Using DNSChef in Kali for DNS spoofing

1. Foreword

DNSChef is a highly configurable DNS proxy for penetration testers and malware analysts. It lets you finely configure which DNS replies to modify and which to simply proxy through as the real response. To take advantage of the tool, you must manually configure your clients' DNS server setting to point to DNSChef.

2. Execution parameters

Option parameters:

 -h, --help
show help message and exit

--fakedomains thesprawl.org,google.com
A comma-separated list of domain names that will resolve to the FAKE values given by the --fake* parameters below. All other domain names will resolve to their real values.

--truedomains thesprawl.org,google.com
A comma-separated list of domain names that will resolve to their TRUE values. All other domain names will resolve to the fake values given by the --fake* parameters below.

Fake DNS records:

--fakeip 192.0.2.1
The IP address used to match DNS queries. If you use this parameter without specifying a domain name, all "A" queries will be spoofed. If you need to define multiple IP addresses, consider using the --file parameter.

--fakeipv6 2001:db8::1
IPv6 address to match against DNS queries. If you use this parameter without specifying a domain name, all "AAAA" queries will be spoofed. If you need to define multiple IPv6 addresses, consider using the --file parameter.

--fakemail mail.fake.com
MX name used to match DNS queries. If you use this parameter without specifying a domain name, all "MX" queries will be spoofed. If you need to define multiple MX records, consider using the --file parameter.

--fakealias www.fake.com
The CNAME name used to match DNS queries. If you use this parameter without specifying a domain name, all "CNAME" queries will be spoofed. If you need to define multiple CNAME records, consider using the --file parameter.

--fakens ns.fake.com
The NS name used to match DNS queries. If you use this parameter without specifying a domain name, all "NS" queries will be spoofed. If you need to define multiple NS records, consider using the --file parameter.

--file FILE
Specifies a file containing a list of DOMAIN=IP pairs (one per line) to use for DNS responses. For example: google.com=1.1.1.1 will force all queries to "google.com" to resolve to "1.1.1.1". IPv6 addresses will be detected automatically. You can even be more specific by combining --file with other parameters. However, data obtained from a file will take precedence over other data.
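The options above interact in a fixed order: entries from --file win, then a --fakeip/--fakeipv6 value applies either to the --fakedomains list, to everything except the --truedomains list, or to every query of that record type. The following Python model of those rules (an added example written for this page, not DNSChef's own code) makes that precedence checkable before a test run. It only models A and AAAA records, parses --file in the flat DOMAIN=IP form described above, treats --fakedomains and --truedomains as mutually exclusive, and uses exact, case-insensitive name matching; comment handling in the file and the mutual exclusion are assumptions, and the sample file content is constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample --file content in the DOMAIN=IP format described above (one pair per line).
# The IPv6 value is detected by address family and applied to AAAA queries only.
SAMPLE_FILE = """\
# blank lines and '#' comments are skipped by this simplified parser (assumption)
google.com=1.1.1.1
www.nju.edu.cn=203.0.113.9
ipv6.example.net=2001:db8::1
"""


def _names(csv: Optional[str]) -> List[str]:
    """Split a comma-separated domain list into normalised (lower-case, no trailing dot) names."""
    if not csv:
        return []
    return [d.strip().lower().rstrip(".") for d in csv.split(",") if d.strip()]


def parse_file(text: str) -> Dict[str, Dict[str, str]]:
    """Parse DOMAIN=IP lines into {"A": {...}, "AAAA": {...}}, classifying each value by address family."""
    table: Dict[str, Dict[str, str]] = {"A": {}, "AAAA": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        domain, value = (part.strip() for part in line.split("=", 1))
        addr = ipaddress.ip_address(value)  # raises ValueError on a malformed address
        qtype = "AAAA" if addr.version == 6 else "A"
        table[qtype][domain.lower().rstrip(".")] = str(addr)
    return table


class Rules:
    """Decision model for the --file, --fakeip/--fakeipv6 and --fakedomains/--truedomains options."""

    def __init__(self, file_text: str = "", fakeip: Optional[str] = None,
                 fakeipv6: Optional[str] = None, fakedomains: Optional[str] = None,
                 truedomains: Optional[str] = None) -> None:
        if fakedomains and truedomains:
            raise ValueError("--fakedomains and --truedomains cannot be combined")
        self.file_table = parse_file(file_text)
        self.fake = {"A": fakeip, "AAAA": fakeipv6}  # global fake value per record type
        self.fakedomains = _names(fakedomains)
        self.truedomains = _names(truedomains)

    def decide(self, qname: str, qtype: str) -> Tuple[str, Optional[str]]:
        """Return ("cook", spoofed_value) or ("proxy", None) for one query, following the precedence above."""
        name = qname.lower().rstrip(".")
        # 1. Records loaded with --file take precedence over every other option.
        hit = self.file_table.get(qtype, {}).get(name)
        if hit is not None:
            return ("cook", hit)
        # 2. Without a global fake value for this record type there is nothing to spoof.
        value = self.fake.get(qtype)
        if value is None:
            return ("proxy", None)
        # 3. --fakedomains: only listed names get the fake value;
        #    --truedomains: only listed names get the real answer.
        if self.fakedomains:
            return ("cook", value) if name in self.fakedomains else ("proxy", None)
        if self.truedomains:
            return ("proxy", None) if name in self.truedomains else ("cook", value)
        # 4. A fake value with no domain list spoofs every query of that type.
        return ("cook", value)


if __name__ == "__main__":
    # The rule set used in section 3.3 of this page: only www.nju.edu.cn gets the NUAA address.
    rules = Rules(fakeip="218.94.136.180", fakedomains="www.nju.edu.cn")
    for qname in ("www.nju.edu.cn", "www.nuaa.edu.cn"):
        print(qname, rules.decide(qname, "A"))
```

Running the block reproduces the behaviour observed later in the test: the Nanjing University name is cooked, the NUAA name is proxied, and an AAAA query for either name is proxied because no --fakeipv6 was given.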

Optional runtime arguments:

--logfile FILE
Specify a log file to record all activity

--nameservers 8.8.8.8#53 or 4.2.2.1#53#tcp or 2001:4860:4860::8888
A comma-separated list of alternative DNS servers to use for proxied requests. Nameservers can be given as IP or IP#PORT. When multiple servers are provided, a server randomly selected from the list is used to proxy each request. By default, the tool uses Google's public DNS server 8.8.8.8 when running in IPv4 mode and 2001:4860:4860::8888 when running in IPv6 mode.

-i 127.0.0.1 or ::1, --interface 127.0.0.1 or ::1
Defines the interface the DNS listener binds to. By default the tool uses 127.0.0.1 in IPv4 mode and ::1 in IPv6 mode.

-t, --tcp
Use a TCP DNS proxy instead of the default UDP.

-6, --ipv6
Runs in IPv6 mode.

-p 53, --port 53
The port number to listen for DNS requests.

-q, --quiet
Do not print the banner.

3. Actual test use

3.1 Network connection

The laptop is connected wirelessly to the Wi-Fi hotspot provided by a mobile data card.

Kali is started in VirtualBox on the laptop, with its network adapter set to bridged mode.

The laptop's own hotspot is turned on.

An Android phone connects wirelessly to the laptop's hotspot.

3.2 Network Configuration

3.2.1 Check the network information of the laptop

Wireless LAN Adapter WLAN:

   Connection specific DNS suffix . . . . . . . :
   Link-local IPv6 address . . . . . . . : fe80::8158:d09:dfd0:cbe5
   IPv4 address . . . . . . . . . . . : 192.168.43.168
   Subnet mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway. . . . . . . . . . . : 192.168.43.1

This information is needed for Kali's network configuration after it starts. Kali's network configuration is described in detail in the following blog post:

5 minutes to complete Kali linux installation (based on VirtualBox)_virtualbox installation kali_Xiaoxiangzi’s Blog-CSDN Blog

3.2.2 Check the network information of Kali; its IP is 192.168.43.209

┌──(root㉿kali)-[/home/kali]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.43.209 netmask 255.255.255.0 broadcast 192.168.43.255
        inet6 fe80::a00:27ff:fe22:464f prefixlen 64 scopeid 0x20<link>
        ether 08:00:27:22:46:4f txqueuelen 1000 (Ethernet)
        RX packets 53891 bytes 67773851 (64.6 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 19008 bytes 1363876 (1.3 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 4 bytes 240 (240.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 4 bytes 240 (240.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

3.2.3 Set the DNS server address of the computer to Kali's address

3.3 DNSChef startup, configuration rules, testing

Check that DNSChef is present in Kali:

┌──(root㉿kali)-[/home/kali]
└─# dnschef
          _                _          __
         | | version 0.4  | |        / _|
       __| |_ __  ___  ___| |__   ___| |_
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |
      \__,_|_| |_|___/\___|_| |_|\___|_|
                   [email protected]

(21:09:00) [*] DNSChef started on interface: 127.0.0.1
(21:09:00) [*] Using the following nameservers: 8.8.8.8
(21:09:00) [*] No parameters were specified. Running in full proxy mode
^C(21:10:01) [*] DNSChef is shutting down.

We used the URLs of two well-known universities in Nanjing for testing. The IPs of the two schools were obtained from a Wireshark capture (the DNS answer) taken while the browser opened each school's website, as follows:

Nanjing University: www.nju.edu.cn 202.119.32.7

Nanjing University of Aeronautics and Astronautics: www.nuaa.edu.cn 218.94.136.180

We map the domain name of Nanjing University to the IP of Nanjing University of Aeronautics and Astronautics and configure that as the spoofed record in DNSChef.

The IP after --interface is Kali's IP.

dnschef --fakeip=218.94.136.180 --fakedomains=www.nju.edu.cn --interface 192.168.43.209 -q

Use the browser on the Android phone to open the URLs of the two universities for testing.

Output in the following format is printed, which indicates that the DNS setup works. DNSChef prints every domain name it has processed, which is useful for analysis.

"Proxying the response of ..." indicates that the query was forwarded to the upstream DNS server (8.8.8.8 by default; this is configurable).

"Cooking the response of ..." indicates that a spoofing rule we configured was applied; here our DNS server answered the Nanjing University domain (www.nju.edu.cn) with the IP of Nanjing University of Aeronautics and Astronautics (218.94.136.180).

The observed result: the website of Nanjing University of Aeronautics and Astronautics opens normally, but the website of Nanjing University cannot be opened.

As for why the NUAA site is not displayed when the Nanjing University URL is entered, this may be related to security policies applied by the browser; it is still not clear.
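To analyse what DNSChef reported during a test run like this one, the following Python example (added for this page; it is not part of the original post or of DNSChef) parses the per-query log lines, summarises which names were cooked versus proxied and for which clients, and compares the cooked answers against the real addresses captured with Wireshark above. The sample log lines are constructed: the "(HH:MM:SS) [*]" prefix follows the startup output shown earlier, while the exact layout of the per-query lines (client address, "proxying"/"cooking" wording) is an assumption, so adjust QUERY_RE to the output of your own version.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample DNSChef output (per-query line layout assumed, see lead-in).
SAMPLE_LOG = """\
(21:12:03) [*] DNSChef started on interface: 192.168.43.209
(21:12:03) [*] Using the following nameservers: 8.8.8.8
(21:12:40) [*] 192.168.43.77: proxying the response of type 'A' for www.nuaa.edu.cn
(21:12:41) [*] 192.168.43.77: proxying the response of type 'AAAA' for www.nuaa.edu.cn
(21:12:55) [*] 192.168.43.77: cooking the response of type 'A' for www.nju.edu.cn to 218.94.136.180
(21:12:55) [*] 192.168.43.77: proxying the response of type 'AAAA' for www.nju.edu.cn
(21:13:10) [*] 192.168.43.78: cooking the response of type 'A' for www.nju.edu.cn to 218.94.136.180
"""

# Real A records captured with Wireshark on this page, used as the reference answers.
REAL_ADDRESSES = {
    "www.nju.edu.cn": "202.119.32.7",
    "www.nuaa.edu.cn": "218.94.136.180",
}

# Matches one per-query line; startup lines have no "client: action" part and are skipped.
QUERY_RE = re.compile(
    r"^\((?P<time>\d{2}:\d{2}:\d{2})\) \[\*\] (?P<client>[0-9A-Fa-f.:]+): "
    r"(?P<action>proxying|cooking) the response of type '(?P<qtype>[A-Z]+)' for (?P<qname>\S+)"
    r"(?: to (?P<answer>\S+))?$"
)


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn the per-query lines into dicts with time, client, action, qtype, qname and answer."""
    events = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, Optional[str]]]) -> Dict[str, dict]:
    """Group events into which names were spoofed (and to what), which were proxied, and which clients got spoofed answers."""
    cooked: Dict[str, str] = {}   # "qname/qtype" -> spoofed answer
    proxied: Counter = Counter()  # "qname/qtype" -> number of pass-through answers
    clients: Counter = Counter()  # client address -> number of spoofed answers received
    for e in events:
        key = f"{e['qname']}/{e['qtype']}"
        if e["action"] == "cooking":
            cooked[key] = e["answer"] or ""
            clients[e["client"]] += 1
        else:
            proxied[key] += 1
    return {"cooked": cooked, "proxied": dict(proxied), "spoofed_clients": dict(clients)}


def diff_against_real(cooked: Dict[str, str], real: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {"qname/qtype": (real_answer, spoofed_answer)} for every cooked A record that differs from the reference."""
    out = {}
    for key, spoofed in cooked.items():
        qname, qtype = key.split("/", 1)
        expected = real.get(qname)
        if qtype == "A" and expected is not None and expected != spoofed:
            out[key] = (expected, spoofed)
    return out


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, (real, spoofed) in diff_against_real(summary["cooked"], REAL_ADDRESSES).items():
        print(f"{key}: real {real}, answered {spoofed}")
    print("clients that received spoofed answers:", summary["spoofed_clients"])
```

On the sample log the only mismatch is www.nju.edu.cn/A, answered with 218.94.136.180 instead of the real 202.119.32.7, which is exactly the rule configured above; the AAAA queries for the same name were proxied because no --fakeipv6 was set.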

4. Finally

This article used the DNSChef tool that ships with Kali to perform DNS spoofing, and the tool took effect successfully.

References

The dnschef_dnschef tool of the latest kali does not respond – Vanony’s blog – CSDN blog
