LinuxQuestions.org
#1  06-11-2014, 03:56 AM
shahzaibcb (LQ Newbie)
Direct specific client to specific server via DNS !!


Can I direct a specific client (1.2.3.4) to a specific server (192.168.X.X)?

Suppose a client sends a request to the DNS server for test.files.com; the DNS server checks that the client's IP is 1.2.3.4 and answers the request for test.files.com with the server IP 192.168.10.20. Another client sends the same request for test.files.com from IP 10.1.1.1; the DNS server checks that the client's IP is 10.1.1.1 and answers the request for test.files.com with the server 192.168.10.30.

Regards.
Shahzaib
 
#2  06-11-2014, 04:26 AM
acid_kewpie (Moderator)
You've not said anything about the DNS solution you're using, but presuming it's BIND, you can use match-clients in a view definition to achieve this. http://www.howtoforge.com/two_in_one_dns_bind9_views
 
#3  06-11-2014, 04:29 AM
shahzaibcb (LQ Newbie, original poster)
Thanks for the reply Chris, yes it's BIND.
 
#4  06-11-2014, 04:33 AM
TenTenths (Senior Member)
As an alternative you could point test.files.com to 192.168.10.30 and then use something like haproxy to check the source IP of the client and pass it through to 192.168.10.20.

The method you are suggesting (using DNS) could be vulnerable to something as simple as the user making a hosts file entry to point to 192.168.10.30.

Depending, of course, on the way your network(s) are defined, you may have the source IP masked with NAT.

 
#5  06-11-2014, 05:17 AM
shahzaibcb (LQ Newbie, original poster)
> The method you are suggesting (using DNS) could be vulnerable to something as simple as the user making a hosts file entry to point to 192.168.10.30

Well, we're running a video streaming site and deploying a caching server to cache videos at the local ISP end (located in Asia) to save bandwidth and direct any traffic from that ISP's users towards the local caching server (192.168.10.20). The ISP provided us the IP pool of its users only for directing those users towards the caching server; the rest should be served from the main server (located in the U.S.).

Say one of the ISP's users changed his hosts file to point to IP 192.168.10.30. What vulnerability could occur?

I am a newbie to this DNS thing and will really appreciate your help on it.
 
#6  06-11-2014, 05:30 AM
TenTenths (Senior Member)
If you're using this to load-balance and distribute content, then the server the user is pulling from wouldn't really cause a vulnerability. If you were hosting different files and wanting to use the client IP as a form of access control, then by changing the IP in the hosts file they could decide which of the servers to actually pick from.
 
#7  06-11-2014, 08:26 AM
shahzaibcb (LQ Newbie, original poster)
Thanks for the reply and help. I have set up a DNS server locally, and all requests from 192.168.2.0/24 for test.com are going to the specific IP while other requests are going to the main IP, just as I wanted. Following is the main named.conf config. Do I need to add something more?

// The acl is defined before the views that reference it (the BIND ARM
// states that an acl name must be defined before it is used elsewhere).
acl "caching" {
    127.0.0.0/8;
    192.168.2.0/24;
};

view "caching" {
    match-clients { caching; };
    recursion yes;
    zone "test.com" {
        type master;
        file "db.test.com.cache";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "test.com" {
        type master;
        file "db.test.com.ext";
    };
};

 
#8  06-11-2014, 09:18 AM
szboardstretcher (Senior Member)
If you want more information about this, it's called 'split-horizon DNS' or more simply 'split DNS.'

It's a common occurrence, and I've seen it (improperly) used in place of BGP at some companies, i.e., let the DNS server decide what the closest server to you is.
 
#9  06-12-2014, 08:43 AM
shahzaibcb (LQ Newbie, original poster)
Thanks guys for helping me out. I'll definitely look into it.
 
#10  07-04-2014, 01:29 AM
shahzaibcb (LQ Newbie, original poster)
Can I include a file in an acl? I need to include 1800+ IP prefixes for directing their traffic to a specific server. I want to put those prefixes into a file and include it into the acl:

acl "caching" {
    127.0.0.0/8;
    192.168.2.0/24;
};

I want to do it like below:

acl "caching" {
    include "/etc/prefixes";
};
 
#11  07-04-2014, 03:09 AM
Tim Abracadabra (Member)
Hi Shahzaib,

Quote (originally posted by shahzaibcb):
> Can I include a file in an acl? I need to include 1800+ IP prefixes for directing their traffic to a specific server. I want to put those prefixes into a file and include it into the acl:
>
> acl "caching" {
>     127.0.0.0/8;
>     192.168.2.0/24;
> };
>
> I want to do it like below:
>
> acl "caching" {
>     include "/etc/prefixes";
> };
You almost have it! (Note: I have not tested this, but it should be close, so take it with a grain of salt.)

You can try:
Add to the file you show above (named.conf maybe?) this line where you want to include the acl:

include "/etc/bind/named.conf.authdnscache";

Name the file as you wish; I just chose named.conf.authdnscache as it seemed appropriate.

Then create the file in /etc/bind:

touch /etc/bind/named.conf.authdnscache

(Adjust as appropriate and desired.)

Edit (vi, vim, nano, ...) the named.conf.authdnscache file and at the top enter:

acl caching {
    129.79.247.111;
    129.79.247.120;
};

The IP addresses shown above, 129.79.247.111 and 129.79.247.120, are for example only.
In between the curly braces, list the IP addresses you need, separated by semicolons.
Don't forget the ending curly brace and semicolon.


Hope that helps,

Tim
 
#12  07-04-2014, 05:29 PM
shahzaibcb (LQ Newbie, original poster)
Thanks, that helped. What I did is: created another file and assigned acl{caching} there, then included it into named.conf just as you advised; after that I created another acl{tw} in named.conf and included the caching acl into tw. Following is the method:

named.conf :-

include "/var/named/tw-prefixes";
acl "tw" {
    caching;
};

/var/named/tw-prefixes :-

acl caching {
    127.0.0.0/8;
    1.2.1.2/8;
};

Thanks a lot @Tim :-)
 
#13  07-05-2014, 03:05 AM
Tim Abracadabra (Member)
Hi Shahzaib,

Glad you got the include of the external bind access control list to work.
Also, Thank you for posting your solution.
That is much appreciated and may help others.
Well done!

BTW - If the issue is resolved to your satisfaction,
could you please mark this thread as solved?

All the best,
Tim Abracadabra

 
#14  07-07-2014, 05:09 PM
shahzaibcb (LQ Newbie, original poster)
Our ISP provided us with 2200+ IP prefixes in order to route any request for mydomain.com coming from these IPs towards the local caching server (located at the ISP). We're going to implement this routing using the view clause of the named DNS server. For testing purposes, I had created an internal acl { 1.2.3.4/24; } in order to route any request for mydomain.com coming from 1.2.3.4 towards the specific server. Now, if I ping mydomain.com from my public modem's IP 1.2.3.4, instead of this IP being routed via the internal acl {}, the reply comes from the external acl {}, and when I checked the named logs I could see that the IP querying named was different from 1.2.3.4, due to which the reply comes from the external view. Is that the default behaviour of named? Why is the client IP not directly hitting our DNS server? Can BIND get the real IP of the client? How can I achieve this routing goal of directing a specific client IP to a specific server? Help is highly required.

 
#15  07-12-2014, 02:56 AM
shahzaibcb (LQ Newbie, original poster)
I am getting strange behaviour from BIND here. Following is the main config regarding the caching{} and external{} views.

[root@DNTX056 named]# cat /var/named/tw-prefixes
acl caching {
    74.25.0.0/16;
};

/etc/named.conf :-

// The acl file is included before the views that reference "caching"
// (the BIND ARM states that an acl name must be defined before it is used).
include "/var/named/tw-prefixes";

view "TW" {
    match-clients { caching; };
    allow-query { caching; };
    zone "files.com" {
        type master;
        file "tw.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";

    zone "gear.com" {
        type master;
        file "gear.com.tw";
    };
};

view "external" {
    match-clients { any; };
    zone "files.com" {
        type master;
        file "files.com.db";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";

    zone "gear.com" {
        type master;
        file "gear.com.db";
    };
};


Now when the client queries the domain lw.gear.com, the named logs first show the client IP 74.125.17.85 (an internal ACL IP) and display the TW view, then immediately show the IP 137.39.110.236 and display the external view, and I get the reply back with the external zone IP instead of the TW zone. Please check the logs below:

12-Jul-2014 11:43:26.848 queries: info: client 74.125.17.82#41818: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.884 queries: info: client 74.125.17.85#53102: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.921 queries: info: client 74.125.17.85#41739: view TW: query: lw.gear.com IN A - (82.192.87.87)
12-Jul-2014 11:43:27.238 queries: info: client 137.39.110.236#25599: view external: query: lw.gear.com IN A -ED (82.192.87.87)

Why is named falling back to the external view when the query is already available in the TW view?

I have been scratching my head for the last 24 hours.
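Named picks the view from the source address of the packet that reaches it, not from the address of whoever typed the original lookup. The flags in the log lines above tell the story: the "-" in "-ED" and "-" means the query did not ask for recursion, i.e. these are iterative queries from recursive resolvers, so the address named sees is a resolver's address and the user behind the modem is invisible to it. The last line is not a fall-back inside named either: 137.39.110.236 is a different source that the caching acl does not cover, so "external" is exactly what match-clients should select for it. The script below is an added example, not code from this thread or from BIND. It replays query-log lines in the format shown above against the acl file and the view order from the posted named.conf, and flags any line where the view named logged differs from what the acl predicts; that makes an acl that does not cover the resolvers you expected show up as a list of mismatches instead of a head-scratcher. It assumes a caching acl of 74.125.0.0/16, chosen so that the 74.125.17.x clients the post describes as internal fall inside it (the posted prefix file says 74.25.0.0/16, which does not contain them); VIEW_ORDER mirrors the two match-clients clauses in the posted config.

```python
import ipaddress
import re

# Constructed acl file in the format of the posted /var/named/tw-prefixes.
# Assumption: 74.125.0.0/16 is used so that the 74.125.17.x resolvers in the
# posted log fall inside the acl, as the post says they should.
ACL_TEXT = """\
acl caching {
    127.0.0.0/8;
    74.125.0.0/16;
};
"""

# match-clients of the two views, in the order they appear in the posted named.conf.
VIEW_ORDER = [
    ("TW", ["caching"]),
    ("external", ["any"]),
]

# The four query-log lines copied from the post above.
SAMPLE_LOG = """\
12-Jul-2014 11:43:26.848 queries: info: client 74.125.17.82#41818: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.884 queries: info: client 74.125.17.85#53102: view TW: query: lw.gear.com IN A -ED (82.192.87.87)
12-Jul-2014 11:43:26.921 queries: info: client 74.125.17.85#41739: view TW: query: lw.gear.com IN A - (82.192.87.87)
12-Jul-2014 11:43:27.238 queries: info: client 137.39.110.236#25599: view external: query: lw.gear.com IN A -ED (82.192.87.87)
"""

ACL_RE = re.compile(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}')
# Newer BIND releases print "client @0x... ADDR#PORT"; the optional group accepts both forms.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]+)\)"
)


def parse_acls(text):
    """Map acl name -> list of address-match-list elements, comments stripped."""
    text = re.sub(r"(//|#).*", "", text)
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in ACL_RE.findall(text)}


def match_list(ip, elems, acls):
    """BIND address-match-list semantics: the first element that matches decides,
    a leading '!' turns that match into a rejection, and a bare word names another acl."""
    addr = ipaddress.ip_address(ip)
    for elem in elems:
        negate = elem.startswith("!")
        item = elem.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item in acls:
            hit = match_list(ip, acls[item], acls)
        else:
            try:
                hit = addr in ipaddress.ip_network(item, strict=False)
            except ValueError:
                raise ValueError(f"unknown acl name or bad prefix: {item!r}")
        if hit:
            return not negate
    return False


def select_view(ip, views, acls):
    """Name of the first view whose match-clients accepts ip, or None if no view does."""
    for name, clients in views:
        if match_list(ip, clients, acls):
            return name
    return None


def audit(log_text, views, acls):
    """Replay the query log: which view should each source address have landed in?"""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        expected = select_view(m["ip"], views, acls)
        rows.append({"ip": m["ip"], "qname": m["qname"], "flags": m["flags"],
                     "logged": m["view"], "expected": expected,
                     "ok": expected == m["view"]})
    return rows


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for r in audit(SAMPLE_LOG, VIEW_ORDER, acls):
        status = "ok" if r["ok"] else "MISMATCH"
        print(f'{r["ip"]:>16} flags={r["flags"]:<4} logged={r["logged"]:<9} '
              f'expected={r["expected"]:<9} {status}')
```

With the assumed acl every logged line is consistent, which is the point: the 137.39.110.236 query was answered from "external" because that resolver is outside the acl, not because named fell back. Feed the script the prefix file exactly as posted (74.25.0.0/16) and the three TW lines come back as mismatches, which is how a typo in the acl would surface. The broader caveat from earlier in the thread still applies: a view selected by source address steers whichever resolver forwarded the query; it neither identifies the end user nor stops anyone from overriding the answer locally, so it is a routing convenience, not an access control.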
 
  

