Category: Sniffing & Spoofing
Tags: dns, proxy, spoofing, penetration-testing, malware-analysis

DNSChef

DNSChef is a highly configurable DNS proxy for penetration testers and malware analysts. It allows faking DNS responses to redirect traffic to local machines for analysis and interception.

Description

DNSChef is a DNS proxy (aka 'Fake DNS') used for application network traffic analysis and other penetration testing purposes. It enables testers to spoof DNS responses, such as redirecting requests for specific domains like 'badguy.com' to a local machine instead of real Internet hosts. This facilitates traffic interception, termination, and detailed examination of network behavior.

The tool is particularly valuable for penetration testers and malware analysts who need fine-grained control over DNS replies. Users can configure which domains receive fake responses and which are proxied to real DNS servers. To use DNSChef, the target environment's DNS settings must point at the DNSChef instance, either by manual configuration or by poisoning; DNSChef itself needs root privileges to bind the privileged port 53.

DNSChef supports both IPv4 and IPv6 spoofing, custom nameservers, and logging capabilities, making it versatile for various testing scenarios.

How It Works

DNSChef operates as a DNS proxy that listens on a specified interface (default 127.0.0.1) and intercepts DNS queries. It matches queries against the configured fake domains and answers them with spoofed records, such as a custom IPv4 address (--fakeip) or IPv6 address (--fakeipv6). Unmatched queries are proxied to the specified nameservers (default 8.8.8.8) for legitimate resolution. The tool requires root privileges to bind port 53 and supports parameters for domain-specific spoofing, exemptions that keep listed domains resolving to their true values (--truedomains), and activity logging.

Installation

    sudo apt install dnschef

Flags

-h, --help
    Show this help message and exit.

--fakedomains thesprawl.org,google.com
    A comma separated list of domain names which will be resolved to FAKE values specified in the above parameters. All other domain names will be resolved to their true values.

--truedomains thesprawl.org,google.com
    A comma separated list of domain names which will be resolved to their TRUE values. All other domain names will be resolved to the fake values specified in the above parameters.

--fakeip 192.0.2.1
    IP address to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'A' queries will be spoofed. Consider using the --file argument if you need to define more than one IP address.

--fakeipv6 2001:db8::1
    IPv6 address to use for matching DNS queries. If you use this parameter without specifying domain names, then all 'AAAA' queries will be spoofed. Consider using the --file argument if you need to define more than one IPv6 address.

--logfile FILE
    Specify a log file to record all activity.

--nameservers 8.8.8.8#53 or 4.2.2.1#53#tcp or 2001:4860:4860::8888
    A comma separated list of alternative DNS servers to use with proxied requests. Nameservers can have either IP or IP#PORT format. A randomly selected server from the list will be used for proxy requests when provided with multiple servers. By default, the tool uses Google's public DNS server 8.8.8.8 when running in IPv4 mode and 2001:4860:4860::8888 when running in IPv6 mode.
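The routing rules described under "How It Works" and in the flag descriptions above (fake domains, true domains, a bare --fakeip or --fakeipv6, and the IP, IP#PORT and IP#PORT#tcp nameserver forms) are small enough to model exactly. The following is an added illustration written for this page, not DNSChef's own code: an analyst checking a lab's DNSChef invocation, or predicting which names a sandboxed sample will be steered to and which will reach the real Internet, can run a planned configuration through it. The domain-matching rule (case-insensitive, trailing dot ignored, listed names also covering their subdomains) and the precedence of --fakedomains over --truedomains when both are given are assumptions of this model; the real tool's matching semantics should be read from its source.

```python
"""Model of the query-routing decision DNSChef's documentation describes.

Added illustration for the page above; not DNSChef's own code. Matching
and precedence rules marked 'assumption' are choices made for this model.
"""
from dataclasses import dataclass, field
import ipaddress
import random
from typing import Optional


@dataclass
class Nameserver:
    host: str
    port: int = 53
    proto: str = "udp"


def parse_nameserver(spec: str) -> Nameserver:
    """Parse the IP, IP#PORT and IP#PORT#tcp forms listed under --nameservers.

    '#' is the separator because IPv6 literals themselves contain ':'.
    """
    parts = spec.split("#")
    host = parts[0]
    ipaddress.ip_address(host)  # raises ValueError if the host is not an IP literal
    port = int(parts[1]) if len(parts) > 1 and parts[1] else 53
    proto = parts[2].lower() if len(parts) > 2 else "udp"
    if proto not in ("udp", "tcp"):
        raise ValueError(f"unknown transport {proto!r} in {spec!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {spec!r}")
    return Nameserver(host, port, proto)


@dataclass
class ChefConfig:
    fakeip: Optional[str] = None          # --fakeip, answers 'A' queries
    fakeipv6: Optional[str] = None        # --fakeipv6, answers 'AAAA' queries
    fakedomains: list = field(default_factory=list)  # --fakedomains
    truedomains: list = field(default_factory=list)  # --truedomains
    # Default proxy target named on the page.
    nameservers: list = field(default_factory=lambda: [parse_nameserver("8.8.8.8")])
    match_subdomains: bool = True  # assumption: a listed name also covers its subdomains


def _listed(qname: str, domains: list, include_sub: bool) -> bool:
    q = qname.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if q == d or (include_sub and q.endswith("." + d)):
            return True
    return False


def fake_value_for(qtype: str, cfg: ChefConfig) -> Optional[str]:
    """The configured spoof value for this record type, if any."""
    return {"A": cfg.fakeip, "AAAA": cfg.fakeipv6}.get(qtype.upper())


def route_query(qname: str, qtype: str, cfg: ChefConfig, rng=random):
    """Return ('fake', address) or ('proxy', Nameserver) for one query."""
    value = fake_value_for(qtype, cfg)
    spoof = False
    if value is not None:                       # no fake value => nothing to spoof
        if cfg.fakedomains:                     # assumption: --fakedomains wins if both given
            spoof = _listed(qname, cfg.fakedomains, cfg.match_subdomains)
        elif cfg.truedomains:                   # listed names true, everything else fake
            spoof = not _listed(qname, cfg.truedomains, cfg.match_subdomains)
        else:                                   # bare --fakeip/--fakeipv6: every query of that type
            spoof = True
    if spoof:
        return ("fake", value)
    return ("proxy", rng.choice(cfg.nameservers))  # random pick, as the flag text states


if __name__ == "__main__":
    # Constructed lab configuration mirroring the page's flag examples.
    cfg = ChefConfig(fakeip="192.0.2.1", fakedomains=["thesprawl.org", "google.com"],
                     nameservers=[parse_nameserver("8.8.8.8"), parse_nameserver("4.2.2.1#53#tcp")])
    for name, qtype in [("www.google.com", "A"), ("google.com", "AAAA"), ("example.org", "A")]:
        print(name, qtype, "->", route_query(name, qtype, cfg))
```

Running the block prints the decision for each constructed query; the AAAA lookup is proxied even for a listed fake domain because no --fakeipv6 value is set, which is the kind of gap a lab operator wants to notice before a sample's IPv6 traffic leaves the sandbox.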

Examples

Starts DNSChef on interface 127.0.0.1 using nameserver 8.8.8.8 in full proxy mode, with no parameters specified:
    dnschef

Displays the help message and usage information for DNSChef:
    dnschef -h

Spoofs DNS responses for the specified fake domains to the custom IP values while proxying all others to real nameservers:
    dnschef --fakedomains thesprawl.org,google.com

Resolves the specified domains to their true values while potentially spoofing all others:
    dnschef --truedomains thesprawl.org,google.com

Spoofs all 'A' record queries to the specified IP address 192.0.2.1:
    dnschef --fakeip 192.0.2.1

Spoofs IPv6 'AAAA' record queries to the specified IPv6 address:
    dnschef --fakeipv6 2001:db8::1

Uses the specified alternative DNS servers for proxied requests, randomly selecting from the list:
    dnschef --nameservers 8.8.8.8,4.2.2.1

Runs DNSChef and records all activity to the specified log file:
    dnschef --logfile /var/log/dnschef.log
Updated 2026-04-16. Source: kali.org