Re: DNS Manipulation via IPTables or other means?



You might use the BIND view functionality

http://www.zytrax.com/books/dns/ch7/view.html

Arthur Fonzarelli wrote:
Hmm. Not sure about iptables. In what way is BIND not scalable --
have you tried djbdns? It has a similar feature that allows for
wildcarding and catchalls -- it's also much more secure than BIND.

On 11/6/06, Dan Bogda <dan.bogda@xxxxxxxxxxx> wrote:
Guys,
Sorry to cross post, but I'm looking to see if an IPTables solution
exists for NATing DNS responses? I thought I could alter DNS responses
with IPTables, but I can't find any reference to this. Does this
functionality exist natively or via a plug in module? Otherwise, does
anyone have any other suggestions?

I have details of the problem below. I am looking for a network based
solution so that the hosts don't need to be updated. I only need to
update a handful of IP addresses and would like to focus there. I am
currently running multiple views inside of BIND to provide an internal
and external copy of each zone file, however this is not scalable.

Thanks,
Dan


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Dan Bogda
Sent: Thursday, November 02, 2006 9:25 PM
To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx
Subject: DNS Manipulation

Guys,
I have segmented security zones that need to access the same devices,
but via different NAT addresses. I am looking to manipulate the DNS
responses from my BIND server and ideally I only want to affect DNS
responses that contain the handful of addresses I am NAT'ing. I first
started building this out with multiple views within BIND with a script
to do conversion from the external to internal view, based on my list of
NAT'd IPs, but as time progresses this doesn't seem too scalable. I am
also unable to do the conversion on my firewalls due to the placement of
the NAT operation.

Ideally, I need a solution I can implement on my DNS server and I can
control with access-lists or source filtering. I had considered running
multiple instances of BIND, bound to separate IPs/Ports, but I would
prefer to find a simpler solution if I can. I thought there was an
IPTables module I can load to manipulate DNS response data, but I
haven't been able to find any reference of it yet.

Here's where I need your help:

1. Does a DNS, binary or other module exist for IPTables to manipulate
DNS response data?

2. Has anyone done something similar and would like to share their
solution?

3. Does anyone have any other suggestions, approaches I haven't
considered?


Thanks in advance!
Dan


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
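The BIND view approach the reply at the top of this thread points to, written out as an added example (this is not configuration from the thread or from the linked zytrax page): two views of the same zone, selected by the client's source address, so hosts on the internal segment get internal addresses and everyone else gets the NAT'd ones. The ACL name "internal", the 10.0.0.0/8 and 192.168.0.0/16 ranges, the zone "example.com" and the file paths are assumed placeholders.

```conf
// Added example of split-horizon DNS with BIND views; not from the thread.
// Names, prefixes, zone and file paths below are assumptions for illustration.

// Address-match list used to pick a view. Views are tried in the order they
// appear in the file and the first one whose match-clients list matches the
// querying address wins, so the specific view must precede the catch-all.
acl "internal" {
    10.0.0.0/8;
    192.168.0.0/16;
    localhost;
};

options {
    directory "/var/named";
    // Recursion off globally; it is re-enabled only for internal clients.
    recursion no;
    allow-query { any; };
};

// Once any view is defined, every zone (including hints and localhost
// zones) must live inside a view; a bare top-level zone is an error.

// View served to the internal segment: records carry the addresses that
// are reachable from that side of the NAT.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };

    zone "example.com" {
        type master;
        file "internal/db.example.com";   // A records with internal addresses
    };
};

// Catch-all view for all other sources: same zone name, different file,
// containing the NAT'd (externally reachable) addresses. Only the handful
// of NAT'd records need to differ between the two files.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/db.example.com";   // A records with NAT'd addresses
    };
};
```

Two checks worth doing after a change like this: run `named-checkconf` on the file, then query the same name with `dig @<server> example.com A` from a host in each segment and confirm the answers differ as intended; if the internal view were listed after the catch-all, internal clients would silently receive the external answers. Because the split is decided on the query's source address, it is only as strong as the anti-spoofing between the segments. BIND views also accept `match-destinations`, which selects the view by the server address the query arrived on; that covers the "separate IPs" idea from the original question without running multiple named instances.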