Hijacking and intercepting DNS queries (port 53) with the Linux iptables firewall

Source: Internet
Author: User
Tags: iptables, dns poisoning

Enterprise intranets often have the following need. Say the business server has the IP address 192.168.6.25. We are used to visiting it by address, but operations staff kindly resolve a domain name to that IP so nobody has to remember an awkward number. It is also convenient for operations: the business server can be migrated from host 192.168.6.25 to host 192.168.6.26 without telling any client to change the address. That is the role a domain name plays. Now the problem comes :-)

The customer says the business is small and they do not want to buy yet another domain name. Fair enough: more than 50 dollars a year is still a cost, and a purchased domain needs someone to maintain it, for example to remember the renewal, which is a bit of a hassle. They also feel it is not safe to advertise intranet addresses on the public Internet.

After asking around, I learned that the enterprise runs its own DNS server, which provides DNS resolution for the whole network. That makes things much easier: the DNS server software can hard-bind the chosen domain name to the IP address record (since it is our own DNS server, the domain name can be set arbitrarily; of course, it is best to pick a name that does not exist on the public Internet, to avoid conflicts).


For dnsmasq, create a conf file directly under the /etc/dnsmasq.d path, for example server.conf, with the following contents:

The code is as follows:
address=/business.server/192.168.6.25

Here business.server is the domain name we chose arbitrarily, and 192.168.6.25 is the IP address it points to.

Because the LAN's Internet router hands out our intranet server as the DNS server via DHCP, clients that obtain their IP address and DNS settings automatically need no attention from us. But the problem is far from solved: what if someone has configured a different DNS server by hand?

Operations staff do not want to notify users one by one to change their DNS server to the designated intranet server. Instead, with the powerful iptables we can hijack all of the users' DNS queries without their noticing.

Of course, iptables is configured on the router (here the LAN router is a small server running Linux). As is well known, DNS uses port 53 and is carried over either TCP or UDP, so we need to hijack the query traffic of both protocols on port 53 and send it to our designated DNS server.

The code is as follows:
# Rewrite the destination of all DNS queries (UDP and TCP port 53) arriving on the LAN interface to our own resolver
iptables -t nat -A PREROUTING -i ethX -p udp --dport 53 -j DNAT --to-destination $(get lan_ipaddr)
iptables -t nat -A PREROUTING -i ethX -p tcp --dport 53 -j DNAT --to-destination $(get lan_ipaddr)

Here ethX is the router's LAN interface, and $(get lan_ipaddr) denotes our own DNS server (typically on the intranet). For example, if the LAN interface is eth1 and the DNS server is located at 192.168.6.10, the rules above become:

The code is as follows:
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to-destination 192.168.6.10
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to-destination 192.168.6.10
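As an added example (not a script from the original page), the following POSIX shell script applies the two rules above idempotently and adds two things an operator will want when the resolver is a separate LAN host: a source exclusion so the resolver's own upstream queries are not looped back to it, and a hairpin MASQUERADE so replies still return through the gateway when the resolver sits on the clients' subnet. LAN_IF, DNS_IP, the function names and the probe resolver address are assumptions.

```shell
#!/bin/sh
# Added example, not the original page's script. LAN_IF and DNS_IP are placeholders
# for the operator to set; the defaults reuse the page's eth1 / 192.168.6.10 example.
LAN_IF="${LAN_IF:-eth1}"
DNS_IP="${DNS_IP:-192.168.6.10}"

# PREROUTING spec for one protocol. Two matches are added beyond the page's rules:
#  "! -s $DNS_IP": when the resolver is a separate LAN host, its own upstream
#     queries also enter the gateway on port 53 and would be DNAT'ed back to it (loop);
#  "! -d $DNS_IP": queries already addressed to our resolver need no rewrite.
dns_rule() {
  printf 'PREROUTING -i %s ! -s %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s' \
    "$LAN_IF" "$DNS_IP" "$DNS_IP" "$1" "$DNS_IP"
}

# Hairpin fix: if the resolver sits on the same subnet as the clients, its reply
# returns over the switch without passing the gateway, so the reverse NAT never
# happens and the client drops an answer from an address it did not query.
# Masquerading only the DNAT'ed flows forces the reply back through the gateway
# (cost: the resolver logs those redirected clients as the gateway address).
hairpin_rule() {
  printf 'POSTROUTING -o %s -d %s -p %s --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE' \
    "$LAN_IF" "$DNS_IP" "$1"
}

# Append a rule only if it is not already present (-C exits 0 on a match), so
# re-running the script does not stack duplicates. Word splitting of $1 is intended.
ensure_rule() {
  if iptables -t nat -C $1 2>/dev/null; then
    echo "present: $1"
  else
    iptables -t nat -A $1 && echo "added: $1"
  fi
}

apply_dns_redirect() {
  for proto in udp tcp; do
    ensure_rule "$(dns_rule "$proto")"
    ensure_rule "$(hairpin_rule "$proto")"
  done
}

# From a LAN client: a query aimed at any outside resolver (the address is just a
# probe target) must come back with the record dnsmasq serves; an empty result
# usually means the client does not route through this gateway.
check_redirect() {
  dig +short +time=2 "@${1:-8.8.8.8}" business.server 2>/dev/null
}

if [ "${1:-}" = "apply" ]; then apply_dns_redirect; fi
```

Run it as root on the router with the argument apply, then run check_redirect from a client; if dnsmasq runs on the router itself, the DNAT target is a local address and the hairpin rule simply never matches.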

That is all I want to introduce here. But this method has a precondition: on the LAN, all traffic must pass through this router, i.e. the router is the gateway for all inbound and outbound traffic; otherwise the method does not work. For special situations one could consider a similar approach based on DNS poisoning, which I have not tried and will not cover here. There are further problems with this approach: applying the firewall rules above intercepts all UDP or TCP traffic destined for port 53, so if some external server uses port 53 for another purpose, access to it will break; and it puts a burden on the self-built DNS server, because if that server goes down, all DNS resolution fails.

Of course, the technique I have described today also has a legitimate use case: when the network environment is bad and DNS is being attacked or poisoned, a self-built server can use various means to avoid these security problems, so for LAN security, redirecting DNS query traffic is necessary.
