In the Ettercap etter.dns config, what do A, AAAA, and PTR records mean, and why do you need to spoof BOTH A and AAAA?
A = IPv4 address. AAAA = IPv6 address. PTR = reverse (IP → name). Both A and AAAA must be spoofed because modern OSes prefer IPv6 — if AAAA isn't spoofed, the victim might bypass your trap via IPv6.
The three record types:
| Record | Maps | Example |
|---|---|---|
A |
Name → IPv4 | mycampus.hslu.ch → 147.88.196.50 |
AAAA |
Name → IPv6 | mycampus.hslu.ch → 2001:db8::1 |
PTR |
IP → Name (reverse) | 192.168.1.99 → mycampus.hslu.ch |
An example spoof config:
mycampus.hslu.ch A 192.168.1.99 ← attacker IPv4
mycampus.hslu.ch AAAA fe80::abcd ← attacker IPv6
*.mycampus.hslu.ch A 192.168.1.99
*.mycampus.hslu.ch AAAA fe80::abcd
www.mycampus.hslu.ch PTR 192.168.1.99
Why AAAA matters — Happy Eyeballs:
Modern browsers/OSes use "Happy Eyeballs" (RFC 8305):
- Resolve both A and AAAA simultaneously
- Try IPv6 first (slight head start)
- Fall back to IPv4 if IPv6 fails
If you spoof only A: the victim's browser might prefer the real IPv6 address from a legit AAAA record → bypass your fake server entirely.
Wildcard *. matters:
*.mycampus.hslu.ch catches subdomains like login.mycampus.hslu.ch, api.mycampus.hslu.ch. Without it, only the exact domain redirects.
PTR for completeness:
PTR records are checked by some apps (mail, SSH) — for full impersonation, both forward and reverse must align. For a quick demo it's often unnecessary, but pros include it.
Why link-local IPv6 works here:
fe80::... addresses only work on the local segment. In a real attack with a public-routable IPv6, the same approach works but with a global IPv6 address.
Tip: Test for IPv6 vulnerabilities by disabling IPv4 entirely and seeing if a service still works. Many "secure" configs are only secure on the IPv4 side.
Go deeper:
RFC 8305 — Happy Eyeballs Version 2 — the spec that makes clients race IPv6 first, which is exactly why spoofing only the A record can leak the victim past your trap.