Hi there,

On Sat, Feb 07, 2004 at 01:46:46PM -0500, Louis LeBlanc wrote:
> That is to say it will accept DNS requests from local agents, filter
> out IPV6 request packets, and forward IPV4 requests to our backend DNS
> server in a way that the backend server will believe it has received
> them directly from the local server and send the response directly
> back to the local DNS agent, not the filter/forwarder.
> As I understand things, this will mean rewriting the outgoing IP
> header, UDP header (TCP support is not needed), so that they each
> contain the address of the local agent as the sender IP, and leaving
> the DNS header unchanged.  Or better yet, simply forwarding the entire
> IP packet unchanged so that even the IP identification field is
> intact.

> The DNS header is easy enough, since that's in the application layer,
> but I'm having trouble finding out how to rewrite the transport and
> network layer headers, or to simply forward the whole packet.

You might be able to do this with one of the various firewalls already.
Perhaps check out ipfilter and pf.

If using ipfw you can divert all DNS traffic to a divert(4) socket
which you can then connect to your DNS application.
If the application likes what it sees it can send the packet back
via divert for forwarding to the real DNS target - no modifications
If the DNS packet doesnt meet the specs, it can be dropped.

Another possibiliy might be a netgraph module, although netgraph
seems typically more suited to layer2 type applications.

Hope it helps,


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to