Use iptables to implement dynamic dns servers

This document describes how to build a DNS server that returns different resolution results depending on the client's source IP address: several BIND instances run on the same host, each with its own configuration and zone files and its own listening port, and iptables redirects each incoming query to the instance responsible for the client's address range.

1. Core idea
The core idea of a dynamic DNS server of this kind is to run multiple BIND instances on the DNS server. Each BIND instance provides resolution for clients from a different region, so each instance has its own configuration file and zone files and listens on its own port. When a client's DNS request is received, the request is redirected to one of the BIND service ports according to the client's source IP address. When that BIND instance responds, the source port of the reply packet is rewritten back to the standard port 53. In this way, different resolution results are returned depending on the client IP address, and the whole process is transparent to the client. The key to the implementation is running several BIND instances and using iptables to rewrite IP addresses and ports.

2. Configuration process
2.1. Configure kernel netfilter
The kernel version must be no lower than 2.3.5. When compiling a new kernel, you must select the netfilter-related items, which are usually located under the "Networking options" submenu. Taking the 2.4.0 kernel as an example, select the following items:
[*] Kernel/User netlink socket
[ ] Routing messages
<*> Netlink device emulation
[*] Network packet filtering (replaces ipchains)
Then, under "IP: Netfilter Configuration --->", select:
Connection tracking (required for masq/NAT)
FTP protocol support
IP tables support (required for filtering/masq/NAT)
Limit match support
MAC address match support
Netfilter MARK match support
Multiple port match support
TOS match support
Connection state match support
Packet filtering
REJECT target support
Full NAT
MASQUERADE target support
REDIRECT target support
Packet mangling
TOS target support
MARK target support
LOG target support
Ipchains (2.2-style) support
Ipfwadm (2.0-style) support
The last two items can be deselected; if you still need ipchains or ipfwadm, you can select them to keep using ipchains or ipfwadm on the 2.4 kernel. Note, however, that iptables is incompatible with ipchains/ipfwadm: ipchains/ipfwadm cannot be used at the same time as iptables. After compilation, these module files are located in /lib/modules/2.4.0/kernel/net/ipv4/netfilter.
When compiling the new 2.4.0 kernel, you should also select the CPU option matching your processor under "Processor type and features"; otherwise the new kernel may not work properly.

2.2. Configure the BIND service
By default, BIND listens on port 53. We can configure BIND to run on different IP addresses and ports, which is not complicated. Assume that the IP address of our DNS server is 211.163.76.1 and that we want to distinguish CERNET clients from non-CERNET clients. In this case we run two BIND instances with different configuration files. In the configuration file of the instance that uses the non-standard port, use listen-on to specify the port on which it listens, for example:
options {
    listen-on port 54 { 211.163.76.1; };
    directory "/var/named_cernet";
};
Use the -c option of named to make each instance read its own configuration file, for example:
/usr/sbin/named -u named -c /etc/named_cernet.conf

2.3. Configure redirection rules
Assume that the BIND instance listening on the standard port provides DNS resolution for non-CERNET clients and the instance listening on port 54 provides resolution for CERNET clients. We can create the following rule script:
#!/bin/bash
# Address of the DNS server and port of the BIND instance serving CERNET clients
DNS_IP=211.163.76.1
CNET_PORT=54

# Enable IP forwarding (kept from the original script; REDIRECT itself delivers
# to a local port and only needs the nat table)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the related kernel modules
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat

# Flush all existing nat rules
/sbin/iptables -t nat -F

# Redirect DNS requests from CERNET to the local port $CNET_PORT (UDP and TCP).
# The CERNET address list can be obtained from www.nic.edu.cn/rs/ipstat/
CERNET_PREFIXES="163.105.0.0/16 166.111.0.0/16 202.4.128.0/19 202.112.0.0/15"
# ... (remaining CERNET prefixes follow the same pattern)
for prefix in $CERNET_PREFIXES; do
    for proto in udp tcp; do
        /sbin/iptables -t nat -A PREROUTING -i eth0 -p $proto -s $prefix \
            --dport 53 -j REDIRECT --to-ports $CNET_PORT
    done
done

# Rewrite the source port of packets leaving port $CNET_PORT so that the CERNET
# DNS client sees replies coming from port 53
for proto in udp tcp; do
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -p $proto --sport $CNET_PORT \
        -j SNAT --to-source $DNS_IP:53
done
The script takes the DNS server address and the CERNET listening port from its DNS_IP and CNET_PORT parameters; change them to your own DNS server address and listening port before use.
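As an added check that is not part of the original article: the following POSIX shell script reproduces, offline, the classification that the PREROUTING rules above perform, so you can confirm which BIND instance a given client address will reach before loading the rules on a live server. It reuses the four CERNET prefixes shown in the rule script (the elided remainder of the list is not filled in); the function names ip_to_int, in_cidr and dns_port_for and the sample client addresses are the example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original article): offline check of which BIND
# instance a client address is routed to by the REDIRECT rules.

# Prefixes copied from the rule script; the article's "..." remainder is not filled in.
CERNET_PREFIXES="163.105.0.0/16 166.111.0.0/16 202.4.128.0/19 202.112.0.0/15"
CNET_PORT=54   # port of the CERNET BIND instance (as in the rule script)
STD_PORT=53    # standard port, non-CERNET BIND instance

# ip_to_int A.B.C.D -> prints the address as a 32-bit unsigned integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/LEN -> exit status 0 when IP lies inside the prefix,
# using the same mask-and-compare that the kernel applies for "-s NETWORK/LEN"
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dns_port_for CLIENT_IP -> prints the local port a query from CLIENT_IP ends up on:
# the first matching prefix wins, exactly as the first matching PREROUTING rule does;
# an address that matches no prefix is left on port 53.
dns_port_for() {
    for prefix in $CERNET_PREFIXES; do
        if in_cidr "$1" "$prefix"; then
            echo "$CNET_PORT"
            return 0
        fi
    done
    echo "$STD_PORT"
}

# Constructed sample clients: inside a prefix, just past a /19 boundary, and unrelated.
for client in 163.105.1.2 202.4.159.255 202.4.160.1 8.8.8.8; do
    echo "client $client -> local port $(dns_port_for "$client")"
done
```

The boundary cases matter most: 202.4.159.255 is the last address inside 202.4.128.0/19 and is redirected to port 54, while 202.4.160.1 is outside it and stays on port 53. Running this against the full prefix list before deploying the rules catches a mistyped prefix length, which would otherwise silently send part of a region to the wrong BIND instance.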

2.4. Run the dynamic DNS server
After the configuration is complete, start both BIND instances and run the rule script; the dynamic DNS server then works normally.
