Split DNS when 53/udp is in use

Say that you're doing a pentest/RT with one end of a device connected to a 4G dongle and the other end connected to the target network via ethernet. In such cases you want the box to fetch updates via 4G and use the ethernet only for the security test. Split DNS is a solution. However, sometimes you may already have a process bound to port 53/udp that you don't want to kill (e.g. a C&C server such as CS / MSF). Unfortunately /etc/resolv.conf does not allow you to specify a port on Linux (as far as I'm aware).

The following settings allow you to run dnsmasq on a different port while still having it act as the local resolver.

Dnsmasq step:

## vim /etc/dnsmasq.conf:

# Set the alternative port
port=5353

# Ignore /etc/resolv.conf
no-resolv

# Upstream DNS for normal traffic
server=192.168.1.1

# Upstream DNS to resolve domain names for the security test
server=/clientnetwork.local/10.0.0.1
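To make clear what the two server= lines do, here is a small model of that routing logic, added here as an illustration; it is not code from the original page and not dnsmasq's own code. It parses the question name out of a DNS query in wire format and chooses the upstream by longest matching domain suffix, compared label by label (a plain string suffix match would wrongly send notclientnetwork.local to the test network). The UPSTREAMS table mirrors the config above; that dnsmasq uses longest-suffix matching and that the bare domain itself matches are stated here as assumptions about its behaviour.

```python
"""Toy model of dnsmasq's server=/domain/ip routing (added example).

Parses the QNAME from a DNS query and picks an upstream resolver by
longest-suffix match on DNS labels. Not dnsmasq code."""
import struct

# Routing table mirroring the dnsmasq.conf above.
# None is the default upstream (server=192.168.1.1); a domain key is a
# server=/domain/ip line. Assumption: the longest matching suffix wins.
UPSTREAMS = {
    None: "192.168.1.1",
    "clientnetwork.local": "10.0.0.1",
}


def parse_qname(query: bytes) -> str:
    """Return the first question name of a wire-format DNS query."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", query[4:6])[0]
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels = []
    pos = 12  # question section starts right after the 12-byte header
    while True:
        if pos >= len(query):
            raise ValueError("truncated QNAME")
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are only valid later in a message.
            raise ValueError("compression pointer in question name")
        labels.append(query[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def pick_upstream(qname: str, table=UPSTREAMS) -> str:
    """Longest-suffix match of qname against the table's domain keys.

    Matching is done on whole labels so that notclientnetwork.local does
    not match clientnetwork.local."""
    qlabels = qname.lower().rstrip(".").split(".")
    best_len, best = -1, table[None]
    for domain, server in table.items():
        if domain is None:
            continue
        dlabels = domain.lower().split(".")
        n = len(dlabels)
        if n <= len(qlabels) and qlabels[-n:] == dlabels and n > best_len:
            best_len, best = n, server
    return best


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A/IN query in wire format (constructed demo input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def route(query: bytes) -> tuple:
    """Return (question name, upstream resolver) for a raw query."""
    name = parse_qname(query)
    return name, pick_upstream(name)


if __name__ == "__main__":
    for host in ("deb.debian.org", "dc01.clientnetwork.local",
                 "clientnetwork.local", "notclientnetwork.local"):
        print(route(build_query(host)))
```

Queries for clientnetwork.local and anything under it resolve to 10.0.0.1; everything else, including names that merely end in the same characters, goes to 192.168.1.1, which is the behaviour the two server= lines above are meant to produce.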

Local DNS resolver step:

## vim /etc/resolv.conf:

# Dummy nameserver (a reserved TEST-NET-1 documentation address). It is never actually queried;
# the iptables rule below redirects traffic for it to the local dnsmasq.
nameserver 192.0.2.3

Iptables step:

# Redirect the DNS queries towards the dummy server
# to go to the local dnsmasq instead
iptables -t nat -I OUTPUT --dst 192.0.2.3 \
-p udp --dport 53 -j DNAT --to 127.0.0.1:5353