How To: DNS spoofing with a simple DNS server using Dnsmasq

The Domain Name System (DNS) is one of the fundamental services of the Internet. By resolving domain names to IP addresses, it makes routing of IP packets possible and thereby lets browsers and other clients connect to remote servers using all kinds of protocols. By blindly connecting to the IP address returned by the DNS server, however, users put a lot of trust into DNS, because by default, DNS responses are not validated or verified.
In this blog post, I’d like to demonstrate how to easily set up a DNS server that allows you to easily forge certain entries manually — thereby allowing you to either block certain domains from your network or to pretend that you are a certain website. This scenario is commonly referred to as DNS forgery or DNS spoofing.


1. Why forge DNS entries?

DNS is responsible for managing the Internet’s namespace of domains by translating domain names into IP addresses. Even though it sounds like a very simple task, this translation carries a great responsibility because it is an essential step to make communication between most machines even possible. Before a machine can connect to another machine and start the actual communication, a DNS request must resolve the name of the destination machine. In short, before you can connect to “”, you first need to know its IP address.
And because machines blindly connect to the IP address returned by the DNS server, being able to forge specific (or all) of its entries means that the client connects to a different server – i.e. the connection is rerouted to a destination of your choice.

There are multiple reasons for wanting to reroute traffic. The two most prominent ones are to block access to a site or service, or to eavesdrop the connection using a man-in-the-middle attack (MITM).

  • Blocking sites: Especially in the last couple of years, many governments all over the world have used DNS forgery/spoofing to block access to various kind of Internet content (e.g. social networks, political/religious content, pornography, piracy sites, etc.). And although blocking on DNS-level is pointless (using a different DNS server circumvents the blockage), it’s very easy to implement (as shown in this post) and is hence often used.
  • Eavesdropping the connection (MITM): Rerouting all IP packets to a certain machine makes it possible to eavesdrop on the connection by listening local network interface. Using tools like Wireshark, mitmproxy (see mitmproxy tutorial here) or SSLsplit (see SSLsplit tutorial here), this can be done without much effort — for both plain text protocols (HTTP, SMTP, etc.) as well as SSL-based requests (HTTPS, etc.).


2. Forge DNS entries with Dnsmasq

The scenario described in this tutorial uses the very tiny DNS server Dnsmasq to forge DNS entries. In short, the following steps will show you how to set up Dnsmasq and configure it to forward all DNS requests to Google’s DNS server — except the ones that you’d like to forge.
Once Dnsmasq is installed and running, clients must be told to use this DNS server to resolve IP addresses. This can be done by changing the router configuration or the network settings of the operating system or mobile device.

2.1. Download and install Dnsmasq

On some systems, Dnsmasq is already installed and running by default as a local DNS server (for caching puposes). If not, you first need to download and install Dnsmasq. You can do that in Ubuntu/Debian using apt-get like this.

2.2. Configure Dnsmasq

Dnsmasq stores it’s configuration in /etc/dnsmasq.conf and reads the file on startup. By default, the file does not exist and Dnsmasq simply uses the default settings when run.
The first step is to create or modify this file and add the following lines:

These four config lines tell Dnsmasq to use Google’s DNS server (with IP address as upstream server if a request cannot be answered and lookup local DNS entries in /etc/dnsmasq.hosts instead of the normal location at /etc/hosts. The first line tells Dnsmasq to not start a DHCP interface, because it’s simply not necessary for this example.

2.3. Add forged DNS entries

The above config file tells Dnsmasq to look in /etc/dnsmasq.hosts to check for all entries it is (or feels) responsible for. By default, this file does not exist and needs to be created:

The format of the file is very simple and identical to the /etc/hosts file: Each line contains an IP address and (separated by spaces or tabs) one or many corresponding domains. Any request to “www.any.domain”, for instance, would be resolved to “″.

