DNS Honeypot Enterprise Community

The DNS service acts as a DNS proxy: it forwards queries to a real DNS server and logs every query it receives. This makes it useful for detecting reconnaissance, C2 beaconing or any internal host that should not be making DNS lookups.

Configuration

```json
"dns": [
  {
    "port": 53,
    "target_dns": "127.0.0.1"
  }
]
```

Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | (required) | UDP/TCP port |
| target_dns | string | 127.0.0.1 | Upstream resolver that receives proxied queries |

Bind address

Set interface in the global config to a concrete IP (not 0.0.0.0) when a local resolver listens on 127.0.0.1. A wildcard bind would include the loopback address that the resolver is already using. The module expects target_dns to be reachable from the Trapster host.

Forwarding examples

Internal resolver:

```json
"dns": [{ "port": 53, "target_dns": "192.168.1.1" }]
```

Public resolver:

```json
"dns": [{ "port": 53, "target_dns": "8.8.8.8" }]
```

What gets captured

| Event | Fields |
|---|---|
| Query received | Source IP, queried domain name, query type (A, AAAA, MX, etc.) |

The decoded payload includes the queried name, type, and other DNS fields from the internal decoder.
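To show where the captured fields come from on the wire, the following added example (not Trapster's internal decoder) parses the header and first question of a DNS query as defined in RFC 1035 and rejects malformed input. The names decode_query and build_query, the sample source IP and the sample domain are assumptions made for this illustration.

```python
import struct

# Subset of DNS type codes; any other value is reported as TYPE<n>.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def decode_query(payload: bytes, src_ip: str) -> dict:
    """Decode the header and first question of a DNS query datagram (hypothetical helper)."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("QNAME runs past end of packet")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # labels are at most 63 bytes; top bits mean pointer/reserved
            raise ValueError("compression pointer or reserved label type in question")
        if pos + length > len(payload):
            raise ValueError("label runs past end of packet")
        # Non-ASCII bytes are escaped so they cannot be mistaken for text in a log
        labels.append(payload[pos:pos + length].decode("ascii", "backslashreplace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"src_ip": src_ip, "id": txid, "qname": ".".join(labels) or ".",
            "qtype": QTYPES.get(qtype, f"TYPE{qtype}"), "qclass": qclass}

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive query for one name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    # Constructed sample: an internal host asking for an AAAA record
    print(decode_query(build_query("intranet.example.com", 28), "10.0.0.23"))
```

Truncated or malformed datagrams raise ValueError instead of producing a partial record, so a caller can log them as a separate event.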