Re: DNS Manipulation

["Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>]

Hello,

The only identity that can be used is IP address. If the addresses you want
to respond differently to appear the same as IP address that are mainstream
then you are out of luck.

That said, one could use Netfilter to not NAT port 53 traffic, add routes
respectively, and create a view in BIND; however, for only an handful of
systems one would be better off modifying the hosts file.

Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/


> From: Dan Bogda <dan.bogda () kintera com>
> Date: Thu, 2 Nov 2006 21:24:34 -0800
> To: <security-basics () lists securityfocus com>
> Conversation: DNS Manipulation
> Subject: DNS Manipulation
> Resent-From: <security-basics-return-41695 () securityfocus com>
> Resent-Date: Fri,  3 Nov 2006 11:17:27 -0700 (MST)
>
> Guys,
> I have segmented security zones that need to access the same devices,
> but via different NAT addresses. I am looking to manipulate the DNS
> responses from my BIND server and ideally I only want to affect DNS
> responses that contain the handful of addresses I am NAT'ing. I first
> started building this out with multiple views within BIND with a script
> to do conversion from the external to internal view, based on my list of
> NAT'd IPs, but as time progresses this doesn't seem too scalable. I am
> also unable to do the conversion on my firewalls due to the placement of
> the NAT operation.
>
> Ideally, I need a solution I can implement on my DNS server and I can
> control with access-lists or source filtering. I had considered running
> multiple instances of BIND, bound to separate IPs/Ports, but I would
> prefer to find a simpler solution if I can. I thought there was an
> IPTables module I can load to manipulate DNS response data, but I
> haven't been able to find any reference of it yet.
>
> Here's where I need your help:
>
> 1. Does a DNS, binary or other module exist for IPTables to manipulate
> DNS response data?
>
> 2. Has anyone done something similar and would like to share their
> solution?
>
> 3. Does anyone have any other suggestions, approaches I haven't
> considered?
>
>
> Thanks in advance!
> Dan
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------