Date:      Sat, 7 Feb 2004 13:46:46 -0500
From:      Louis LeBlanc <freebsd@keyslapper.org>
To:        FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject:   [maybe OT] IP/UDP/DNS packet manipulation question
Message-ID:  <20040207184646.GA86056@keyslapper.org>

I know this might be a pretty technical question for this list, but
this is the one I'm subscribed to, so please bear with me.

I have a project that requires some creative network development.  I'm
to come up with a DNS based daemon that performs filtering and
forwarding of DNS request packets, but doesn't actually proxy them.
The platform is to be FreeBSD, otherwise I wouldn't bother anyone
here.

That is to say it will accept DNS requests from local agents, filter
out IPV6 request packets, and forward IPV4 requests to our backend DNS
server in a way that the backend server will believe it has received
them directly from the local server and send the response directly
back to the local DNS agent, not the filter/forwarder.

As I understand things, this will mean rewriting the outgoing IP
header and UDP header (TCP support is not needed), so that they each
contain the address of the local agent as the sender IP, and leaving
the DNS header unchanged.  Or better yet, simply forwarding the entire
IP packet unchanged so that even the IP identification field is
intact.

The DNS header is easy enough, since that's in the application layer,
but I'm having trouble finding out how to rewrite the transport and
network layer headers, or to simply forward the whole packet.

There is an excellent proxy in the ports, dnsproxy by Armin
Wolfermann, but this actually handles the responses itself, which I
want to avoid.

I've been through the Stevens books, and no hint on how to do any of
this.  I thought I could simply bind the socket to the address in
question, but according to the bind(2) manpage, that would return an
EADDRNOTAVAIL error.

I've also been through the ports/dns/ and ports/net/ ports, and it
doesn't look like there's anything to perform IP/UDP forwarding.

Can anyone shed some light here, or maybe tell me where I can find the
relevant info to help with this?  Is rewriting these headers even
necessary if the DNS packet can be sent unaltered?  Is multilayer
source address comparison a standard security check?

Thanks

Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

hacker, n.:
  A master byter.
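The filtering half of what the post describes, as an added example that is not part of the original message or of dnsproxy: a small C routine that walks the question section of a DNS query and reports whether it asks for an IPv6 address record. It assumes that "IPV6 request packets" means AAAA queries (QTYPE 28) and that the daemon already has the UDP payload in hand; the two sample packets are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QTYPE_A    1
#define QTYPE_AAAA 28

/* Return the QTYPE of the first question in a DNS query, or -1 when the
 * packet is a response, carries no question, or is malformed/truncated.
 * A normal stub resolver sends exactly one question, so only the first
 * one is inspected. */
int dns_query_qtype(const uint8_t *pkt, size_t len)
{
    size_t off = 12;                         /* fixed 12-byte DNS header */
    if (len < 12) return -1;
    uint16_t flags   = (uint16_t)(pkt[2] << 8 | pkt[3]);
    uint16_t qdcount = (uint16_t)(pkt[4] << 8 | pkt[5]);
    if (flags & 0x8000) return -1;           /* QR bit set: this is a reply */
    if (qdcount < 1) return -1;
    /* QNAME: length-prefixed labels terminated by a zero-length label */
    for (;;) {
        if (off >= len) return -1;           /* ran off the end of the packet */
        uint8_t l = pkt[off];
        if (l == 0) { off++; break; }
        if (l & 0xC0) return -1;             /* compression pointer: reject in a query name */
        if (l > 63 || off + 1 + l > len) return -1;
        off += 1 + l;
    }
    if (off + 4 > len) return -1;            /* need QTYPE and QCLASS */
    return pkt[off] << 8 | pkt[off + 1];
}

/* Filter decision: 1 = IPv6 (AAAA) query to drop, 0 = anything else to
 * forward, -1 = malformed packet (drop as well, but log separately). */
int is_ipv6_query(const uint8_t *pkt, size_t len)
{
    int qt = dns_query_qtype(pkt, len);
    if (qt < 0) return -1;
    return qt == QTYPE_AAAA ? 1 : 0;
}

/* Constructed samples: "www.example.com", ID 0x1234, RD set, one question */
static const uint8_t sample_aaaa[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,QTYPE_AAAA, 0x00,0x01 };
static const uint8_t sample_a[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,QTYPE_A, 0x00,0x01 };
```

Calling dns_query_qtype() on sample_aaaa returns 28 and on sample_a returns 1; a copy of sample_aaaa cut to 20 bytes, or with the QR bit set, returns -1.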