Spinning local DNS server sourcing responses over HTTPS to combat Man-in-the-middle attack





  • It is close to impossible to use any port other than Port 53 to fetch DNS seamlessly across macOS, Windows, Android or iOS.
  • The DNS protocol does not have any mechanism to avoid being tampered.
  • This makes it very easy for any ISP, intermediary party or hacker to give wrong DNS values. We will be able to tell apart false IPs on HTTPS, but we are totally helpless while getting the correct IPs or safeguarding the services that do not implement SSL.
  • The solution lies by querying the DNS inside our own network, where we are sure of not being MitM'd.

To approach the above, we will be running a DNS Server on our system, and sourcing the replies not by the conventional way of upstreaming it via port 53, but by fetching the DNS information via HTTPS using Google's DNS APIs.

In the attached repo, I have implemented a simple DNS Server written using Twisted. It is based on a Twisted DNSServerFactory, using a custom DNS resolver, which is fetching the DNS by querying dns.google.com over HTTPS, fetching the JSON response, and further translating it to a DNS response to be used locally.


  • Purpose of DNS
  • Familiarity with dig
  • How basic Man in the Middle attack works, and how cryptographic systems beat it
  • What is DNSSEC

Speaker Info:

Arnav is currently working as a Developer at hedgehog lab, Hyderabad. He completed his bachelors from VIT University, Vellore. Having spent half a decade behind the computer screen, he often gives valuable insight into Web Architecture, Network Infrastructure & Security and Hardware. When he is unable to find the most elegant and practical way to approach a solution, he is often found reading and outputting chunks of python code. He also takes out time and enjoys mentoring peers on good coding etiquettes. Rest of the time he is deeply devoted leading his DotA team.

Section: Network Programming
Type: Talks
Target Audience: Intermediate
Last Updated: