I want to DNS spoof my own phone, because I feel like it would be a cool experiment to do. It's not working (damn phone keeps connecting to the internet), and I would really appreciate any suggestions or ideas on how to make it work. I can also work with new tools, if you think that would be better! I also tried making my own router (https://github.com/koenbuyens/kalirouter), but for some reason the DHCP isn't responding to any requests, so I gave that up. If you think I have a better chance at performing DNS spoofing with this, I'll give it another shot and start another post.
Experimental Setup:
I have Kali running natively on my computer, and my phone is connected to the wifi hotspot that is deployed on Kali.
About the Linux local DNS cache: I checked, and there's no NSCD installed on Kali, thus I don't think it actually stores any local DNS cache; but I don't know how else to check.
In this experiment, I'm using two different tools: bettercap and dnsspoof.
Using Bettercap:
What I did, in interactive mode:
set dns.spoof.all true
dns.spoof on
I find a website that I've never accessed with my phone before (thus hoping that the website's IP address isn't cached) and type the URL into my phone.
Bettercap would show:
[09:55:31][sys.log][inf][dns] Sending spoofed DNS reply for www.example.org (->12.34.5.78) to ab.cd.ef.12.34.56
But my phone would still be able to connect to www.example.org.
Is bettercap just too slow at responding to the DNS requests?
Using dnsspoof:
What I did:
Created a file, dnsspoof.hosts, that includes a list of domains and the addresses I want them linked to, e.g.:
127.0.0.1 mail*
127.0.0.1 www*
127.0.0.1 http*
127.0.0.1 https*
127.0.0.1 www.securex.com*
127.0.0.1 bugs.debian.org*
Executed command (the interface is given with -i; the original post had it as -wlan0, which dnsspoof does not accept):
dnsspoof -i wlan0 -f dnsspoof.hosts
What happened:
I did this a couple of times, each time adding a new website (unaccessed by my phone) to the dnsspoof.hosts file. Sometimes, DNS spoofing would work, and an error page would show up when I tried to access that domain name with my phone. Other times, my phone would be directed straight to the correct IP address and the page would load. If I restart dnsspoof, the website that was DNS-spoofed would be accessible again (which is why I had to keep adding new websites).
I suspect that some websites are stored in a DNS server that's further away in the hierarchy, which is why bettercap is faster in delivering the DNS translation, thus DNS-spoofing. Which would mean that there are some DNS servers that are closer that are responding faster. Which is still weird, because shouldn't bettercap be the fastest at responding to these DNS requests?
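The behaviour described in the post (sometimes the spoofed reply wins, sometimes the legitimate one does) is a race: whichever response for a given transaction ID reaches the client first is the one it uses, and the other is dropped. From a defender's side, that race leaves a footprint: two responses with the same transaction ID and question name that disagree about the answer. The following is an added example, not code from the post or from bettercap/dnsspoof. It builds a few constructed DNS response packets inline (the 192.0.2.x addresses and the transaction IDs are made up for the demo), parses them with a minimal hand-written DNS parser, and flags the conflicting pair. On a real network the packets would come from a capture of UDP port 53 on the hotspot interface instead of the constructed list.

```python
"""Flag conflicting DNS answers for the same query, a symptom of a spoofing race.

Added example, not part of the original post. Packets in SAMPLE are constructed
for the demo; in practice they would be DNS responses captured on the wireless
interface (UDP port 53).
"""
import struct
from collections import defaultdict


def build_response(txid, name, addrs):
    """Construct a minimal DNS response for an A query (demo data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answers += bytes(int(o) for o in a.split("."))
    return header + question + answers


def read_name(pkt, off):
    """Read a DNS name starting at off, following compression pointers."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, 14-bit offset
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            name, _ = read_name(pkt, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length


def parse_response(pkt):
    """Return (txid, question name, sorted list of A-record addresses)."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = read_name(pkt, off)
    off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, qname, sorted(addrs)


def find_conflicts(packets):
    """Return (txid, qname, earlier answers, conflicting answer) for each
    response that disagrees with an earlier response to the same query."""
    seen = defaultdict(set)
    conflicts = []
    for pkt in packets:
        txid, qname, addrs = parse_response(pkt)
        key = (txid, qname)
        answer = tuple(addrs)
        if seen[key] and answer not in seen[key]:
            conflicts.append((txid, qname, sorted(seen[key]), answer))
        seen[key].add(answer)
    return conflicts


# Constructed sample: one legitimate/spoofed pair and one harmless duplicate.
SAMPLE = [
    build_response(0x1234, "www.example.org", ["192.0.2.10"]),  # first reply seen
    build_response(0x1234, "www.example.org", ["192.0.2.99"]),  # same txid, different answer
    build_response(0x5678, "example.net", ["192.0.2.20"]),
    build_response(0x5678, "example.net", ["192.0.2.20"]),      # retransmit, same answer
]

if __name__ == "__main__":
    for txid, qname, earlier, later in find_conflicts(SAMPLE):
        print(f"conflict txid=0x{txid:04x} {qname}: {earlier} vs {later}")
```

The detector keys on (transaction ID, question name) and only alerts when the answer set changes, so ordinary retransmits with identical data stay quiet. Whichever of the two conflicting replies arrived first is the one the phone acted on, which is exactly why the post sees inconsistent results between attempts.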