Re: [maybe OT] IP/UDP/DNS packet manipulation question

2004-02-08 Thread Tony Frank
Hi there,

On Sat, Feb 07, 2004 at 01:46:46PM -0500, Louis LeBlanc wrote:
> That is to say it will accept DNS requests from local agents, filter
> out IPV6 request packets, and forward IPV4 requests to our backend DNS
> server in a way that the backend server will believe it has received
> them directly from the local server and send the response directly
> back to the local DNS agent, not the filter/forwarder.
>
> As I understand things, this will mean rewriting the outgoing IP
> header, UDP header (TCP support is not needed), so that they each
> contain the address of the local agent as the sender IP, and leaving
> the DNS header unchanged.  Or better yet, simply forwarding the entire
> IP packet unchanged so that even the IP identification field is
> intact.
>
> The DNS header is easy enough, since that's in the application layer,
> but I'm having trouble finding out how to rewrite the transport and
> network layer headers, or to simply forward the whole packet.

You might be able to do this with one of the various firewalls already.
Perhaps check out ipfilter and pf.

If using ipfw you can divert all DNS traffic to a divert(4) socket
which you can then connect to your DNS application.
If the application likes what it sees it can send the packet back
via divert for forwarding to the real DNS target - no modifications
necessary.
If the DNS packet doesn't meet the specs, it can be dropped.

Another possibility might be a netgraph module, although netgraph
seems typically more suited to layer2 type applications.

Hope it helps,

Tony

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
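Added example (not Tony's or Lou's code) of the ipfw divert(4) design Tony describes: a portable check that decides whether a raw IPv4/UDP packet is a non-AAAA DNS query, a constructed sample packet to exercise it, and a FreeBSD-only loop that reads from the divert socket and writes the packet back unmodified (so ipfw forwards it with the original source address intact) or silently drops it. It assumes an ipfw rule already diverts UDP port 53 traffic to the port passed to divert_loop(); the function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Inspect one raw IPv4 packet read from the divert socket. Returns 1 if it is a UDP
 * DNS query worth reinjecting unchanged, 0 if it should be dropped: an AAAA (type 28,
 * IPv6 address) query, a response instead of a query, or a malformed packet. */
int dns_query_wanted(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;                   /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 17 || len < ihl + 8 + 12) return 0;   /* need UDP + DNS hdr */
    const uint8_t *udp = pkt + ihl, *dns = udp + 8; size_t dlen = len - ihl - 8, p = 12;
    if (((udp[2] << 8) | udp[3]) != 53) return 0;                   /* destination port 53 */
    if ((dns[2] & 0x80) || ((dns[4] << 8) | dns[5]) != 1) return 0; /* QR clear, QDCOUNT 1 */
    while (p < dlen && dns[p] != 0) {                               /* walk the QNAME labels */
        if (dns[p] & 0xc0) return 0;                                /* no compression pointers */
        p += dns[p] + 1;
    }
    if (p + 5 > dlen) return 0;                                     /* root label+QTYPE+QCLASS */
    return ((dns[p + 1] << 8) | dns[p + 2]) != 28;                  /* 28 = AAAA */
}

/* Constructed sample input: IPv4/UDP 10.0.0.5:50000 -> 10.0.0.1:53 with one question
 * for example.com of the given QTYPE, class IN. Checksums are left zero. */
size_t build_query(uint8_t *buf, uint16_t qtype)
{
    static const uint8_t pkt[] = {
        0x45,0,0,57, 0x12,0x34,0,0, 64,17,0,0, 10,0,0,5, 10,0,0,1, 0xc3,0x50,0,53, 0,37,0,0,
        0xab,0xcd,1,0, 0,1,0,0, 0,0,0,0, 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,0, 0,1 };
    memcpy(buf, pkt, sizeof pkt);
    buf[sizeof pkt - 4] = qtype >> 8; buf[sizeof pkt - 3] = qtype & 0xff;
    return sizeof pkt;
}
#ifdef IPPROTO_DIVERT /* FreeBSD only: the ipfw divert(4) loop described in the reply */
int divert_loop(uint16_t divert_port)
{
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(divert_port) };
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) return -1;
    for (;;) {
        uint8_t buf[65535]; struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) return -1;
        if (dns_query_wanted(buf, (size_t)n))   /* same sockaddr back => ipfw resumes the */
            sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl); /* ruleset untouched */
    }                                           /* not reinjecting is the drop */
}
#endif
```

Because the packet is written back byte for byte, the IP identification field and the agent's source address survive, which is exactly what Lou asked for; only the divert_loop() part needs a FreeBSD host.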


[maybe OT] IP/UDP/DNS packet manipulation question

2004-02-07 Thread Louis LeBlanc
I know this might be a pretty technical question for this list, but
this is the one I'm subscribed to, so please bear with me.

I have a project that requires some creative network development.  I'm
to come up with a DNS based daemon that performs filtering and
forwarding of DNS request packets, but doesn't actually proxy them.
The platform is to be FreeBSD, otherwise I wouldn't bother anyone
here.

That is to say it will accept DNS requests from local agents, filter
out IPV6 request packets, and forward IPV4 requests to our backend DNS
server in a way that the backend server will believe it has received
them directly from the local server and send the response directly
back to the local DNS agent, not the filter/forwarder.

As I understand things, this will mean rewriting the outgoing IP
header, UDP header (TCP support is not needed), so that they each
contain the address of the local agent as the sender IP, and leaving
the DNS header unchanged.  Or better yet, simply forwarding the entire
IP packet unchanged so that even the IP identification field is
intact.

The DNS header is easy enough, since that's in the application layer,
but I'm having trouble finding out how to rewrite the transport and
network layer headers, or to simply forward the whole packet.

There is an excellent proxy in the ports, dnsproxy by Armin
Wolfermann, but this actually handles the responses itself, which I
want to avoid.

I've been through the Stevens books, and no hint on how to do any of
this.  I thought I could simply bind the socket to the address in
question, but according to the bind(2) manpage, that would return an
EADDRNOTAVAIL error.

I've also been through the ports/dns/ and ports/net/ ports, and it
doesn't look like there's anything to perform IP/UDP forwarding.

Can anyone shed some light here, or maybe tell me where I can find the
relevant info to help with this?  Is rewriting these headers even
necessary if the DNS packet can be sent unaltered?  Is multilayer
source address comparison a standard security check?

Thanks

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

hacker, n.:
  A master byter.