dnschef: A DNS proxy tool used for manipulating DNS queries


What is DNSchef?

DNSchef is a DNS proxy tool designed for penetration testers and security researchers. It allows you to intercept, modify, and log DNS requests, making it useful for:

  • Phishing simulations
  • Man-in-the-Middle (MITM) attacks
  • Malware analysis
  • Network traffic redirection
  • Testing DNS-based security controls

Unlike other DNS spoofing tools, DNSchef is highly customizable and can be used to:

  • Spoof specific domains while forwarding others legitimately.
  • Log all DNS queries for analysis.
  • Simulate fake DNS responses for testing.

How DNSchef Works

DNSchef acts as a local DNS server, intercepting DNS queries and responding based on predefined rules. It can:

  • Forward legitimate queries to a real DNS server.
  • Spoof responses for selected domains.
  • Log all DNS activity for analysis.

Key Features:

  • Supports IPv4 and IPv6.
  • Can handle A, AAAA, MX, NS, CNAME, TXT, and other record types.
  • Works in non-root mode (binds to port 53 if available).
  • Highly configurable with command-line options.

Installation

DNSchef comes pre-installed in Kali Linux. If missing, install it via:

Bash
sudo apt update && sudo apt install dnschef

Alternatively, you can get it from GitHub:

Bash
git clone https://github.com/iphelix/dnschef.git
cd dnschef
python3 dnschef.py --help

Basic Usage Examples

A. Simple DNS Proxy (Log All Queries)

Bash
sudo dnschef --interface 127.0.0.1
  • Listens on 127.0.0.1:53.
  • Forwards all queries to the system’s default DNS.

B. Spoof Specific Domains

Bash
sudo dnschef --fakeip=192.168.1.100 --fakedomains=example.com,test.com
  • Responds with 192.168.1.100 for example.com and test.com.
  • Forwards other domains normally.

C. Log DNS Queries to a File

Bash
sudo dnschef --logfile=dns_log.txt
  • Saves all DNS queries to dns_log.txt.

Advanced Usage

A. Spoof Multiple Domains with Different IPs

Create a config file (spoof.txt):

Bash
[A]
example.com=192.168.1.100
test.com=10.0.0.1
*.google.com=1.1.1.1

Run DNSchef:

Bash
sudo dnschef --file=spoof.txt

B. Use a Custom Upstream DNS

Bash
sudo dnschef --nameservers=8.8.8.8
  • Forwards unresolved queries to Google DNS (8.8.8.8).

C. IPv6 Spoofing

Bash
sudo dnschef --fakeipv6=2001:db8::1 --fakedomains=example.com
  • Returns a fake IPv6 address for example.com.

D. Spoof MX & Other Records

Bash
sudo dnschef --fakemail=mail.example.com --fakedomains=example.com
  • Spoofs the MX record for example.com.

Command-Line Options

Option            Description
--interface=      Bind to a specific IP (default: all interfaces).
--port=           Use a custom port (default: 53).
--fakeip=         IP to return for spoofed domains.
--fakeipv6=       IPv6 address to return.
--fakedomains=    Comma-separated domains to spoof.
--file=           Load spoofing rules from a file.
--nameservers=    Forward unresolved queries to this DNS.
--logfile=        Save DNS queries to a log file.
--quiet           Disable logging to stdout.
--tcp             Force TCP mode (default: UDP).

Core Options

A. Domain Filtering

Option                           Description
--fakedomains=domain1,domain2    Spoof only these domains (others resolve normally).
--truedomains=domain1,domain2    Resolve only these domains truthfully (others spoofed).

Example:

Bash
sudo dnschef --fakedomains=example.com --fakeip=192.168.1.100
  • Only example.com resolves to 192.168.1.100 (other domains use real DNS).

Fake DNS Records

Option                       Description
--fakeip=1.1.1.1             Spoof IPv4 (A) records.
--fakeipv6=2001:db8::1       Spoof IPv6 (AAAA) records.
--fakemail=mail.fake.com     Spoof MX records.
--fakealias=www.fake.com     Spoof CNAME records.
--fakens=ns.fake.com         Spoof NS records.

Example (Spoof MX & A Records):

Bash
sudo dnschef --fakedomains=example.com --fakeip=192.168.1.100 --fakemail=mail.example.com
  • example.com resolves to 192.168.1.100 (A record).
  • MX queries return mail.example.com.

File-Based Spoofing (--file)

  • Loads spoofing rules from an INI-style file: one section per record type ([A], [AAAA], [MX], [CNAME], [NS]), each holding domain=value lines.
  • Supports IPv4, IPv6, MX, CNAME, NS records.

Example (spoof_rules.txt):

Bash
[A]
example.com=192.168.1.100
google.com=1.1.1.1

[MX]
mail.example.com=10.0.0.5

Run:

Bash
sudo dnschef --file=spoof_rules.txt
  • example.com → 192.168.1.100
  • google.com → 1.1.1.1
  • MX queries for mail.example.com → 10.0.0.5.
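To show how a rule file like the one above is interpreted, here is an added Python example (my own code, not dnschef's): it loads the INI-style sections with configparser and looks a query name up by record type. The shell-style wildcard matching is an assumption that simplifies dnschef's own matcher; the sample rules are constructed for this example.

```python
"""Added example (not dnschef's own code): load a dnschef-style --file rule set
and look a query name up in it, to show how the section format is interpreted."""
import configparser
import fnmatch
from typing import Dict, Optional

# Constructed sample in the --file layout: one section per record type.
SAMPLE_RULES = """
[A]
example.com=192.168.1.100
*.google.com=1.1.1.1

[MX]
mail.example.com=10.0.0.5
"""

def load_rules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI text into {RECORD_TYPE: {pattern: value}}.

    Only '=' separates key and value, so IPv6 values containing ':' survive;
    ConfigParser lower-cases keys, which suits case-insensitive DNS names.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {sec.upper(): dict(cp.items(sec)) for sec in cp.sections()}

def lookup(rules: Dict[str, Dict[str, str]], qname: str, qtype: str = "A") -> Optional[str]:
    """Return the spoofed value for qname/qtype, or None when the query should
    be forwarded upstream. Exact rules win over wildcards; wildcards use
    shell-style '*' matching (assumption: a simplification of dnschef's matcher)."""
    name = qname.rstrip(".").lower()
    table = rules.get(qtype.upper(), {})
    if name in table:
        return table[name]
    for pattern, value in table.items():
        if "*" in pattern and fnmatch.fnmatchcase(name, pattern):
            return value
    return None

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for q, t in [("example.com", "A"), ("www.google.com", "A"),
                 ("mail.example.com", "MX"), ("bing.com", "A")]:
        print(f"{t:<3} {q:<18} -> {lookup(rules, q, t) or 'forward upstream'}")
```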

Network & Logging Options

Option                   Description
-i 192.168.1.1           Listen on a specific IP (default: 127.0.0.1).
-p 5353                  Use a custom port (default: 53).
-6                       Enable IPv6 mode.
-t                       Force TCP mode (default: UDP).
--nameservers=8.8.8.8    Custom upstream DNS (default: Google DNS).
--logfile=dns.log        Log queries to a file.
-q                       Quiet mode (no console output).

Example (Logging + Custom DNS):

Bash
sudo dnschef --logfile=dns_queries.log --nameservers=1.1.1.1
  • Logs all queries to dns_queries.log.
  • Unmatched domains resolve via Cloudflare (1.1.1.1).

Advanced Usage

A. IPv6 DNS Spoofing

Bash
sudo dnschef -6 --fakeipv6=2001:db8::1 --fakedomains=example.com
  • Spoofs example.com → 2001:db8::1 (IPv6).

B. TCP-Only DNS Proxy

Bash
sudo dnschef -t --fakedomains=example.com --fakeip=192.168.1.100
  • Forces TCP mode (useful for bypassing UDP restrictions).

C. Selective Forwarding

Bash
sudo dnschef --truedomains=google.com --fakeip=192.168.1.100
  • Only google.com uses real DNS; all other domains resolve to 192.168.1.100.

Practical Scenarios

A. Phishing Attack Simulation

Bash
sudo dnschef --fakedomains=paypal.com --fakeip=10.0.0.5
  • Victims accessing paypal.com are redirected to 10.0.0.5 (attacker’s server).

B. Malware C2 Redirection

Bash
sudo dnschef --file=malware_domains.txt
  • Redirects malware traffic to a sinkhole.

C. Bypassing Web Filters

Bash
sudo dnschef --fakedomains=blocked-site.com --fakeip=1.1.1.1
  • Spoofs blocked-site.com to bypass DNS filtering.

Real-World Use Cases

A. Phishing Simulations

  • Redirect users from realbank.com to a fake login page (192.168.1.100).
Bash
sudo dnschef --fakeip=192.168.1.100 --fakedomains=realbank.com

B. Malware Analysis

  • Redirect malware C2 (Command & Control) traffic to a controlled server.
Bash
sudo dnschef --fakeip=10.0.0.5 --fakedomains=malware-domain.com

C. Bypassing Web Filters

  • Spoof blocked domains to access restricted content.
Bash
sudo dnschef --fakeip=1.1.1.1 --fakedomains=blocked-site.com

D. Testing DNS Security

  • Check if a network detects rogue DNS servers.

Troubleshooting Tips

A. “Port 53 Already in Use”

Kali may have systemd-resolved running. Stop it:

Bash
sudo systemctl stop systemd-resolved

B. DNS Queries Not Captured

  • Ensure the target machine uses your Kali IP as its DNS server.
  • Check firewall rules (iptables/ufw).

C. No Response from DNSchef

  • Verify --interface is correct.
  • Test with dig @ example.com.
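When dig is not at hand, the check can be done with a short script. The following is an added example (my own helper, not part of dnschef) that sends a raw A query over UDP to the listener and parses the answer, so you can confirm the configured --fakeip comes back; it assumes dnschef is listening on 127.0.0.1:53 with --fakedomains=example.com --fakeip=192.168.1.100.

```python
"""Added example (my own helper, not part of dnschef): verify that a dnschef
listener answers an A query with the configured --fakeip, using plain DNS/UDP."""
import socket
import struct

def build_a_query(name, txid=0x1234):
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_answers(resp, txid=0x1234):
    """Return the IPv4 addresses in the answer section; [] if the id mismatches."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return []  # not the reply to our query: ignore it
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen  # skip CNAME or other record data
    return addrs

def query_a(name, server="127.0.0.1", port=53, timeout=2.0):
    """Send one UDP query to `server` and return the A records it answered with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, port))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)

if __name__ == "__main__":
    # Assumes dnschef runs locally with --fakedomains=example.com --fakeip=192.168.1.100
    print(query_a("example.com"))
```

If the list is empty or the call times out, the listener is not bound to the address you expect or the query never reached it, which is exactly what the checks above are for.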

D. Logs Not Saving

  • Ensure write permissions for --logfile.
