Description

Mandiant ApateDNS is a tool for controlling DNS responses though an easy to use GUI. As a phony DNS server, Mandiant ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. Mandiant ApateDNS also automatically sets the local DNS to localhost. Upon exiting the tool, it sets back the original local DNS settings.

Installation

• Prerequisite: .Net framework ≥2
• Link: http://www.mandiant.com/assets/ApateDNS.zip
• Supported Operating Systems:
  • Windows 2000
  • Windows 2003
  • Windows XP
  • Windows 2008
  • Windows Vista
  • Windows 7 (32-bit and 64-bit)

Usage

1. Use the DNS Reply IP field to either use the loopback address (127.0.0.1) or another DNS server.
2. Click on the Start Server button
3. The capture window on top will show DNS requests
4. You can switch to the DNS Hex View tab to view the DNS request as hex, which might be convenient to analyze non-compliant DNS requests
5. Click on the Stop Server button to stop the server.

You can track non-existing domains using the # of NXDOMAIN's field. It can be convenient to list still active domains in case of malware relying on multiple C&C's.