DNS Honeypot Enterprise Community
The DNS service acts as a DNS proxy: it forwards queries to a real DNS server and logs every query it receives. This makes it useful for detecting reconnaissance, C2 beaconing or any internal host that should not be making DNS lookups.
Configuration
```json
"dns": [
  {
    "port": 53,
    "target_dns": "127.0.0.1"
  }
]
```

Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | (required) | UDP/TCP port |
| target_dns | string | 127.0.0.1 | Upstream resolver that receives proxied queries |
Bind address
Set interface in the global config to a concrete IP (not 0.0.0.0) when a local resolver listens on 127.0.0.1. The module expects target_dns to be reachable from the Trapster host.
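The bind-address rule above can be checked before deployment. The following is an added example, not part of Trapster: `check_dns_service` and `parse_ip` are hypothetical helpers, and the check assumes `interface` and `target_dns` are IP literals, as in the examples on this page.

```python
import ipaddress

DEFAULT_TARGET_DNS = "127.0.0.1"  # default from the Parameters table


def parse_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    if not isinstance(value, str):  # ip_address() would also accept ints
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_dns_service(interface, dns_entries):
    """Return a list of problems found in a parsed "dns" service list.

    interface is the global bind address, passed separately so that no
    layout of the global config file is assumed.
    """
    problems = []
    bind_ip = parse_ip(interface)
    if bind_ip is None:
        problems.append(f"interface {interface!r} is not an IP literal")

    for i, entry in enumerate(dns_entries):
        port = entry.get("port")
        # bool is a subclass of int, so reject true/false explicitly
        if isinstance(port, bool) or not isinstance(port, int):
            problems.append(f"dns[{i}]: port is required and must be an integer")
        elif not 1 <= port <= 65535:
            problems.append(f"dns[{i}]: port {port} is outside 1-65535")

        target = entry.get("target_dns", DEFAULT_TARGET_DNS)
        target_ip = parse_ip(target)
        if target_ip is None:
            problems.append(f"dns[{i}]: target_dns {target!r} is not an IP literal")
        elif target_ip.is_loopback and bind_ip is not None and bind_ip.is_unspecified:
            # The rule from the "Bind address" paragraph
            problems.append(
                f"dns[{i}]: target_dns {target} is loopback while interface is "
                f"{interface}; set interface to a concrete IP"
            )
    return problems
```

An empty list means the entry passes these checks; the omitted `target_dns` case is evaluated with the documented default of 127.0.0.1.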
Forwarding examples
Internal resolver:
```json
"dns": [{ "port": 53, "target_dns": "192.168.1.1" }]
```

Public resolver:

```json
"dns": [{ "port": 53, "target_dns": "8.8.8.8" }]
```

What gets captured
| Event | Fields |
|---|---|
| Query received | Source IP, queried domain name, query type (A, AAAA, MX, etc.) |
The decoded payload includes the queried name, type, and other DNS fields from the internal decoder.
