LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

In the Ettercap etter.dns config, what do A, AAAA, and PTR records mean, and why do you need to spoof BOTH A and AAAA?

A = IPv4 address. AAAA = IPv6 address. PTR = reverse (IP → name). Both A and AAAA must be spoofed because modern OSes prefer IPv6 — if AAAA isn't spoofed, the victim might bypass your trap via IPv6.

The three record types:

Record Maps Example
A Name → IPv4 mycampus.hslu.ch → 147.88.196.50
AAAA Name → IPv6 mycampus.hslu.ch → 2001:db8::1
PTR IP → Name (reverse) 192.168.1.99 → mycampus.hslu.ch

An example spoof config:

mycampus.hslu.ch       A     192.168.1.99      ← attacker IPv4
mycampus.hslu.ch       AAAA  fe80::abcd        ← attacker IPv6
*.mycampus.hslu.ch     A     192.168.1.99
*.mycampus.hslu.ch     AAAA  fe80::abcd
www.mycampus.hslu.ch   PTR   192.168.1.99

Why AAAA matters — Happy Eyeballs:

Modern browsers/OSes use "Happy Eyeballs" (RFC 8305):

  1. Resolve both A and AAAA simultaneously
  2. Try IPv6 first (slight head start)
  3. Fall back to IPv4 if IPv6 fails

If you spoof only A: the victim's browser might prefer the real IPv6 address from a legit AAAA record → bypass your fake server entirely.

Wildcard *. matters:

*.mycampus.hslu.ch catches subdomains like login.mycampus.hslu.ch, api.mycampus.hslu.ch. Without it, only the exact domain redirects.

PTR for completeness:

PTR records are checked by some apps (mail, SSH) — for full impersonation, both forward and reverse must align. For a quick demo it's often unnecessary, but pros include it.

Why link-local IPv6 works here:

fe80::... addresses only work on the local segment. In a real attack with a public-routable IPv6, the same approach works but with a global IPv6 address.

Tip: Test for IPv6 vulnerabilities by disabling IPv4 entirely and seeing if a service still works. Many "secure" configs are only secure on the IPv4 side.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026