[ale] Duplicate DNS?

Fletch fletch at phydeaux.org
Fri Nov 17 21:02:35 EST 2000


>>>>> "Robert" == Robert L Harris <Robert.L.Harris at rnd-consulting.com> writes:

    Robert> I have a fun DNS one for someone.  Can you have DNS give a
    Robert> different answer depending on source IP/Net?  For my
    Robert> internal net, all my boxes have a 192.68.0 address.  A
    Robert> couple boxes have eth0:1 type aliases and are on the 'net.
    Robert> I'd like any dns lookups from inside to give the 192
    Robert> address and the outside to get the actual address, but not
    Robert> the 192 address.  I don't want to set up 2 different pairs
    Robert> of DNS servers for my 6 boxes.


        One possibility might be to run two copies of bind on two
different ports (other than the real DNS port 53) and then use
ipchains to redirect traffic on port 53 to the corresponding port for
that side.  Something along the lines of (assuming inside named is
listening on port 1053, outside on 1054, and you've got a kernel
compiled to allow REDIRECT to work):  


ipchains --new named
ipchains --append input --proto udp --dport 53 --jump named
ipchains --append input --proto tcp --dport 53 --jump named

ipchains --append named --proto udp --source 192.68.0/24 --dport 53 \
        --jump REDIRECT 1053
ipchains --append named --proto udp --source 0/0 --dport 53 \
        --jump REDIRECT 1054
ipchains --append named --proto tcp --source 192.68.0/24 --dport 53 \
        --jump REDIRECT 1053
ipchains --append named --proto tcp --source 0/0 --dport 53 \
        --jump REDIRECT 1054


        Adding rules so that outside traffic can't get to 1053 is left 
as an exercise for the truly paranoid reader.


-- 
Fletch                | "If you find my answers frightening,       __`'/|
fletch at phydeaux.org   |  Vincent, you should cease askin'          \ o.O'
770 933-0600 x211(w)  |  scary questions." -- Jules                =(___)=
                      |                                               U
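As an added example (not from Fletch's post or the ALE list), the redirect scheme above wrapped in a shell function together with the guard rules left to the "truly paranoid reader"; the net 192.68.0/24 and ports 1053/1054 are the thread's values, the ipchains options are the ones the post uses, and IPCHAINS is an assumed helper variable so the rule set can be dry-run with echo.

```sh
#!/bin/sh
# Added example, not from the original post: Fletch's port-redirect split
# DNS plus the guard rules he leaves as an exercise. ipchains syntax is the
# post's; IPCHAINS (assumed helper variable) may be set to "echo" to dry-run.
IPCHAINS=${IPCHAINS:-ipchains}

# split_dns_rules INSIDE_NET INSIDE_PORT OUTSIDE_PORT
# Port-53 queries from INSIDE_NET reach the named on INSIDE_PORT, everyone
# else reaches the one on OUTSIDE_PORT, and nobody may talk to either real
# listening port directly.
split_dns_rules() {
    inside_net=$1
    inside_port=$2
    outside_port=$3

    # Guard rules first. REDIRECT does not rewrite the packet: a query sent
    # to port 53 still carries dport 53 when the input chain sees it, so
    # denying dport INSIDE_PORT/OUTSIDE_PORT only stops clients that aim at
    # the alternate ports directly and would otherwise bypass the redirect.
    for proto in udp tcp; do
        for port in "$inside_port" "$outside_port"; do
            $IPCHAINS --append input --proto "$proto" --dport "$port" --jump DENY
        done
    done

    # The named chain from the post: inside net first, 0/0 catch-all last.
    $IPCHAINS --new named
    for proto in udp tcp; do
        $IPCHAINS --append input --proto "$proto" --dport 53 --jump named
        $IPCHAINS --append named --proto "$proto" --source "$inside_net" \
            --dport 53 --jump REDIRECT "$inside_port"
        $IPCHAINS --append named --proto "$proto" --source 0/0 \
            --dport 53 --jump REDIRECT "$outside_port"
    done
}

# Dry-run helpers: the rule list as text (subshell keeps IPCHAINS=echo
# from leaking into the caller), and how many rules it contains.
dry_run() {
    ( IPCHAINS=echo; split_dns_rules "$@" )
}
rule_count() {
    dry_run "$@" | wc -l | tr -d ' '
}
```

Loopback traffic traverses the input chain too, so a resolver on the box itself pointed at 127.0.0.1 is redirected to the outside named (127.0.0.1 is not in the inside net) unless an explicit rule for lo is added ahead of the jump.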