DNSSECChef: DNS/DNSSEC Interception Proxy.
DNSSECChef is a highly configurable DNS and DNSSEC interception proxy for penetration testers and security researchers (based on DNSChef).
macOS & Linux:
Python 2.7.x, plus:
$ pip install IPy
$ pip install dnslib
Setting up a DNS Proxy
It is possible to manually and explicitly configure a DNS proxy for different operating systems, as detailed in the original DNSChef documentation available in the DNSChef.documentation.md file.
Additionally, it is possible to configure a transparent DNS proxy in Linux using the iptables NAT capabilities, with a set of rules such as the following (where eth1 is the network interface connecting to the Internet):
$ sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$ sudo iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
$ sudo iptables -t nat -A PREROUTING -p tcp --destination-port 53 -j REDIRECT --to-port 53
Default usage, DNS proxy with no DNSSEC specific manipulation:
$ sudo ./dnssecchef.py [--file dnssecchef.ini]
Enable DNSSEC flags manipulation in both DNS queries and responses:
$ sudo ./dnssecchef.py --dnssec [--file dnssecchef.ini]
Completely remove support for DNSSEC, forcing plain usage of DNS:
$ sudo ./dnssecchef.py --nodnssec [--file dnssecchef.ini]
For more examples and usage details, including all the capabilities previously available in DNSChef, please refer to the original DNSChef documentation available in the DNSChef.documentation.md file.
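From the defender's side, a path that forces plain DNS (as --nodnssec does) can be noticed by sending a query with the EDNS0 DO bit set for a name known to be signed and inspecting the reply. The following Python 3 parser is an added example, not part of DNSSECChef; the function names and the sample messages (example.test, 192.0.2.1, a zero-filled RRSIG) are constructed for illustration, and it assumes stripping shows up as a missing RRSIG together with a missing DO echo.

```python
import struct

RRSIG, OPT = 46, 41                  # RR type codes (RFC 4034, RFC 6891)
AD_FLAG, DO_FLAG = 0x0020, 0x8000    # header AD bit; DO bit in the OPT "TTL" field

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:    # compression pointer: two bytes, name ends here
            return off + 2
        if length == 0:              # root label terminates the name
            return off + 1
        off += 1 + length

def dnssec_indicators(msg):
    """Summarise the DNSSEC signals present in one DNS response message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    found = {"ad": bool(flags & AD_FLAG), "edns": False, "do": False, "rrsig": 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == RRSIG:
            found["rrsig"] += 1
        elif rtype == OPT:                       # EDNS0 pseudo-record
            found["edns"] = True
            found["do"] = bool(ttl & DO_FLAG)
    return found

def looks_stripped(msg):
    """True when a reply to a DO=1 query for a signed name shows no RRSIG and no DO echo."""
    s = dnssec_indicators(msg)
    return s["rrsig"] == 0 and not s["do"]

# Constructed sample messages (not captured traffic).
def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
def rr(owner, rtype, cls, ttl, rdata):
    return owner + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata
Q = name("example.test") + struct.pack("!HH", 1, 1)
A = rr(b"\xc0\x0c", 1, 1, 300, bytes([192, 0, 2, 1]))
SIG = rr(b"\xc0\x0c", RRSIG, 1, 300, b"\x00" * 24)      # placeholder RDATA
OPT_DO = rr(b"\x00", OPT, 4096, DO_FLAG, b"")
SIGNED = struct.pack("!6H", 1, 0x81A0, 1, 2, 0, 1) + Q + A + SIG + OPT_DO
PLAIN = struct.pack("!6H", 1, 0x8180, 1, 1, 0, 0) + Q + A
```

Comparing the result for the same signed name through the network under test and through a trusted path separates an unsigned zone from a stripped response.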
Example configuration file
See dnssecchef.ini for an example configuration file.
- First public version (released during the X Anniversary at RootedCON 2019).
- Monica Salas and Raul Siles - (c) 2019 DinoSec
Distributed under the BSD-3-Clause license (like the original DNSChef). See LICENSE for more information.