DNS spoofing


Unlike LLMNR, NBT-NS or mDNS, DNS is not multicast or broadcast. To answer DNS requests, an attacker first needs to receive them. This can be achieved with ARP spoofing or DHCPv6 spoofing, for instance. DNS spoofing essentially consists of setting up a DNS server and answering the DNS queries obtained through a man-in-the-middle technique.


Responder's (Python) DNS server feature can be used to answer DNS queries.
responder --interface "eth0"
responder -I "eth0"
dnschef (Python) can be used as a DNS server.
dnschef --fakeip 'Pentest_IP_Address' --interface 'Pentest_IP_Address' --port 53 --logfile dnschef.log
In order to spoof DNS requests, bettercap (Go) can be used. This tool can also be used for the first step of ARP spoofing or DHCPv6 spoofing.
set dns.spoof.domains $DOMAIN_FQDN
set dns.spoof.all true
dns.spoof on


dns.spoof :: bettercap
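On the detection side, a spoofing server configured as above (a single fake IP, or spoofing of all domains) answers many unrelated names with the same on-LAN address. The following is an added example, not code from the original page or from any of the tools mentioned. It flags that pattern in resolver answer logs; the record layout, the sample data and the threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (client, queried name, A record returned)
SAMPLE_ANSWERS = [
    ("10.0.0.21", "intranet.corp.example", "10.0.0.5"),
    ("10.0.0.21", "www.example.org", "93.184.216.34"),
    ("10.0.0.34", "mail.example.net", "10.0.0.66"),
    ("10.0.0.34", "updates.example.com", "10.0.0.66"),
    ("10.0.0.34", "wpad.corp.example", "10.0.0.66"),
    ("10.0.0.34", "www.example.org", "10.0.0.66"),
]

def registrable(name):
    """Crude grouping key: last two labels (assumption; no public-suffix list)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def find_catch_all_answers(answers, min_domains=3):
    """Return {ip: sorted names} for private IPs answering for
    at least min_domains unrelated domains."""
    names_by_ip = defaultdict(set)
    for _client, qname, addr in answers:
        names_by_ip[addr].add(qname.lower())
    suspects = {}
    for addr, names in names_by_ip.items():
        if not ipaddress.ip_address(addr).is_private:
            continue  # shared hosting puts many names on one public IP
        if len({registrable(n) for n in names}) >= min_domains:
            suspects[addr] = sorted(names)
    return suspects

def find_conflicts(answers):
    """Names that resolved to different addresses for different clients."""
    addrs_by_name = defaultdict(set)
    for _client, qname, addr in answers:
        addrs_by_name[qname.lower()].add(addr)
    return {n: sorted(a) for n, a in addrs_by_name.items() if len(a) > 1}

if __name__ == "__main__":
    for ip, names in find_catch_all_answers(SAMPLE_ANSWERS).items():
        print(f"catch-all answer {ip}: {', '.join(names)}")
    for name, addrs in find_conflicts(SAMPLE_ANSWERS).items():
        print(f"conflicting answers for {name}: {', '.join(addrs)}")
```

A hit on either check is a reason to inspect the affected client's ARP table and DHCPv6-assigned DNS servers, since the spoofed answers depend on one of those man-in-the-middle steps.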