Split DNS when 53/udp is in use

Say that you’re doing a pentest/RT with one end of a device connected to a 4G dongle and the other end connected to the target network via ethernet. In such cases you want the box to fetch updates via 4G and only use the ethernet for the security test. Split DNS tunneling is a solution. However, sometimes you may already have a process bound to port 53/udp that you don’t want to kill (e.g. a C&C server such as CS / MSF). Unfortunately /etc/resolv.conf does not allow you to specify a port on Linux (as far as I’m aware).

The following settings allow you to run dnsmasq on a different port but still work for a local resolver.

Dnsmasq step:

```conf
## vim /etc/dnsmasq.conf:

# Set the alternative port

# Ignore /etc/resolv.conf

# Upstream DNS for normal traffic

# Upstream DNS to resolve domain names for the security test
```

Local DNS resolver step:

```conf
## vim /etc/resolv.conf:

# Dummy nameserver. Will not be actually queried
```

Iptables step:

```sh
# Redirect the DNS queries towards the dummy server
# to go to the local dnsmasq instead
iptables -t nat -I OUTPUT --dst \
-p udp --dport 53 -j DNAT --to
```
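The three steps above, rendered by a small script (an added example, not part of the original post). Every value at the top is an assumption for illustration: the alternative port, the dummy nameserver address, the upstream resolver for 4G traffic, and the engagement domain with its DNS server.

```sh
#!/bin/sh
# Added example: renders the dnsmasq config, the resolv.conf line and
# the nat/OUTPUT DNAT rule from the post. All values below are
# assumptions; adjust them to your own setup.
ALT_PORT=5353               # dnsmasq listens here, leaving 53/udp alone
DUMMY_NS=127.0.0.53         # placeholder written to /etc/resolv.conf
UPSTREAM=1.1.1.1            # resolver for normal traffic over 4G
TEST_DOMAIN=target.example  # domain resolved via the engagement's DNS
TEST_DNS=10.0.0.2           # DNS server reachable over the ethernet leg

# dnsmasq.conf fragment: alternative port, ignore /etc/resolv.conf,
# default upstream, and a per-domain upstream for the test scope.
render_dnsmasq_conf() {
  printf 'port=%s\nno-resolv\nserver=%s\nserver=/%s/%s\n' \
    "$1" "$2" "$3" "$4"
}

# resolv.conf line pointing at the dummy nameserver.
render_resolv_conf() {
  printf 'nameserver %s\n' "$1"
}

# nat/OUTPUT rule: queries sent to the dummy nameserver on 53/udp are
# rewritten to dnsmasq on loopback at the alternative port.
render_redirect_rule() {
  printf 'iptables -t nat -I OUTPUT --dst %s -p udp --dport 53 -j DNAT --to 127.0.0.1:%s\n' \
    "$1" "$2"
}

# Writes the files and inserts the rule. Only runs with --apply, as root.
apply() {
  render_dnsmasq_conf "$ALT_PORT" "$UPSTREAM" "$TEST_DOMAIN" "$TEST_DNS" \
    >> /etc/dnsmasq.conf
  render_resolv_conf "$DUMMY_NS" > /etc/resolv.conf
  eval "$(render_redirect_rule "$DUMMY_NS" "$ALT_PORT")"
}

if [ "${1:-}" = "--apply" ]; then
  apply
else
  # Dry run: show what would be written and executed.
  render_dnsmasq_conf "$ALT_PORT" "$UPSTREAM" "$TEST_DOMAIN" "$TEST_DNS"
  render_resolv_conf "$DUMMY_NS"
  render_redirect_rule "$DUMMY_NS" "$ALT_PORT"
fi
```

Without `--apply` the script only prints the rendered settings, so you can review them before touching a live box.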