2.4. Test and run server

Having created the two config files from above, Dnsmasq can now be run or restarted. The easiest way is to simply kill it, and then restart it. For test purposes, the options --no-daemon (debug mode, don’t fork to background) and --log-queries (log requests to STDOUT) are probably the best options:

To locally test that Dnsmasq returns the correct, i.e. the forged, result, you can either use the host utility or dig. Here is an example with dig.

The example above tells dig to use as DNS server (the machine on which Dnsmasq is running) and only return a short response (+short option, no comments) for the domain “”, and “” in the second call.
As desired, Dnsmasq returns the IP address for “”, even though the real domain points to (at least at the time of writing). The IP addresses for “”, however, are real and come from the upstream DNS server specified in the Dnsmasq config (

The Dnsmasq STDOUT output resembles exactly that (see above). The first request is found locally in /etc/dnsmasq.hosts, but the second request is forwarded to the upstream server.
Once you are sure that your DNS server works, you can start it without any command line options (simply dnsmasq), and it will run in the background, answering DNS queries to any machine that asks.

2.5. Change router/client DNS server

For your local network clients (such as your phone or laptop) to use the DNS server, however, you can either change each individual device’s network settings, or simply adjust your local router’s settings.

3. Possible usages

DNS spoofing can be used in many possible ways — unfortunately none of them can be used for anything good. The following two of sections explain the two most common usages.

3.1. Phishing/malicious websites

DNS spoofing can be easily used to create phishing sites or any other kind of malicious websites. Especially for purely HTTP-based websites (not HTTPS, see below), a browser will not know the difference between the real site and the site delivered by any other web server.
All that needs to be done is to set up a web server on the machine with the IP address that answers to the target hostname. So, continuing the example from above, if the target hostname was “” and the forged DNS entry returned “″, the machine with this IP address needs to set up a virtual host to answer HTTP request for “”. For the Apache web server, a virtual host configuration would look something like this:

If a browser client now goes to “”, the DNS response will say “″ and the browser will connect to that IP address, asking for “” in the HTTP request:

And because the Apache configuration is set up to answer to that virtual host, the web site and scripts residing in “/srv/www/fakebook/public_html” will be delivered to the client. The Apache access log will say something like this:

And for the client, it will look something like this:

This scenario obviously only works for HTTP and assumes that the DNS server with the spoofed entries is used. For HTTPS requests or any other SSL-based protocols, this method will not work, because the web server cannot deliver a valid CA-signed certificate to the client which will lead to a certificate error in the browser. To break HTTPS so that the client does not realize it, a man-in-the middle attack is necessary (see below, or my post about how to sniff into HTTPS connections).

3.2. Blocking content / Internet censorship

Another possible usage of DNS spoofing is the blocking/filtering/censoring of content for Internet users. From a technical perspective, the setup for DNS-based content filtering is exactly the same as for the phishing sites (see above), however, the intention is very different: While phishing/malicious sites typically try to trick to user by delivering a very similar site to the one expected, the strategy of DNS blocking aims to prevent users from accessing certain content, such as piracy sites, pornography or religious/political sites.

About four years ago (2009 – 2011), Germany almost passed a law would have forced ISPs to use DNS blocking to prevent users from accessing child pornography sites. The image above shows the “stop” sign that users would have seen when trying to access such a site. In December 2011, the law was ultimately repealed.

DNS blocking is typically used in large corporations or countries. And although it is very easy to circumvent by using a different DNS server, it is widely popular due to its easy setup.

3.3. Man-in-the-middle attacks

Being able to steer user communication in your directions makes it possible to listen in on the connections by using tools such as Wireshark (many protocols) or tcpdump for unencrypted connections, and mitmproxy (HTTPS only) or sslplit (any SSL/TCP) for encrypted connections.
Depending on what tool it is, it might be possible to either just monitor traffic on a specific network interface, or even alter requests and responses on the fly. If you’re interested, check out my tutorial on how to use mitmproxy to read and modify HTTPS traffic.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s