com" + Chr(34) + "></head></html>"
  End If
Exit Sub

' Here we do a normal redirection to ford.com
redirectnormal:
Winsock1(Index).SendData "<html><head><meta http-equiv=" + Chr(34) + "REFRESH" + Chr(34) + " content=" + Chr(34) + "1;URL=http://www.ford.com" + Chr(34) + "></head></html>"
End Sub

Private Sub Winsock1_SendComplete(Index As Integer)
  ' Close the connection that finished sending
  Winsock1(Index).Close
End Sub
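
The host field comparison that the filter above performs, as an added example in JavaScript (Node.js) that is not part of the original article. It goes beyond the string search in the listing by handling a ":port" suffix, mixed case, a trailing dot, a bracketed IPv6 literal, and a missing or repeated Host header. OWN_NAMES and the sample request are constructed for illustration.

```javascript
// Added example, not code from the article. OWN_NAMES is a constructed
// allow-list (192.0.2.10 is a documentation address standing in for the server IP).
const OWN_NAMES = new Set(['www.ford.com', 'ford.com', '192.0.2.10']);

// Return the single Host header value of a raw request, or null when the
// header is absent or repeated (a repeated Host is ambiguous, so reject it).
function extractHost(rawRequest) {
  const head = rawRequest.split('\r\n\r\n')[0];
  const hosts = [];
  for (const line of head.split('\r\n').slice(1)) { // skip the request line
    const colon = line.indexOf(':');
    if (colon !== -1 && line.slice(0, colon).toLowerCase() === 'host') {
      hosts.push(line.slice(colon + 1).trim());
    }
  }
  return hosts.length === 1 ? hosts[0] : null;
}

// Lower-case, strip ":port" and a trailing dot, unwrap an [IPv6] literal.
// Returns null for values that are not a plain host[:port].
function normaliseHost(value) {
  let host = value.toLowerCase();
  if (host.startsWith('[')) {
    const close = host.indexOf(']');
    return close > 1 ? host.slice(1, close) : null;
  }
  const colon = host.lastIndexOf(':');
  if (colon !== -1) {
    if (!/^\d*$/.test(host.slice(colon + 1))) return null;
    host = host.slice(0, colon);
  }
  if (host.endsWith('.')) host = host.slice(0, -1);
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// 'own'     : the request named this server
// 'foreign' : some other name resolved to this server
// 'missing' : no usable Host header (e.g. an HTTP/1.0 client)
function classifyRequest(rawRequest, ownNames = OWN_NAMES) {
  const raw = extractHost(rawRequest);
  const host = raw === null ? null : normaliseHost(raw);
  if (host === null) return 'missing';
  return ownNames.has(host) ? 'own' : 'foreign';
}

// Constructed sample: another domain's DNS entry points at this server.
const SAMPLE = 'GET / HTTP/1.1\r\nAccept: */*\r\nhost: WWW.Example.ORG:80\r\n\r\n';
console.log(classifyRequest(SAMPLE)); // foreign
```

A request classified as 'missing' is left to the caller to handle; the VB filter above sends such requests down the normal redirect path.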

Shoutouts: Hi Mom, Bryan, Cassidy, my bro (Nathaniel), and whoever I forgot.
