It's perhaps my lack of deeper knowledge of how DNS, NAT or TCP work, but I have been thinking about the following scenario and can't figure out the following problem, which arises in a DNS-spoofing MITM attack:
Imagine a MITM attack which is carried out using DNS spoofing. A victim tries to connect to server A (www.example.com), but since it uses a rogue primary DNS, it is given the false IP address of another server B. Now, since the victim thinks it has the correct IP address, it starts some communication with B. The attacker just wants to intercept the traffic and forward it to its proper destination, so he doesn't raise the victim's suspicion. How does the attacker know the original destination?
In case the communication is HTTP, this is easy, since every request carries its URL. But what happens in the more general case of just some ordinary TCP packet (non-HTTP)? Since the TCP header now contains the attacker's server B IP address, how does the attacker know the original destination of this packet?
My particular thought is that the attacker spoofs 2 or more domain names pointing to servers running services at the same port numbers.
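The point the question circles around, as an added example that is not part of the original post: a TCP/IP header carries only addresses and ports, so the only place a hostname can appear is in the application data, and a spoofed name is recoverable only for protocols that name the server there (the HTTP Host header, or the TLS SNI extension in the ClientHello). The script below, written for this page using only the Python standard library, builds two constructed client payloads (an HTTP request and a TLS ClientHello it assembles itself) plus an opaque byte string, and reports the name each one carries; the hostnames, sample bytes and function names are assumptions made for the example. This is the same first-packet inspection a network sensor performs to tell which name a client was trying to reach, and it shows that a bare TCP stream offers nothing to go on.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension (constructed sample)."""
    name = hostname.encode("ascii")
    # server_name extension: list length, then one entry of type 0 (host_name), length, name
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + b"\x11" * 32               # random (fixed filler for the sample)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _host_from_http(data: bytes):
    """Return the Host header of an HTTP/1.x request, or None if the bytes are not one."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")  # request line: METHOD target HTTP/x.y
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def _sni_from_client_hello(data: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or not a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:  # record type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:  # handshake type 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32  # skip client_version and random
    try:
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            lpos = 2  # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
    except (IndexError, struct.error):
        return None  # truncated or malformed record: treat as no name
    return None


def intended_hostname(payload: bytes):
    """Name the client asked for in its first application bytes, or None when the protocol carries none."""
    return _host_from_http(payload) or _sni_from_client_hello(payload)


# Constructed first-packet payloads from a client; "raw" stands in for any protocol
# that never names its server (the non-HTTP case the question asks about).
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: sample\r\n\r\n",
    "tls": build_client_hello("www.example.com"),
    "raw": b"\x00\x00\x00\x0c\x01\x02\x03\x04hello",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:5s} -> {intended_hostname(payload)!r}")
```

The "raw" case is the answer to the non-HTTP question: with no name in the application data, a receiver sees only its own address in the IP header and the destination port, which is exactly why a spoofed record has to be planted for a specific name (and, from the defensive side, why validating DNS answers with DNSSEC or an authenticated resolver matters more than anything the transport layer can reveal).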