Skip to content
DNSSECChef: DNS/DNSSEC Interception Proxy
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


DNSSECChef: DNS/DNSSEC Interception Proxy.

DNSSECChef is a highly configurable DNS and DNSSEC interception proxy for penetration testers and security researchers (based on DNSChef).


macOS & Linux:

Python 2.7.x, plus:

pip install IPy
pip install dnslib

DNSSECChef v0.5 requires dnslib v0.9.10+ available at PyPI, bitbucket or GitHub.

Setting up a DNS Proxy

It is possible to manually and explicitly configure a DNS proxy for differente operating systems, as detailed in the original DNSChef documentation available in the file.

Additionally, it is possible to configure a transparent DNS proxy in Linux using the iptables NAT capabilities, using a set of rules such as the following ones (where eth1 is the network interface connecting to the Internet):

$ sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

$ sudo iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
$ sudo iptables -t nat -A PREROUTING -p tcp --destination-port 53 -j REDIRECT --to-port 53

Usage examples

Default usage, DNS proxy with no DNSSEC specific manipulation:

$ sudo ./ [--file dnssecchef.ini]

Enable DNSSEC flags manipulation in both DNS queries and responses:

$ sudo ./ --dnssec [--file dnssecchef.ini]

Completely remove support for DNSSEC, forcing plain usage of DNS:

$ sudo ./ --nodnssec [--file dnssecchef.ini]

For more examples and usage details, including all the capabilities previously available in DNSChef, please refer to the original DNSChef documentation available in the file.

Example configuration file

See dnssecchef.ini for an example configuration file.

Release History

  • 0.5
    • First public version (released during the X Anniversary at RootedCON 2019).


  • Monica Salas and Raul Siles - (c) 2019 DinoSec

DNSSECChef is based on the highly customizable dnschef, version 0.3, by Peter Kacherginsky (iphelix), and it also uses the excellent dnslib library, version 0.9.10+, by Paul Chakravarti.


Distributed under the BSD-3-Clause license (like the original DNSChef). See LICENSE for more information.

You can’t perform that action at this time.