# SPOOFDNS

The `SPOOFDNS` command overrides DNS queries via packet injection, allowing a Packet Squirrel to manipulate DNS responses in `NAT`, `BRIDGE` or `TRANSPARENT` modes.  Hostnames can be matched by plain names or by [regular expression](https://regex101.com/).

{% hint style="info" %}
Regular expressions can be difficult, but powerful.  They allow matching complex patterns in a hostname.  Sites such as <https://regex101.com/> can help explore the power of regular expressions.

`SPOOFDNS` uses the `ECMASCRIPT` regular expression flavor.
{% endhint %}

## Limitations

The `SPOOFDNS` tool is able to manipulate the traditional UDP-based DNS which is still in common use.  It is not able to manipulate DNS-over-HTTPS.

## Options

The `SPOOFDNS` command expects several options:

```
SPOOFDNS [interface] [host1=ip1] ... [hostN=ipN]
```

### Interface

`SPOOFDNS` requires a network interface.  Typically on the Packet Squirrel this is `br-lan`, the virtual interface which connects the Ethernet ports.

### Hosts and IP addresses

`SPOOFDNS` can match any number of hosts.

Hosts can be full hostnames or regular expressions.  `SPOOFDNS` uses the `ECMASCRIPT` regular expression flavor.

An IP address can be either IPv4 or IPv6.  For IPv4 addresses, `SPOOFDNS` will override `A` record queries, and for IPv6 addresses, it will override `AAAA` queries.

`SPOOFDNS` will detect the type of IP address used automatically, and generate the appropriate `A` or `AAAA` response.

When using regular expressions to match hostnames, the pattern should always be enclosed in quotes:

```
SPOOFDNS br-lan '.*.example.com=127.0.0.1'
```

Multiple hostname matches can be provided, and they will be matched in the order listed.

Always put the most general matches at the end!

For example:

```
SPOOFDNS br-lan \
    'logon.example.com=1.2.3.4' \
    'v6.example.com=::1' \
    '.*.example.com=127.0.0.1'
```

This example will resolve `logon.example.com` to the IPv4 address `1.2.3.4`, `v6.example.com` to the IPv6 localhost address `::1`, and all other hosts in `example.com` to the IPv4 localhost address `127.0.0.1`.

## Examples

The `SPOOFDNS` command can be used as part of a payload to redirect or sinkhole DNS queries:

```bash
#!/bin/bash
# Title:        DNS Sinkhole
#
# Description:  Demonstrate sinkholing a DNS domain (hak5.org)

# This payload will intercept any requests for a *.hak5.org domain
# and redirect them to localhost (127.0.0.1 for IPv4 or ::1 for IPv6)

NETMODE BRIDGE

LED R SINGLE

# IPv4 rules answer A queries, IPv6 rules answer AAAA queries, so both families are listed.
# The bare 'hak5.org' rules are needed because '.*.hak5.org' requires at least one
# character before 'hak5' and therefore does not match the apex name on its own.
SPOOFDNS br-lan '.*.hak5.org=127.0.0.1' 'hak5.org=127.0.0.1' '.*.hak5.org=::1' 'hak5.org=::1'
```
