Security Basics mailing list archives
RE: DNS Manipulation via IPTables or other means?
From: "Paul Ryland" <paul () transversal com>
Date: Thu, 23 Nov 2006 12:13:21 -0000
> Honestly, I have worked with iptables in really complex environments for many years, and I have never heard of manipulating DNS records on the fly. I don't even think you can do this with string matching, since string matching lets you check for a string, not manipulate it. I really wonder why views aren't scalable; maybe there is another solution. I always draw my stuff out on paper (yes, REAL paper :)) and visualize it that way, then find an easier solution by looking at the picture. Views in BIND are meant for this kind of thing: different access control from different IPs gives you different results. Would you mind sharing some more info? Maybe the number of views you are handling, etc. Maybe someone comes up with a more streamlined idea?
Consider this example: your company wants to provide access to a partner company over an IPSec VPN connection. The servers at both companies are on the same 192.168.1.0/24 network. Your company also wants to forward DNS requests to your partner company's DNS server for lookups involving their internal DNS domain. There are several points worth noting about this setup:

i) NAT will have to be used to prevent the two internal networks colliding.
ii) Your partner company's DNS server will be returning addresses on your own network, not on the remote NAT'ed network.
iii) You might not be able to request views on your partner company's DNS server.
iv) It is not a scalable and maintainable solution to provide spoofed zones for your partner company's DNS zones.

An ideal solution (as provided by the PIX) is to manipulate the DNS responses from your partner company's DNS server. I've never even bothered trying to set up a deployment with these issues using IPTables --- any pointers as to how to do this with IPTables would be greatly appreciated.

Paul
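The "manipulate the DNS responses" step that the PIX performs, as an added Python example that is not code from the thread or from any of its participants: it walks a DNS response in wire format and rewrites every IN A record whose address falls in the partner's real 192.168.1.0/24 range to the matching host in the range the VPN NATs it to. The NAT prefix 10.200.1.0/24, the host name and the sample response are assumptions constructed for the example.

```python
import ipaddress
import struct

# Constructed addressing for the scenario in the thread: the partner's real servers
# sit in 192.168.1.0/24 (colliding with our own LAN) and the VPN NATs them 1:1
# to 10.200.1.0/24. The NAT prefix is an assumption, not from the original post.
PARTNER_REAL = ipaddress.ip_network("192.168.1.0/24")
PARTNER_NAT = ipaddress.ip_network("10.200.1.0/24")

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _a_rdata_offsets(msg):
    """Yield the offset of the 4-byte rdata of every IN A record in a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    off = 12  # fixed-size header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(msg):
    """List the A-record addresses carried by a message, as strings."""
    return [str(ipaddress.ip_address(msg[o:o + 4])) for o in _a_rdata_offsets(msg)]

def doctor_response(msg):
    """Rewrite A rdata from the partner's real range to its NAT range; length is unchanged."""
    out = bytearray(msg)
    for off in _a_rdata_offsets(msg):
        addr = ipaddress.ip_address(msg[off:off + 4])
        if addr in PARTNER_REAL:
            host = int(addr) - int(PARTNER_REAL.network_address)
            out[off:off + 4] = ipaddress.ip_address(int(PARTNER_NAT.network_address) + host).packed
    return bytes(out)

def build_a_response(name, addr, ttl=300):
    """Build a minimal one-answer DNS response (constructed test input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # response, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.ip_address(addr).packed
    return header + question + answer
```

Because A rdata is always 4 bytes the rewritten message keeps its length, but anything that carries it over the VPN still has to recompute the UDP checksum, and this trick cannot work once the partner's zone is DNSSEC-signed, since the rewritten rdata no longer matches the RRSIG.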