DNS Manipulation via IPTables or other means?


DNS Manipulation via IPTables or other means?

by Dan Bogda

Guys,
Sorry to cross post, but I'm looking to see if an IPTables solution
exists for NATing DNS responses? I thought I could alter DNS responses
with IPTables, but I can't find any reference to this. Does this
functionality exist natively or via a plug in module? Otherwise, does
anyone have any other suggestions?

I have details of the problem below. I am looking for a network based
solution so that the hosts don't need to be updated. I only need to
update a handful of IP addresses and would like to focus there. I am
currently running multiple views inside of BIND to provide an internal
and external copy of each zone file, however this is not scalable.

Thanks,
Dan


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Dan Bogda
Sent: Thursday, November 02, 2006 9:25 PM
To: security-basics@...
Subject: DNS Manipulation

Guys,
I have segmented security zones that need to access the same devices,
but via different NAT addresses. I am looking to manipulate the DNS
responses from my BIND server and ideally I only want to affect DNS
responses that contain the handful of addresses I am NAT'ing. I first
started building this out with multiple views within BIND with a script
to do conversion from the external to internal view, based on my list of
NAT'd IPs, but as time progresses this doesn't seem too scalable. I am
also unable to do the conversion on my firewalls due to the placement of
the NAT operation.

Ideally, I need a solution I can implement on my DNS server and I can
control with access-lists or source filtering. I had considered running
multiple instances of BIND, bound to separate IPs/Ports, but I would
prefer to find a simpler solution if I can. I thought there was an
IPTables module I can load to manipulate DNS response data, but I
haven't been able to find any reference of it yet.

Here's where I need your help:

1. Does a DNS, binary or other module exist for IPTables to manipulate
DNS response data?

2. Has anyone done something similar and would like to share their
solution?

3. Does anyone have any other suggestions, approaches I haven't
considered?


Thanks in advance!
Dan


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


Re: DNS Manipulation via IPTables or other means?

by Robert Hajime Lanning

No firewall product (IPTables or otherwise) has a DNS rewrite
feature.

In fact, in the future, with DNSSEC/zone signing, you will invalidate
the response if you change it.

We handle this with the DNS Views with BIND, just like you are
doing currently.  For most of our externally facing applications, we
have public routed IP addresses for our DMZ.  But we still have
the split views, so we still maintain separate zones.

Externally the zone consists of just external hosts/routers/firewalls.

Internally the zone consists of our internal hosts/routers/firewalls plus
the external ones.

So, while the internal zones have some 250k entries, the external one
has hundreds.

Also, what is the issue of allowing the internal hosts to access DMZ
services via the NAT address?  As long as the connection must
pass through the firewall, the NAT should work fine.

On 11/6/06, Dan Bogda <dan.bogda@...> wrote:


--
And, did Guloka think the Ulus were too ugly to save?
                                         -Centauri
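One way to do the external-to-internal conversion Dan describes, which is also what produces the second of the split views Robert keeps: a script that copies the external zone file and rewrites only the A records whose address is in the NAT table. This is an added example, not code from anyone in the thread; the zone text, the addresses and the NAT table are constructed.

```python
"""Derive the internal-view zone file from the external-view zone file.

Only A records whose address appears in the NAT table are rewritten; every
other line (SOA, NS, MX, TXT, comments, directives) is copied through unchanged.
"""
import re

# Constructed NAT table: public address in the external view -> address the
# internal view should hand out for the same host.
NAT_TABLE = {
    "203.0.113.10": "10.10.1.10",
    "203.0.113.25": "10.10.1.25",
}

# owner [ttl] [class] A <ipv4> [; comment]   (blank owner = same as previous line)
A_RECORD = re.compile(
    r"^(?P<prefix>\S*\s+(?:\d+\s+)?(?:IN\s+)?A\s+)"
    r"(?P<ip>\d+(?:\.\d+){3})"
    r"(?P<suffix>\s*(?:;.*)?)$"
)


def convert_zone(external: str, nat: dict) -> tuple[str, list]:
    """Return (internal zone text, A-record addresses that were not in the NAT table).

    The unmapped list is the operator's check: an address that is neither
    NAT'd nor expected to be reachable directly from inside shows up here.
    """
    out, unmapped = [], []
    for line in external.splitlines():
        m = A_RECORD.match(line)
        if m is None:
            out.append(line)
            continue
        ip = m.group("ip")
        if ip in nat:
            out.append(f"{m.group('prefix')}{nat[ip]}{m.group('suffix')}")
        else:
            unmapped.append(ip)
            out.append(line)
    return "\n".join(out) + "\n", unmapped


# Constructed external-view zone file.
EXTERNAL_ZONE = """\
$TTL 3600
@       IN  SOA ns1.example.net. hostmaster.example.net. (2006110601 3600 900 604800 300)
        IN  NS  ns1.example.net.
        IN  MX  10 mail
ns1     IN  A   203.0.113.2
www     IN  A   203.0.113.10   ; behind the NAT
mail    IN  A   203.0.113.25
        IN  A   203.0.113.26   ; second address, same owner
txt     IN  TXT "A 203.0.113.10 is not an address record"
"""

if __name__ == "__main__":
    internal, unmapped = convert_zone(EXTERNAL_ZONE, NAT_TABLE)
    print(internal)
    print("not in NAT table:", unmapped)
```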

Re: DNS Manipulation via IPTables or other means?

by terry white

... ciao:

: on "11-6-2006" "Dan Bogda" writ:
: IPTables NATing DNS responses?

   first, there is something about that, that just "feels" wrong.

   iptables, natively, does NAT.  why involve BIND at all.

   as a given, i am not at all clear on the topology you are trying to
manage, or what you are trying to accomplish.  that may well explain not
understanding 'how' you want to do it, so to speak ...


--
... i'm a man, but i can change,
    if i have to , i guess ...


RE: DNS Manipulation via IPTables or other means?

by Fabrice Barutel

Hi,

If you have Cisco PIX, you should look at the DNS Doctoring feature: it could
help you.

--
Fabrice Barutel

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Robert Hajime Lanning
Sent: Tuesday, 7 November 2006 01:15
To: firewalls@...
Subject: Re: DNS Manipulation via IPTables or other means?




Re: DNS Manipulation via IPTables or other means?

by Arthur Fonzarelli

Hmm.  Not sure about iptables.  In what way is BIND not scalable --
have you tried djbdns? It has a similar feature that allows for
wildcarding and catchalls -- it's also much more secure than BIND.

On 11/6/06, Dan Bogda <dan.bogda@...> wrote:

Re: DNS Manipulation via IPTables or other means?

by Florian Rommel


Honestly, I have worked with iptables in really complex environments
for many years; I never have heard of manipulating DNS records on the
fly. I don't even think you can do this with string matching, since
string matching lets you check for a string, not manipulate it.

I really wonder why views aren't scalable; maybe there is another
solution. I always draw my stuff out on paper (yes, REAL paper :)) and
visualize it that way, then find an easier solution by looking at the
picture. Views in BIND are meant for this kind of thing: different
access control from different IPs gives you different results. Would
you mind sharing some more info? Maybe the amount of views you are
handling, etc. Maybe someone comes up with a more streamlined idea?

cheers
sorry, just my 2 cents

//Flosse
http://blog.2blocksaway.com

Re: DNS Manipulation via IPTables or other means?

by Patrick Debois

You might use the BIND view functionality

http://www.zytrax.com/books/dns/ch7/view.html

Arthur Fonzarelli wrote:


RE: DNS Manipulation via IPTables or other means?

by Paul Ryland

 

> honestly , I have worked with iptables in really complex
> environments for many years, i never have heard of
> manipulating dns records on the fly, I don't even think you
> can do this with string matching since string matching lets
> you check for a string, not manipulate it.
>
> I really wonder why views aren't scalable, maybe there is
> another solution, I always draw my stuff out on paper (yes
> REAL paper :)) and visualize it that way, then find easier
> solution by looking at the picture. Views in Bind are meant
> for this kind of thing , different access control from
> different ips give you different results. Would you mind
> sharing some more info? maybe the amount of views you are
> handling etc. Maybe someone comes up with a more streamlined idea?

Consider this example, your company wants to provide access to a
partner company over an IPSec VPN connection.  The servers at both
companies are on the same 192.168.1.0/24 network.  Your company
wants to also forward DNS requests to your partner company's DNS
server for lookups involving their internal DNS domain.

There are several points worth noting about this setup:

i) NAT will have to be used to prevent the two internal networks
colliding

ii) your partner company's DNS server will be returning addresses on
your own network, not on the remote NAT'ed network.

iii) you might not be able to request views on your partner company's
DNS server

iv) it is not a scalable and maintainable solution to provide spoofed
zones for your partner company's DNS zones.

An ideal solution (as provided by the PIX) is to manipulate the DNS
responses from your partner company's DNS server.

I've never even bothered trying to set up a deployment, with these
issues, with IPTables --- any pointers as to how to do this with IPTables
would be greatly appreciated.


Paul
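What the PIX-style DNS doctoring Paul describes actually does on the wire, as an added example (not code from the thread or from any vendor): walk a DNS response, rewrite the RDATA of A records that appear in the NAT table, and leave a response untouched when it carries RRSIG records, which is Robert's DNSSEC point in practice. The response bytes, names and addresses are constructed; `build_response` exists only to produce that sample.

```python
"""Rewrite A records inside a DNS response according to a NAT table.

This is the middlebox behaviour the thread calls "DNS doctoring". A response
that carries RRSIG records is returned untouched: a doctored signed RRset
would fail DNSSEC validation at the client, so the rewrite cannot be applied.
"""
import ipaddress
import struct

TYPE_A, TYPE_RRSIG = 1, 46


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def doctor_response(msg: bytes, nat_map: dict) -> tuple[bytes, list]:
    """Return (rewritten message, list of (old, new) address substitutions)."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    rrs = []                                       # (type, rdata offset, rdlength)
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rrs.append((rtype, off, rdlen))
        off += rdlen
    if any(rtype == TYPE_RRSIG for rtype, _, _ in rrs):
        return msg, []                             # signed answer: do not doctor
    buf = bytearray(msg)
    changes = []
    for rtype, rdoff, rdlen in rrs:
        if rtype != TYPE_A or rdlen != 4:
            continue
        old = str(ipaddress.IPv4Address(msg[rdoff:rdoff + 4]))
        new = nat_map.get(old)
        if new is not None:
            buf[rdoff:rdoff + 4] = ipaddress.IPv4Address(new).packed
            changes.append((old, new))
    return bytes(buf), changes


def build_response(qname: str, answers: list, signed: bool = False) -> bytes:
    """Constructed sample response: one A question, A answers, optional dummy RRSIG."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    ancount = len(answers) + (1 if signed else 0)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, 0, 0)
    msg += name + struct.pack("!HH", TYPE_A, 1)
    for ip in answers:                             # owner = pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
        msg += ipaddress.IPv4Address(ip).packed
    if signed:                                     # RRSIG with placeholder RDATA
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 2) + b"\x00\x01"
    return msg


# Constructed NAT table: partner's overlapping address -> address our side must use.
NAT_MAP = {"192.168.1.10": "10.200.1.10"}

if __name__ == "__main__":
    resp = build_response("db.partner.example", ["192.168.1.10", "192.168.1.20"])
    fixed, changes = doctor_response(resp, NAT_MAP)
    print(changes)                                 # [('192.168.1.10', '10.200.1.10')]
```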