Guys,
Sorry to cross post, but I'm looking to see if an IPTables solution
exists for NATing DNS responses? I thought I could alter DNS responses
with IPTables, but I can't find any reference to this. Does this
functionality exist natively or via a plug in module? Otherwise, does
anyone have any other suggestions?
I have details of the problem below. I am looking for a network based
solution so that the hosts don't need to be updated. I only need to
update a handful of IP addresses and would like to focus there. I am
currently running multiple views inside of BIND to provide an internal
and external copy of each zone file, however this is not scalable.
Thanks,
Dan
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Dan Bogda
Sent: Thursday, November 02, 2006 9:25 PM
To: security-basics@lists.securityfocus.com
Subject: DNS Manipulation
Guys,
I have segmented security zones that need to access the same devices,
but via different NAT addresses. I am looking to manipulate the DNS
responses from my BIND server and ideally I only want to affect DNS
responses that contain the handful of addresses I am NAT'ing. I first
started building this out with multiple views within BIND with a script
to do conversion from the external to internal view, based on my list of
NAT'd IPs, but as time progresses this doesn't seem too scalable. I am
also unable to do the conversion on my firewalls due to the placement of
the NAT operation.
Ideally, I need a solution I can implement on my DNS server and I can
control with access-lists or source filtering. I had considered running
multiple instances of BIND, bound to separate IPs/Ports, but I would
prefer to find a simpler solution if I can. I thought there was an
IPTables module I can load to manipulate DNS response data, but I
haven't been able to find any reference of it yet.
Here's where I need your help:
1. Does a DNS, binary or other module exist for IPTables to manipulate
DNS response data?
2. Has anyone done something similar and would like to share their
solution?
3. Does anyone have any other suggestions, approaches I haven't
considered?
Thanks in advance!
Dan
------------------------------------------------------------------------
---
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
