How To: DNS spoofing with a simple DNS server using Dnsmasq
Philipp C. Heckel (https://blog.heckel.xyz/), Jul 18 / 2013
Tags: DNS, Dnsmasq, Security. Categories: Administration, Linux, Security.
In this blog post, I'd like to demonstrate how to set up a small DNS server whose answers you control, so that you can either block certain domains on your network or pretend to be a certain website. This scenario is commonly referred to as DNS forgery or DNS spoofing (https://en.wikipedia.org/wiki/DNS_spoofing).
Contents
1. Why forge DNS entries?
2. Forge DNS entries with Dnsmasq
2.1. Download and install Dnsmasq
2.2. Configure Dnsmasq
2.3. Add forged DNS entries
2.4. Test and run server
2.5. Change router/client DNS server
3. Possible usages
3.1. Phishing/malicious websites
3.2. Blocking content / Internet censorship
3.3. Man-in-the-middle attacks
1. Why forge DNS entries?
DNS manages the Internet's namespace of domains by translating domain names into IP addresses. Even though it sounds like a very simple task, this translation carries a great responsibility, because almost every connection depends on it: before a machine can connect to another machine and start the actual communication, a DNS lookup must resolve the name of the destination machine. In short, before you can connect to "example.com", you first need to know its IP address.
And because clients connect to whatever IP address the DNS server returns, without any further verification, being able to forge specific (or all) entries means that the client connects to a different server, i.e. the connection is rerouted to a destination of your choice.
There are multiple reasons for wanting to reroute traffic. The two most prominent ones are to block access to a site or service, or to eavesdrop on the connection using a man-in-the-middle attack (https://en.wikipedia.org/wiki/Man-in-the-middle_attack) (MITM).
Blocking sites: Especially in the last couple of years, many governments all over the world have used DNS forgery/spoofing to block access to various kinds of Internet content (e.g. social networks, political/religious content, pornography, piracy sites). And although blocking on the DNS level is trivial to circumvent (using a different DNS server, or the IP address directly, bypasses the block), it's very easy to implement (as shown in this post) and is hence often used.
Eavesdropping on the connection (MITM): Rerouting the client's connections to a machine you control makes it possible to eavesdrop on them by listening on that machine's network interface. Using tools like Wireshark (https://www.wireshark.org/), mitmproxy (http://mitmproxy.org/) (see mitmproxy tutorial here (/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/)) or SSLsplit (http://www.roe.ch/SSLsplit) (see SSLsplit tutorial here (/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/)), this can be done without much effort for plain-text protocols (HTTP, SMTP, etc.). For SSL/TLS-based requests (HTTPS, etc.) it only works if the client trusts the certificate the interception proxy presents, e.g. because the proxy's CA certificate was installed on the device (as in the mitmproxy tutorial) or because the client does not validate certificates at all; otherwise the client sees a certificate error and the interception is visible.
2. Forge DNS entries with Dnsmasq
The scenario described in this tutorial uses the lightweight DNS server Dnsmasq (http://www.thekelleys.org.uk/dnsmasq/doc.html) to forge DNS entries. In short, the following steps show how to set up Dnsmasq and configure it to forward all DNS requests to Google's public DNS server, except the ones that you'd like to forge.
Once Dnsmasq is installed and running, clients must be told to use it as their DNS server. This can be done by changing the router configuration or the network settings of the operating system or mobile device.
2.1. Download and install Dnsmasq
On some systems, Dnsmasq is already installed and running by default as a local DNS server (for caching purposes). If not, you first need to download and install Dnsmasq. On Ubuntu/Debian you can do that using apt-get like this:
Shell
apt-get install dnsmasq-base
The dnsmasq-base package contains only the binary, which is all this tutorial needs, since Dnsmasq is started by hand below. The dnsmasq package additionally installs a system service and a commented /etc/dnsmasq.conf; if you installed that one, stop the service before starting your own instance, otherwise port 53 is already taken.
2.2. Configure Dnsmasq
Dnsmasq reads its configuration from /etc/dnsmasq.conf on startup. By default (with dnsmasq-base) the file does not exist, and Dnsmasq simply runs with its default settings.
The first step is to create or modify this file and add the following lines:
Create /etc/dnsmasq.conf with the following contents
no-dhcp-interface=
server=8.8.8.8

no-hosts
addn-hosts=/etc/dnsmasq.hosts
These four config lines tell Dnsmasq to use Google's public DNS server (IP address 8.8.8.8) as upstream server for every request it cannot answer itself, and to look up local entries in /etc/dnsmasq.hosts instead of the usual /etc/hosts. The first line tells Dnsmasq not to serve DHCP; strictly speaking it is not needed here, because Dnsmasq only starts its DHCP server when a dhcp-range is configured, but it documents the intent.
Two settings are worth adding for a server whose only job is to forge answers. no-resolv, because by default Dnsmasq also picks up the upstream servers listed in /etc/resolv.conf, so without it some queries may bypass the server you chose. And interface= or listen-address=, because by default Dnsmasq answers queries on every interface, which turns an Internet-facing machine into an open resolver.
2.3. Add forged DNS entries
The above config file tells Dnsmasq to look in /etc/dnsmasq.hosts for all entries it is (or feels) responsible for. By default, this file does not exist and needs to be created:
Create /etc/dnsmasq.hosts and add forged entries
192.168.1.99 www.facebook.com
192.168.1.98 www.microsoft.com microsoft.com
192.168.1.97 www.any.domain any.domain
The format of the file is very simple and identical to the /etc/hosts file: each line contains an IP address and (separated by spaces or tabs) one or more corresponding host names. Any request for "www.any.domain", for instance, would be resolved to "192.168.1.97". Note that hosts-file entries match exact names only: with the lines above, "facebook.com" and "m.facebook.com" are still forwarded upstream and resolve to the real addresses. To forge a domain together with all of its subdomains, use Dnsmasq's address option in /etc/dnsmasq.conf instead, e.g. address=/facebook.com/192.168.1.99.
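To make the two-file setup concrete, here is a small Python model of the decision Dnsmasq makes for every query: answer from the hosts table if the name is listed, otherwise forward to the upstream server. This is an added example, not code from the original post and not Dnsmasq's own code; it hand-builds a subset of the DNS wire format (UDP, A records, one question per message) and, unlike a real resolver, keeps no cache. The sample hosts text is constructed, and the choice to answer NODATA for non-A queries of listed names (so that an IPv6-capable client cannot slip past the forgery via an AAAA lookup) is the example's own design, not something the post prescribes.

```python
"""Model of what Dnsmasq does with the two files above: answer A queries for
listed names with the forged address, forward everything else upstream.
Added example (not Dnsmasq code); hand-written subset of RFC 1035."""
import socket
import struct

# Constructed sample in the /etc/dnsmasq.hosts format used in the post.
SAMPLE_HOSTS = """\
192.168.1.99  www.facebook.com
192.168.1.98  www.microsoft.com microsoft.com   # comment, ignored
192.168.1.97  www.any.domain any.domain
"""

def parse_hosts(text):
    """hosts(5)-style text -> {lowercase name: ip}; later lines win, as in /etc/hosts."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower().rstrip(".")] = fields[0]
    return table

def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, offset):
    """Return (name, offset just after it); follows 0xC0xx compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, qtype=1, txid=0x1234):
    """A client query: header (RD set, one question) + question section."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def parse_query(data):
    txid = struct.unpack("!H", data[:2])[0]
    name, end = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[end:end + 4])
    return txid, name, qtype, qclass

def forged_answer(query, table, ttl=60):
    """Response bytes for a listed name, or None if the query must be forwarded."""
    txid, name, qtype, qclass = parse_query(query)
    ip = table.get(name.lower())
    if ip is None:
        return None
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    if (qtype, qclass) != (1, 1):
        # Listed name but not an IN A query (e.g. AAAA): answer NODATA instead
        # of forwarding, so an IPv6-capable client cannot reach the real host.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # Flags 0x8180: response, recursion desired + available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the question name at offset 12, type A, class IN.
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def forward(query, upstream="8.8.8.8", timeout=2.0):
    """Relay an unanswered query upstream over UDP, as server= makes Dnsmasq do."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (upstream, 53))
        return sock.recvfrom(4096)[0]

def canned_upstream(real_table):
    """Offline stand-in for forward(): answers from a table of 'real' addresses."""
    return lambda query: forged_answer(query, real_table)

def answer_ips(response):
    """A-record addresses in a response, i.e. what the client would connect to."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    offset, ips = 12, []
    for _ in range(qdcount):
        offset = decode_name(response, offset)[1] + 4
    for _ in range(ancount):
        offset = decode_name(response, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return ips

def resolve(name, table, qtype=1, forward_fn=forward):
    """The Dnsmasq decision for one lookup: local table first, upstream otherwise."""
    query = build_query(name, qtype)
    response = forged_answer(query, table) or forward_fn(query)
    return answer_ips(response)

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(resolve("www.facebook.com", hosts))   # forged, no network needed
    print(resolve("www.google.com", hosts))     # really forwarded to 8.8.8.8
```

Run as a script, the first lookup is answered locally and the second really goes to 8.8.8.8; canned_upstream() swaps the network out for a table so the same logic can be exercised offline.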
2.4. Test and run server
Having created the two config files from above, Dnsmasq can now be started or restarted. The easiest way is to simply kill any running instance and then start it again by hand (as root, since it has to bind port 53). For test purposes, the options --no-daemon (debug mode, don't fork to the background) and --log-queries (log every request and answer to STDOUT) are the best choice; dnsmasq --test checks the config files for syntax errors without starting the server:
Shell
killall -9 dnsmasq
dnsmasq --no-daemon --log-queries
To locally test that Dnsmasq returns the correct, i.e. the forged, result, you can use either the host utility or dig. Here is an example with dig:
Shell
$ dig @192.168.178.28 +short www.facebook.com
192.168.1.99

$ dig @192.168.178.28 +short www.google.com
173.194.70.99
173.194.70.105
173.194.70.147
173.194.70.106
173.194.70.103
173.194.70.104
The example above tells dig to use 192.168.178.28 as DNS server (the machine on which Dnsmasq is running) and to return only a short response (+short option, no comments) for the domain "www.facebook.com", and "www.google.com" in the second call.
As desired, Dnsmasq returns the IP address 192.168.1.99 for "www.facebook.com", even though the real domain points to 31.13.81.33 (at least at the time of writing). The IP addresses for "www.google.com", however, are real and come from the upstream DNS server specified in the Dnsmasq config (8.8.8.8).
Shell
$ dnsmasq --no-daemon --log-queries
dnsmasq: started, version 2.63rc6 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/dnsmasq.hosts - 1 addresses
dnsmasq: query[A] www.facebook.com from 192.168.178.20
dnsmasq: /etc/dnsmasq.hosts www.facebook.com is 192.168.1.99
dnsmasq: query[A] www.google.com from 192.168.178.20
dnsmasq: forwarded www.google.com to 8.8.8.8
dnsmasq: reply www.google.com is 173.194.70.99
dnsmasq: reply www.google.com is 173.194.70.105
dnsmasq: reply www.google.com is 173.194.70.147
dnsmasq: reply www.google.com is 173.194.70.106
dnsmasq: reply www.google.com is 173.194.70.103
dnsmasq: reply www.google.com is 173.194.70.104
...
Meanwhile, Dnsmasq's STDOUT shows the matching log (see above): the first request is answered from /etc/dnsmasq.hosts, whereas the second request is forwarded to the upstream server and every address in the reply is logged.
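The --log-queries output is also the quickest way to audit what a Dnsmasq instance is doing, whether it is yours or one you found on a network. The following Python script, an added example that is not part of the original post, parses that log format (with or without the syslog prefix Dnsmasq uses when it runs as a daemon) and reports, per name, which clients asked, where the answer came from and which addresses were handed out; names answered from an addn-hosts file or an address= line are the forged ones. The log lines are constructed from the format shown above, including a cached answer and an address= config line that the run in the post did not produce.

```python
"""Audit a Dnsmasq --log-queries log: per name, who asked, where the answer
came from (addn-hosts file, address= line, cache, upstream) and what was
handed out. Added example, not part of the original post."""
import re

# Constructed sample: the post's format, with and without the syslog prefix.
SAMPLE_LOG = """\
dnsmasq: query[A] www.facebook.com from 192.168.178.20
dnsmasq: /etc/dnsmasq.hosts www.facebook.com is 192.168.1.99
dnsmasq: query[A] www.google.com from 192.168.178.20
dnsmasq: forwarded www.google.com to 8.8.8.8
dnsmasq: reply www.google.com is 173.194.70.99
dnsmasq: reply www.google.com is 173.194.70.105
Jul 18 20:53:12 gw dnsmasq[612]: query[A] www.google.com from 192.168.178.21
Jul 18 20:53:12 gw dnsmasq[612]: cached www.google.com is 173.194.70.99
Jul 18 20:53:13 gw dnsmasq[612]: query[A] ads.example.net from 192.168.178.21
Jul 18 20:53:13 gw dnsmasq[612]: config ads.example.net is 0.0.0.0
"""

MSG = re.compile(r"dnsmasq(?:\[\d+\])?: (?P<msg>.*)$")
QUERY = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARDED = re.compile(r"forwarded (?P<name>\S+) to (?P<server>\S+)")
# Source is "reply" (upstream), "cached", "config" (address=) or a hosts-file path.
ANSWER = re.compile(r"(?P<src>reply|cached|config|/\S+) (?P<name>\S+) is (?P<value>\S+)")

LOCAL_SOURCES = ("hosts file", "config")   # answers Dnsmasq made up itself

def _entry(names, name):
    return names.setdefault(name, {"source": None, "answers": [], "clients": set()})

def summarize(log_text):
    """Log text -> {name: {"source": str|None, "answers": [...], "clients": {...}}}."""
    names = {}
    for raw in log_text.splitlines():
        m = MSG.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        if q := QUERY.fullmatch(msg):
            _entry(names, q["name"])["clients"].add(q["client"])
        elif f := FORWARDED.fullmatch(msg):
            _entry(names, f["name"])["source"] = "upstream " + f["server"]
        elif a := ANSWER.fullmatch(msg):
            entry = _entry(names, a["name"])
            if a["src"] == "config":
                entry["source"] = "config (address=)"
            elif a["src"].startswith("/"):
                entry["source"] = "hosts file " + a["src"]
            elif a["src"] == "cached" and entry["source"] is None:
                entry["source"] = "cache"
            # "reply" lines keep the "upstream ..." source set by "forwarded".
            if a["value"] not in entry["answers"]:
                entry["answers"].append(a["value"])
    return names

def forged_names(summary):
    """Names whose answers did not come from an upstream server (or its cache)."""
    return sorted(n for n, e in summary.items()
                  if e["source"] and e["source"].startswith(LOCAL_SOURCES))

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, e in summary.items():
        print(f"{name:20} {str(e['source']):32} {', '.join(e['answers'])}")
    print("forged:", forged_names(summary))
```

Feed it the daemon's syslog output (or the STDOUT of a --no-daemon run) and compare forged_names() against what you expect the server to override; anything else in that list is a name the instance is lying about.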
Once you are sure that your DNS server works, you can start it without any command line options (simply dnsmasq), and it will fork to the background and answer DNS queries from any machine that asks, on every interface it listens on.
2.5. Change router/client DNS server
For your local network clients (such as your phone or laptop) to use the DNS server, you can either change each individual device's network settings, or simply adjust the DNS server your local router hands out via DHCP, so that every client picks it up automatically.
3. Possible usages
DNS spoofing can be used in many possible ways, and unfortunately none of them can be used for anything good. The following sections explain the most common usages.
3.1. Phishing/malicious websites
All that needs to be done is to set up a web server on the machine with the forged IP address that answers to the target host name. Continuing the example from above, if the target host name is "www.facebook.com" and the forged DNS entry returns "192.168.1.99", the machine with this IP address needs a virtual host that answers HTTP requests for "www.facebook.com". For the Apache web server (https://httpd.apache.org/), a virtual host configuration (http://httpd.apache.org/docs/current/vhosts/examples.html) would look something like this:
<VirtualHost *:80>
DocumentRoot "/srv/www/fakebook/public_html"
ServerName www.facebook.com
...
</VirtualHost>
If a browser now goes to "www.facebook.com", the DNS response will say "192.168.1.99", and the browser will connect to that IP address, asking for "www.facebook.com" in the Host header of the HTTP request:
GET / HTTP/1.1
Host: www.facebook.com
...
Because the Apache configuration has a virtual host for that name, the web site and scripts residing in "/srv/www/fakebook/public_html" are delivered to the client. The Apache access log will show something like this:
www.facebook.com:80 192.168.178.20 - - [21/Jul/2013:20:53:12 +0200]
"GET / HTTP/1.1" 200 315 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/27.0.1453.93 Safari/537.36"
This works as described for plain HTTP. If the user types or follows an https:// link instead, the browser connects to port 443 and expects a certificate valid for www.facebook.com; without one issued by a CA the victim's browser trusts, it shows a certificate error instead of the fake page.
3.2. Blocking content / Internet censorship
Another possible usage of DNS spoofing is the blocking/filtering/censoring of content for Internet users. From a technical perspective, the setup for DNS-based content filtering is exactly the same as for phishing sites (see above): the blocked names resolve to an address that serves a block page, or to an unreachable address. The intention, however, is very different: while phishing/malicious sites typically try to trick the user by delivering a site that looks very similar to the one expected, DNS blocking aims to prevent users from accessing certain content, such as piracy sites, pornography or religious/political sites.
[Image: stopschild.jpg, the "Stopp" sign German ISPs would have shown for blocked sites]
Example: About four years ago (2009 – 2011), Germany passed a law that would have forced ISPs to use DNS blocking to prevent users from accessing child pornography sites. The image above shows the "stop" sign that users would have seen when trying to access such a site. The law was never applied in practice and was ultimately repealed in December 2011.
DNS blocking is typically used in large corporations or by entire countries. And although it is very easy to circumvent by using a different DNS server, it is widely popular due to its easy setup.
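For the blocking use case, the hosts-file approach from section 2 is awkward, because each entry matches one exact name. Dnsmasq's address=/domain/ip option matches the domain and all of its subdomains, so a blocklist is usually expressed that way. The Python script below, an added example that is not from the original post, turns a raw domain list into such config lines: it rejects lines that are not valid host names (a stray URL or a line with spaces would be a config error), lowercases, and drops entries already covered by a listed parent domain. The sample list is constructed; the 0.0.0.0 sink address is a common convention, not something the post prescribes (127.0.0.1, as one commenter uses, works the same way).

```python
"""Generate Dnsmasq address=/<domain>/<ip> blocklist lines from a raw domain
list. Added example, not from the original post; relies only on Dnsmasq's
documented address= option, which also matches every subdomain."""
import re

# Constructed sample input: one domain per line, comments and junk included.
SAMPLE_BLOCKLIST = """\
# ad and tracking hosts (constructed)
ads.example.net
tracker.ads.example.net   # already covered by ads.example.net
Bad.Example
not a domain
http://example.org/path
example.org
"""

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"        # one DNS label
DOMAIN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")       # at least two labels

def normalise(raw):
    """Return a lowercase domain, or None if the line is not a usable name."""
    name = raw.split("#", 1)[0].strip().lower().rstrip(".")
    if not name or not DOMAIN.fullmatch(name):          # rejects URLs, spaces, bad labels
        return None
    return name

def minimal_cover(domains):
    """Drop any domain whose parent is also listed: address=/example.org/
    already catches www.example.org, so the child entry is redundant."""
    chosen = set()
    for name in sorted(domains, key=lambda d: d.count(".")):   # parents first
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & chosen:
            chosen.add(name)
    return sorted(chosen)

def blocklist_config(text, sink="0.0.0.0"):
    """Blocklist text -> list of Dnsmasq config lines (sink address is an assumption)."""
    names = {n for n in map(normalise, text.splitlines()) if n}
    return [f"address=/{d}/{sink}" for d in minimal_cover(names)]

if __name__ == "__main__":
    print("\n".join(blocklist_config(SAMPLE_BLOCKLIST)))
```

Put the output in /etc/dnsmasq.conf (or a file pulled in with conf-dir=), check it with dnsmasq --test and restart Dnsmasq; a query for any blocked name or one of its subdomains then returns the sink address instead of being forwarded.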
3.3. Man-in-the-middle attacks
Being able to steer user traffic to a machine you control makes it possible to listen in on the connections, using tools such as Wireshark (http://www.wireshark.org/) (many protocols) or tcpdump (http://www.tcpdump.org/) for unencrypted connections, and mitmproxy (http://mitmproxy.org/) (HTTPS only) or SSLsplit (http://www.roe.ch/SSLsplit) (any SSL/TLS over TCP) for encrypted connections.
Depending on the tool, it is possible either to just monitor traffic on a specific network interface, or to alter requests and responses on the fly. For encrypted connections this again requires that the client trusts the certificate the proxy presents, typically by installing the proxy's CA certificate on the device; DNS spoofing alone does not defeat TLS certificate validation. If you're interested, check out my tutorial on how to use mitmproxy to read and modify HTTPS traffic (http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/).
10 COMMENTS

Another benign usage is to redirect LAN clients to internal services (that also have an external name that would resolve to an external IP that might not be reachable from inside the network due to router/NAT issues, or that it would be inefficient to send out to the router only to turn it back to your servers) or to also resolve internal names only available in your Intranet or VPN (maybe if you have your AD tree as a subdomain of a public DNS).

What a superb and well written article! In recent weeks I have spent hours researching how to make a raspberrypi wireless server that will direct any and all user traffic to the index page of my website hosted on the raspberrypi.
While I have not yet fully achieved my goal I am very close and reading your article taught me more about dnsmasq in 20 mins than from the hours of reading other articles.
Written in a very concise yet easy to follow style your article is a pleasure to read.
Many thanks for posting.
Regards,
Des.

For this to actually be “malicious” you need to pose your DNS server as another DNS server, which the victim uses. Else this is just child's play. Another way of making positive use of this, which I'm working on, is to set up dnsmasq on a DD-WRT gateway router to actually block a list of phishing/malware domains by sending them to 127.0.0.1.

I have one question regarding dnsmasq. When I use dnsmasq for blocking all websites and allow a few, it just blocks my local network also. So no network browsing. So please help me with this.

I'd like to argue against “DNS spoofing can be used in many possible ways — unfortunately none of them can be used for anything good.” I'm using your technique on my DNSmasq system to intercept the multiple requests my iOS devices make on the Apple ntp server, re-directing them all to my own ntp server (a GPS-kitted Raspberry Pi). Saves bandwidth, less offset, less jitter – all good :-)