Industry guru Dave Taylor answers free tech support questions about a wide variety of business and technical topics, including blogging, Google AdSense, MySpace, Sony PSP, Apple iPod, Mp3 players, management, Linux, SEO, Mac OS X, Facebook, Twitter, LinkedIn and Microsoft Windows.

Still befuddled? Get immediate live tech support with SupportSpace!

How can my server be DNS spoofed?

Help! For some reason when I try to use "ssh" to connect to my server from my Mac, it fails and is saying that I might be a victim of a "DNS Spoof"? What's going on, and how do I fix the problem?

Dave's Answer:

First off, a critically important question: have you moved your domain name from one server to another in the last day or two? Or, perhaps, has your ISP moved you from one server to another and therefore had to change your IP (internet protocol) address?

That's what's happening. Your Mac remembers that you used to end up at, say, 129.1.1.30 when you requested to connect using the secure ssh protocol, but now the domain name resolves to a different IP address.

Here's the message you're probably seeing:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for intuitive.com has changed,
and the key for the according IP address 205.212.166.171
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /Users/taylor/.ssh/known_hosts:4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ce:a1:ce:c7:90:15:41:c4:ac:81:5f:a3:f9:7d:97:1d.
Please contact your system administrator.
Add correct host key in /Users/taylor/.ssh/known_hosts to get rid of this message.
Offending key in /Users/taylor/.ssh/known_hosts:1
RSA host key for intuitive.com has changed and you have requested strict checking.
Host key verification failed.

Pretty scary!

But you can see that it shows you the solution if you're confident that you are pointing at a new IP address and all is well: simply wipe out the "known_hosts" file for that connection in your "ssh" configuration folder (in my case, it's /Users/taylor/.ssh).

You can either just remove the offending line or delete the entire file and let it reprompt you whether to save the secure keys for other sites you visit too. I usually opt for the latter.

If you haven't made any changes, then you need to get on the phone with your Internet Service Provider ASAP to figure out what's going on!

Hope that helps clear things up!

Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Simpy.

Categorized: Mac OS X Help , Unix and Linux Help (Article 5841)
Tagged: dns spoofing, sftp, ssh
Previous: What is WiMAX?
Next: Are Sony PSP's regionally encoded?

Subscribe!

Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader.

Comments

I followed all your steps to seting my psp up for the internet but now it says a dns error has occured. How do I fix this?

Posted by: Keith at April 6, 2008 11:17 AM

I have a lot to say, but ...

I have a lot to say, and questions of my own for that matter, but most of all I'd like to say thank you for all your efforts on this Web site by buying you a chai!

I do have a comment, now that you mention it!