SPOOFDNS
The SPOOFDNS command overrides DNS queries via packet injection, allowing a Packet Squirrel to manipulate DNS resolution in NAT, BRIDGE or TRANSPARENT modes. Because it answers by injecting a forged response rather than by acting as the resolver, it can rewrite answers even in BRIDGE or TRANSPARENT mode, where the Packet Squirrel is not the client's configured DNS server. Hostnames can be matched by plain name or by regular expression.
Regular expressions can be difficult, but they are powerful: they allow matching complex patterns in a hostname. Sites such as https://regex101.com/ can help explore them. SPOOFDNS uses the ECMASCRIPT regular expression flavor, so choose that flavor when testing a pattern there. Remember that an unescaped dot matches any character; write `\.` when a dot is meant as a literal label separator.
Limitations
The SPOOFDNS tool manipulates traditional UDP-based DNS, which is still in common use. It is not able to manipulate DNS-over-HTTPS, whose queries and answers are encrypted inside TLS and cannot be spoofed by injecting a plaintext UDP response. Clients that resolve over DNS-over-HTTPS (for example browsers with secure DNS enabled) will therefore not see the spoofed answers.
Options
The SPOOFDNS command expects several options:
Interface
SPOOFDNS requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.
Hosts and IP addresses
SPOOFDNS can match any number of hosts. Hosts can be full hostnames or regular expressions; SPOOFDNS uses the ECMASCRIPT regular expression flavor.
An IP address can be either IPv4 or IPv6. SPOOFDNS detects the type of address automatically: for an IPv4 address it overrides A record queries and generates an A response, and for an IPv6 address it overrides AAAA queries and generates an AAAA response. An IPv4 rule therefore leaves that host's AAAA queries untouched, so on a dual-stack network a client may still reach the real IPv6 address; if both address families must be redirected, supply a matching rule for each.
When using regular expressions to match hostnames, the match should always be enclosed in quotes so that the payload's shell does not interpret characters such as `*`, `\` and `$` before SPOOFDNS sees them:
Multiple hostname matches can be provided. They are tried in the order listed and the first match wins, so always put the most general matches at the end!
For example:
This example will resolve logon.example.com to the IPv4 address 1.2.3.4, v6.example.com to the IPv6 localhost address ::1, and all other hosts in example.com to the IPv4 localhost address 127.0.0.1.
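The following is an added illustration of the matching rules described above and of what a spoofed UDP answer must contain; it is not the Packet Squirrel's own code and does not use the SPOOFDNS command syntax. It assumes an ordered table of (pattern, address) pairs, that a plain hostname is matched literally and anything else as a regular expression anchored to the whole query name, and that a rule only answers the record type of its own address family (an IPv4 rule answers A queries, an IPv6 rule AAAA queries), so the same host can appear once per family. Python's `re` flavor stands in for ECMAScript, which differs in a few corners. The rule table and the query packets are constructed sample input.

```python
"""SPOOFDNS-style hostname matching and forged DNS answer construction.

Added example, not Packet Squirrel code. Assumptions: rules are tried in
order, first matching name + record type wins; plain names are literal,
other patterns are regular expressions matched against the whole name.
"""
import ipaddress
import re
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
PLAIN_NAME = re.compile(r"[A-Za-z0-9.-]+\Z")   # no regex metacharacters besides '.'

# Constructed rule table mirroring the page's example: most general last.
RULES = [
    ("logon.example.com", "1.2.3.4"),
    ("v6.example.com", "::1"),
    (r".*\.example\.com", "127.0.0.1"),
]


def compile_rules(rules):
    """Turn (pattern, ip) pairs into (regex, address, qtype) triples."""
    compiled = []
    for pattern, ip in rules:
        addr = ipaddress.ip_address(ip)          # ValueError on a bad address
        qtype = QTYPE_A if addr.version == 4 else QTYPE_AAAA
        # A plain hostname is escaped so its dots are literal (assumption);
        # anything else is taken as a regular expression.
        src = re.escape(pattern) if PLAIN_NAME.fullmatch(pattern) else pattern
        compiled.append((re.compile(src, re.IGNORECASE), addr, qtype))
    return compiled


def lookup(compiled, qname, qtype):
    """First rule whose name matches and whose address family fits the query."""
    name = qname.rstrip(".")                     # wire names may carry a trailing dot
    for rx, addr, rule_qtype in compiled:
        if rule_qtype == qtype and rx.fullmatch(name):
            return addr
    return None                                  # stay silent; the real resolver answers


def parse_query(pkt):
    """Decode transaction ID, name, qtype and raw question section of a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed label in question")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def build_query(txid, qname, qtype):
    """Build an uncompressed UDP DNS query (constructed sample input)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + wire + b"\x00" + struct.pack("!HH", qtype, 1))


def spoof(compiled, query_pkt, ttl=60):
    """Return a forged response for a matching query, or None.

    A client only accepts an answer that echoes its transaction ID and its
    question, so both are copied from the query. The answer name is a
    compression pointer (0xC00C) back to the question name at offset 12.
    """
    txid, qname, qtype, question = parse_query(query_pkt)
    addr = lookup(compiled, qname, qtype)
    if addr is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    rdata = addr.packed                                        # 4 or 16 bytes
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    rules = compile_rules(RULES)
    for name, qt in [("logon.example.com", QTYPE_A), ("v6.example.com", QTYPE_AAAA),
                     ("v6.example.com", QTYPE_A), ("example.com", QTYPE_A)]:
        print(name, qt, lookup(rules, name, qt))
```

Note how `v6.example.com` asked for an A record falls through the IPv6 rule and is caught by the general `.*\.example\.com` rule, while bare `example.com` matches nothing because the pattern requires a dot before `example`: that is why the most general pattern belongs last and why a literal dot should be escaped.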
Examples
The SPOOFDNS command can be used as part of a payload to redirect or sinkhole DNS queries: