How to configure a dynamic DNS server for an IPtables Application

Source: Internet
Author: User
Tags ftp protocol

Summary

This article describes how to build a DNS server that returns different answers depending on the client's source address (a split-view DNS), by running several BIND instances on different ports and using iptables to steer queries to the right one.

1. Core Ideas

The core idea is to run several BIND instances on the same DNS server. Each instance serves clients from a different network region, so each one has its own configuration file and zone files and listens on its own port. When a client's DNS request arrives, iptables redirects it to one of the BIND ports according to the client's source IP address.

When that BIND instance replies, the source port of the reply packet is rewritten back to the standard port 53. In this way different resolution results are returned depending on the client's IP address, and the whole process is transparent to the client. The key to the implementation is running several BIND instances and using iptables to rewrite addresses and ports.

Two points to keep in mind. First, the selection is based purely on the source IP address, so the non-standard ports must not be reachable directly from outside the intended region; otherwise anyone can read the region-specific view simply by querying that port, and a filter rule that drops such direct queries should accompany the redirect rules. Second, BIND 9 can produce the same effect inside a single instance with view statements and match-clients lists, without any iptables rules; the port-redirection approach below is what the original article describes.

2. Configuration Process

2.1. Configure the kernel

Netfilter requires a kernel version of at least 2.3.5. When compiling a new kernel, you must select the netfilter-related items, which are usually found under "Networking options". Taking the 2.4.0 kernel as an example, select the following:

 
   [*] Kernel/User netlink socket
   [ ] Routing messages
   <*> Netlink device emulation
   [*] Network packet filtering (replaces ipchains)
 

Then, in "IP: Netfilter Configuration ---->", select:

 
   <M> Connection tracking (required for masq/NAT)
   <M> FTP protocol support
   <M> IP tables support (required for filtering/masq/NAT)
   <M> limit match support
   <M> MAC address match support
   <M> Netfilter MARK match support
   <M> Multiple port match support
   <M> TOS match support
   <M> Connection state match support
   <M> Packet filtering
   <M> REJECT target support
   <M> Full NAT
   <M> MASQUERADE target support
   <M> REDIRECT target support
   <M> Packet mangling
   <M> TOS target support
   <M> MARK target support
   <M> LOG target support
   <M> ipchains (2.2-style) support
   <M> ipfwadm (2.0-style) support
 

The last two items can be deselected; select them only if you still need ipchains or ipfwadm on a 2.4 kernel. Note, however, that iptables is not compatible with ipchains/ipfwadm: the ipchains or ipfwadm modules cannot be loaded while iptables is in use. After compilation, these module files are located in /lib/modules/2.4.0/kernel/net/ipv4/netfilter.

When compiling the 2.4.0 kernel, you should also select the option matching your CPU under "Processor type and features"; otherwise the new kernel may not work properly.

2.2. Configure the BIND Service

By default BIND listens on port 53, but it can be configured to run on any IP address and port, which makes this setup straightforward. Assume that the IP address of our DNS server is 211.163.76.1 and that we want to distinguish CERNET clients from non-CERNET clients. We must then run two BIND instances with different configuration files. In the configuration file of the instance that uses the non-standard port, the listen-on statement specifies the address and port on which that instance listens. For example:

 
   options {
       listen-on port 54 { 211.163.76.1; };
       directory "/var/named_cernet";
   };
 

The -c option of named tells it which configuration file to read, for example:

 
  /usr/sbin/named -u named -c /etc/named_cernet.conf
 

2.3. Configure redirection rules

Assume that the BIND instance listening on the standard port serves non-CERNET clients and the instance listening on port 54 serves CERNET clients. We can then create the following rule script:

 
   #!/bin/bash
   # enable IP forwarding (not strictly required for REDIRECT to a local port, but harmless)
   echo 1 > /proc/sys/net/ipv4/ip_forward
   # load the relevant kernel modules
   /sbin/modprobe ip_tables
   /sbin/modprobe iptable_filter
   /sbin/modprobe iptable_nat
   # flush all NAT rules
   /sbin/iptables -t nat -F
 

# Redirect DNS requests from CERNET addresses to local port 54.

# The CERNET address list can be obtained from www.nic.edu.cn/rs/ipstat/

 
   /sbin/iptables -t nat -A PREROUTING -p udp -s 163.105.0.0/16 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p tcp -s 163.105.0.0/16 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p udp -s 166.111.0.0/16 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p tcp -s 166.111.0.0/16 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p udp -s 202.4.128.0/19 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p tcp -s 202.4.128.0/19 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p udp -s 202.112.0.0/15 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   /sbin/iptables -t nat -A PREROUTING -p tcp -s 202.112.0.0/15 --dport 53 -i eth0 -j REDIRECT --to-ports 54
   …
 

# Rewrite the source port of replies from the CERNET BIND instance (port 54) back to port 53

 
   /sbin/iptables -t nat -A POSTROUTING -p udp --sport 54 -o eth0 -j SNAT --to 211.163.76.1:53
   /sbin/iptables -t nat -A POSTROUTING -p tcp --sport 54 -o eth0 -j SNAT --to 211.163.76.1:53
 

Note that once connection tracking is loaded, the kernel reverse-translates the replies of redirected queries on its own, so the two POSTROUTING rules above are not strictly necessary; the nat table only sees the first packet of each connection, so they would only affect new connections that originate from port 54. The complete script (not reproduced on this page) parameterizes the server address and listening port as DNS_IP and CNET_PORT; change them to your own DNS server address and port.

2.4. Run Dynamic DNS

After the configuration is complete, start both BIND instances and run the rule script; the split-view DNS server is then operational. Verify it by querying the server from an address inside and an address outside the CERNET list and comparing the answers, and by confirming that a query sent directly to port 54 from an outside address is refused.
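The procedure of sections 2.1 to 2.4, as an added example that is not part of the original article: a script that generates the redirect rules for a prefix list instead of writing them out by hand, and that also closes the gap noted in section 1 by refusing direct queries to the non-standard port from sources outside that list. The names DNS_IP, CNET_PORT, IFACE and the chain name CNET_DNS are assumptions for illustration, and the prefix list is only the four-entry fragment shown in the article, not a complete CERNET allocation. The helper in_cernet repeats in shell the same prefix test the kernel applies to the -s match, so the mapping can be checked before any rule is loaded.

```shell
#!/bin/sh
# Added example (not from the original article): generate a split-view DNS
# rule set for a prefix list. Assumed names: DNS_IP, CNET_PORT, IFACE, CNET_DNS.
set -eu

DNS_IP=${DNS_IP:-211.163.76.1}     # address both BIND instances listen on
CNET_PORT=${CNET_PORT:-54}         # port of the CERNET-view BIND instance
IFACE=${IFACE:-eth0}
IPT=${IPT:-/sbin/iptables}
# Constructed sample: the four prefixes the article lists, not a full allocation.
CNET_PREFIXES="163.105.0.0/16 166.111.0.0/16 202.4.128.0/19 202.112.0.0/15"

# Dotted quad -> 32-bit integer.
ip_to_int() {
    local old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if $1 falls inside one of CNET_PREFIXES. This is the same
# test the kernel performs for the -s match in the rules generated below.
in_cernet() {
    local ip prefix net bits mask
    ip=$(ip_to_int "$1")
    for prefix in $CNET_PREFIXES; do
        net=$(ip_to_int "${prefix%/*}")
        bits=${prefix#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        [ $(( ip & mask )) -eq $(( net & mask )) ] && return 0
    done
    return 1
}

# Print (do not run) the rules so they can be reviewed first. Replies to
# redirected queries are reverse-translated by connection tracking, so no
# POSTROUTING SNAT rule is emitted.
gen_rules() {
    local prefix proto
    echo "$IPT -t nat -F PREROUTING"
    echo "$IPT -N CNET_DNS 2>/dev/null || $IPT -F CNET_DNS"
    for prefix in $CNET_PREFIXES; do
        for proto in udp tcp; do
            # CERNET clients asking $DNS_IP:53 are steered to the CERNET instance.
            echo "$IPT -t nat -A PREROUTING -i $IFACE -p $proto -s $prefix -d $DNS_IP --dport 53 -j REDIRECT --to-ports $CNET_PORT"
            # The same prefixes are the only sources allowed to reach that port at all.
            echo "$IPT -A CNET_DNS -p $proto -s $prefix -j RETURN"
        done
    done
    # Anyone else who queries the non-standard port directly is dropped, so the
    # CERNET-only view cannot be read just by asking port $CNET_PORT.
    echo "$IPT -A CNET_DNS -j DROP"
    for proto in udp tcp; do
        echo "$IPT -I INPUT 1 -i $IFACE -p $proto -d $DNS_IP --dport $CNET_PORT -j CNET_DNS"
    done
}

case "${1:-}" in
    print) gen_rules ;;
    apply) gen_rules | sh ;;
    check) if in_cernet "$2"; then echo "$2: CERNET view"; else echo "$2: default view"; fi ;;
esac
```

Run it as "sh split-dns.sh print" to inspect the rules, "sh split-dns.sh apply" (as root) to load them, and "sh split-dns.sh check 202.113.5.5" to see which view a given client address would receive. The INPUT rules are inserted at the head of the chain so that an earlier blanket ACCEPT cannot bypass the CNET_DNS check.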
