LinuxQuestions.org

Direct specific client to specific server via DNS !! (https://www.linuxquestions.org/questions/linux-newbie-8/direct-specific-client-to-specific-server-via-dns-4175507688/)

shahzaibcb 06-11-2014 02:56 AM

Direct specific client to specific server via DNS !!
 
Can I direct a specific client (1.2.3.4) to a specific server (192.168.X.X)?

Suppose a client sends a request to the DNS server for test.files.com; the DNS server checks that the client's IP is 1.2.3.4 and answers the request for test.files.com with the server IP 192.168.10.20. Another client sends the same request for test.files.com from the IP 10.1.1.1; the DNS server checks that the client's IP is 10.1.1.1 and answers the request with the server 192.168.10.30.

Regards.
Shahzaib

acid_kewpie 06-11-2014 03:26 AM

You've not said anything about the DNS solution you're using, but presuming it's BIND, you can use match-clients in a view definition to achieve this: http://www.howtoforge.com/two_in_one_dns_bind9_views

shahzaibcb 06-11-2014 03:29 AM

Thanks for the reply, Chris. Yes, it's BIND.

TenTenths 06-11-2014 03:33 AM

As an alternative you could point test.files.com to 192.168.10.30 and then use something like HAProxy to check the source IP of the client and pass it through to 192.168.10.20.

The method you are suggesting (using DNS) could be vulnerable to something as simple as the user making a hosts-file entry pointing to 192.168.10.30.

Depending, of course, on the way your network(s) are defined, you may have the source IP masked by NAT :(

shahzaibcb 06-11-2014 04:17 AM

>> The method you are suggesting (using DNS) could be vulnerable to something as simple as the user making a hosts-file entry pointing to 192.168.10.30.

Well, we're running a video streaming site and deploying a caching server to cache videos at the local ISP's end (in Asia) to save bandwidth, and to direct any traffic from those ISP users towards the local caching server (192.168.10.20). The ISP provided us the IP pool of its users so that only their users are directed towards the caching server and the rest are served from the main server (located in the U.S.).

Say one of the ISP's users changed his hosts file to the IP 192.168.10.30. What vulnerability could occur?

I am a newbie to this DNS thing and will really appreciate your help on it.

TenTenths 06-11-2014 04:30 AM

If you're using this to load-balance and distribute content, then the server the user is pulling from wouldn't really cause a vulnerability. If you were hosting different files and wanting to use the client IP as a form of access control, then by changing the IP in the hosts file they could decide which of the servers to actually pick from.

shahzaibcb 06-11-2014 07:26 AM

Thanks for the reply and help. I have set up the DNS server locally, and all requests from 192.168.2.0/24 for test.com are going to the specific IP while other requests are going to the main IP, just as I wanted. Following is the main named.conf config. Do I need to add anything more?

// ACLs have to be defined before the views that reference them
acl "caching" {
    127.0.0.0/8;
    192.168.2.0/24;
};

view "caching" {
    match-clients { caching; };
    recursion yes;
    zone "test.com" {
        type master;
        file "db.test.com.cache";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "test.com" {
        type master;
        file "db.test.com.ext";
    };
};

szboardstretcher 06-11-2014 08:18 AM

If you want more information about this, it's called 'split-horizon DNS' or, more simply, 'split DNS'.

It's a common occurrence, and I've seen it (improperly) used in place of BGP at some companies, i.e. letting the DNS server decide what the closest server to you is.

shahzaibcb 06-12-2014 07:43 AM

Thanks guys for helping me out. I'll definitely look into it.

shahzaibcb 07-04-2014 12:29 AM

Can I include a file in an acl? I need to include 1800+ IP prefixes to direct their traffic to a specific server. I want to put those prefixes into a file and include it in the acl:

acl "caching" {
    127.0.0.0/8;
    192.168.2.0/24;
};

I want to do it like below:

acl "caching" {
    include "/etc/prefixes";
};

Tim Abracadabra 07-04-2014 02:09 AM

Hi Shahzaib,

Quote:

Originally Posted by shahzaibcb (Post 5198374)
Can I include a file in an acl? I need to include 1800+ IP prefixes to direct their traffic to a specific server. I want to put those prefixes into a file and include it in the acl:

acl "caching" {
    127.0.0.0/8;
    192.168.2.0/24;
};

I want to do it like below:

acl "caching" {
    include "/etc/prefixes";
};

You almost have it! (Note: I have not tested this, but it should be close, so take it with a grain of salt ;))

You can try:
Add to the file you show above (named.conf maybe?) this line where you want to include the acl:

include "/etc/bind/named.conf.authdnscache";

Name the file as you wish; I just chose named.conf.authdnscache as it seemed appropriate.

Then create the file in /etc/bind:

touch /etc/bind/named.conf.authdnscache

(Adjust as appropriate and desired.)

Edit (vi, vim, nano, ...) the named.conf.authdnscache file and at the top enter:

acl caching {
    129.79.247.111;
    129.79.247.120;
};

The IP addresses shown above, 129.79.247.111 and 129.79.247.120, are for example only.
Between the curly braces list the IP addresses you need, separated by semicolons.
Don't forget the closing curly brace and semicolon.

Hope that helps,

Tim

shahzaibcb 07-04-2014 04:29 PM

Thanks, that helped. What I did is: created another file and defined acl caching there, then included it in named.conf just as you advised; after that I created another acl tw in named.conf and included the caching acl in tw. Following is the method:

named.conf :-

include "/var/named/tw-prefixes";
acl "tw" {
    caching;
};

/var/named/tw-prefixes :-

acl caching {
    127.0.0.0/8;
    1.2.1.2/8;
};

Thanks a lot @Tim :-)
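
The two posts above describe the procedure: a separate file holding the acl statement, pulled into named.conf with include. As an added example, not code from the thread, here is a small Python helper that turns the ISP's plain prefix list into that file and validates it first, so that a malformed line, a prefix with host bits set (like the 1.2.1.2/8 above) or a prefix far broader than a list of subscriber ranges should contain is caught before named ever reads it. The /16 limit (shortest_allowed) and the sample list are assumptions for illustration.

```python
"""Generate a BIND acl file from a plain list of prefixes (added example).

Every line is validated before anything reaches named.conf: entries that are
not clean CIDR prefixes, or that are broader than policy allows, are rejected;
overlapping and adjacent prefixes are collapsed; the result is rendered as the
acl statement that the named.conf `include` pulls in.
"""
import ipaddress


def parse_prefixes(text, shortest_allowed=16):
    """Parse one prefix or address per line ('#' starts a comment; a trailing
    ';' is tolerated). Returns (networks, errors); each error is
    (line_number, entry, reason). shortest_allowed is an assumed policy knob:
    a subscriber list should not contain prefixes broader than this."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not entry:
            continue
        try:
            # strict=True refuses prefixes with host bits set (e.g. 1.2.1.2/8)
            # instead of silently widening them to 1.0.0.0/8.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
            continue
        if net.prefixlen < shortest_allowed:
            errors.append((lineno, entry, f"broader than /{shortest_allowed}"))
            continue
        nets.append(net)
    return nets, errors


def collapse(nets):
    """Merge overlapping and adjacent prefixes within each address family, so
    the generated acl is minimal and easy to diff against the ISP's list."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_acl(name, nets):
    """Render a named.conf acl statement: every element ends with ';' and the
    closing brace is followed by ';' as well."""
    body = "\n".join(f"    {net};" for net in nets)
    return f'acl "{name}" {{\n{body}\n}};\n'


def build_acl(name, text, shortest_allowed=16):
    """Full pipeline. Returns (acl_text, errors); acl_text is None whenever a
    line was rejected, so a bad list never yields a half-filled acl file."""
    nets, errors = parse_prefixes(text, shortest_allowed)
    if errors:
        return None, errors
    return render_acl(name, collapse(nets)), []


# Constructed sample list, not the ISP's real prefixes.
SAMPLE_LIST = """\
192.168.2.0/24
192.168.3.0/24       # adjacent to the line above, collapses to a /23
192.168.2.128/25     # already inside 192.168.2.0/24, redundant
203.0.113.0/24;      # trailing ';' as pasted from a named.conf acl
2001:db8::/32
1.2.1.2/8            # host bits set: rejected
10.0.0.0/8           # broader than the /16 policy: rejected
300.1.1.1            # not an address: rejected
"""

if __name__ == "__main__":
    acl_text, errors = build_acl("caching", SAMPLE_LIST)
    for lineno, entry, why in errors:
        print(f"rejected line {lineno}: {entry} ({why})")
    if acl_text is not None:
        print(acl_text, end="")
```

Run it against the ISP's file and write the returned text to the path the include names (the thread uses /var/named/tw-prefixes); the acl file must still be included before the view that references the acl name.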

Tim Abracadabra 07-05-2014 02:05 AM

Hi Shahzaib,

Glad you got the include of the external BIND access control list to work.
Also, thank you for posting your solution.
That is much appreciated and may help others.
Well done!

BTW, if the issue is resolved to your satisfaction,
could you please mark this thread as solved?

All the best,
Tim Abracadabra

shahzaibcb 07-07-2014 04:09 PM

Our ISP provided us with 2200+ IP prefixes in order to route any request for mydomain.com coming from these IPs towards the local caching server (located at the ISP). We're going to implement this routing using the view clause of the named DNS server. For testing purposes, I had created an internal acl { 1.2.3.4/24; } in order to route any request for mydomain.com coming from 1.2.3.4 towards the specific server.

Now, if I ping mydomain.com from my public modem's IP 1.2.3.4, instead of this IP being routed through the internal acl {}, the reply is coming from the external acl {}, and when I checked the named logs I could see that the IP querying named was different from 1.2.3.4, due to which the reply is coming from the external view. Is that the default behaviour of named? Why is the client IP not directly hitting our DNS server? Can BIND get the real IP of the client? How can I achieve this routing goal of directing a specific client IP to a specific server? Help is highly required.

shahzaibcb 07-12-2014 01:56 AM

I am getting strange behaviour from BIND here. Following is the main config regarding the caching{} and external{} views.

[root@DNTX056 named]# cat /var/named/tw-prefixes
acl caching {
    74.25.0.0/16;
};

/etc/named.conf :-

// the acl file has to be included before the views that reference the acl
include "/var/named/tw-prefixes";

view "TW" {
    match-clients { caching; };
    allow-query { caching; };
    zone "files.com" {
        type master;
        file "tw.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";

    zone "gear.com" {
        type master;
        file "gear.com.tw";
    };
};

view "external" {
    match-clients { any; };
    zone "files.com" {
        type master;
        file "files.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";

    zone "gear.com" {
        type master;
        file "gear.com.db";
    };
};


Now, when the client queries the domain lw.gear.com, the named logs first show the IP 74.125.17.85 (an internal ACL IP) as the client and display the TW view, then immediately show the IP 137.39.110.236 and display the external view, and I get the reply back with the external zone's IP instead of the TW zone's. Please check the logs below:

12-Jul-2014 11:43:26.848 queries: info: client 74.125.17.82#41818: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.884 queries: info: client 74.125.17.85#53102: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.921 queries: info: client 74.125.17.85#41739: view TW: query: lw.gear.com IN A - (82.192.87.87)
12-Jul-2014 11:43:27.238 queries: info: client 137.39.110.236#25599: view external: query: lw.gear.com IN A -ED (82.192.87.87)

Why is named falling back to the external view when the query is already answerable from the TW view?

I have been scratching my head for the last 24 hours. :(
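
As an added example, not from the thread, the log lines above can be replayed against the view-selection rule in Python. BIND tries views in the order they appear in named.conf, and the first view whose match-clients list covers the source address of the query wins; so for every logged line the question is whether the recorded view agrees with that rule for the logged client address. The replay makes two things visible. First, with the acl prefix exactly as posted (74.25.0.0/16), the 74.125.17.x addresses the log shows in view TW are not covered by it, so the check flags those lines; the live acl evidently differs from what was pasted, and that kind of discrepancy is what the check exists to surface. Second, the flags field records whether the querier set RD: '+' means yes, which is what an end host's stub resolver sends; '-' means no, which is what a recursive resolver sends while iterating on a user's behalf. All four lines carry '-', so the addresses this authoritative server sees are those of recursive resolvers, not of the subscriber, and an address-based view can only steer users whose resolvers are in the list. The acl and view names are the thread's; the '!' negation handling and the cycle check go beyond the posted configuration.

```python
"""Replay BIND view selection against query-log lines (added example).

Views are tried in named.conf order; the first whose match-clients covers the
query's source address wins. Each logged line is checked against that rule,
and the RD flag ('+' set, '-' clear) is read to tell end hosts from resolvers.
"""
import ipaddress
import re

# Address lists as posted in the thread, keyed by acl name. An entry is a
# prefix or the name of another acl (the thread's acl "tw" { caching; }).
# "any" and "none" mirror BIND's built-in lists.
ACLS = {
    "caching": ["74.25.0.0/16"],
    "tw": ["caching"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# Views in the order they appear in the posted named.conf.
VIEWS = [
    ("TW", ["caching"]),
    ("external", ["any"]),
]


def expand_acl(entry, acls=ACLS, _seen=frozenset()):
    """Flatten an acl name (possibly nested) or a single prefix into networks.
    A self-referencing acl raises instead of recursing forever."""
    if entry in acls:
        if entry in _seen:
            raise ValueError(f"acl cycle through {entry!r}")
        nets = []
        for item in acls[entry]:
            nets.extend(expand_acl(item, acls, _seen | {entry}))
        return nets
    return [ipaddress.ip_network(entry, strict=False)]


def address_list_matches(addr, elements, acls=ACLS):
    """BIND address-match-list rule: elements are tested in order and the first
    one covering addr decides; a leading '!' turns that decision into 'no'.
    Negation inside a nested acl is not modelled here."""
    for element in elements:
        negated = element.startswith("!")
        if any(addr in net for net in expand_acl(element.lstrip("!"), acls)):
            return not negated
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients covers client_ip, or None
    when no view matches (named then refuses the query)."""
    addr = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if address_list_matches(addr, match_clients, acls):
            return name
    return None


# BIND 9 query-log line, e.g.
#   client 74.125.17.85#53102: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
LOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: view (?P<view>\S+): query: "
    r"(?P<name>\S+) \S+ (?P<qtype>\S+) (?P<flags>\S+)"
)


def check_query_log(lines, views=VIEWS, acls=ACLS):
    """Per log line: the view BIND recorded, the view the ordering rule
    predicts for that source address, whether they agree, and whether the
    querier set RD (an end host) rather than leaving it clear (a resolver)."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        expected = select_view(m["ip"], views, acls)
        results.append({
            "client": m["ip"],
            "qname": m["name"],
            "logged_view": m["view"],
            "expected_view": expected,
            "consistent": expected == m["view"],
            "recursion_desired": m["flags"].startswith("+"),
        })
    return results


# The four lines quoted in the post above.
SAMPLE_LOG = """\
12-Jul-2014 11:43:26.848 queries: info: client 74.125.17.82#41818: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.884 queries: info: client 74.125.17.85#53102: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.921 queries: info: client 74.125.17.85#41739: view TW: query: lw.gear.com IN A - (82.192.87.87)
12-Jul-2014 11:43:27.238 queries: info: client 137.39.110.236#25599: view external: query: lw.gear.com IN A -ED (82.192.87.87)
"""

if __name__ == "__main__":
    for r in check_query_log(SAMPLE_LOG.splitlines()):
        status = "ok" if r["consistent"] else "MISMATCH"
        rd = "RD set (end host)" if r["recursion_desired"] else "RD clear (resolver)"
        print(f"{r['client']:>16} logged={r['logged_view']:<9} "
              f"expected={r['expected_view']!s:<9} {status}, {rd}")
```

To test a view against the real server rather than the replay, issue the query from an address inside and outside the acl and compare answers; the address that matters is the one the resolver uses to reach the authoritative server, which is what the log's client field shows.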

