On Fri, Mar 29, 2002 at 11:37:55PM -0600, Mark Rinaudo (rr) wrote:
> I was wondering if anyone has seen an extension to netfilter to allow 
> the use of dynamic dns names as sources in the filter table.

There is none right now.

> This would allow people with dynamic dns to be ACCEPTed or DENYed in
> with a rule that would periodically update itself as the client
> changed ip addresses.

Yes. That would be possible. It would also probably be vetoed on the basis
of putting a DNS resolver into the kernel. It does not belong there.

Some time ago, I suggested a solution where a user level process
does the DNS lookups periodically, and tells the kernel if things
change. I can provide the kernel part for that to work. To date,
nobody has stepped up and said he'd do the userlevel part. I won't,
and I won't start on the kernel part before I see the userlevel thing.

> I'm not sure if there is any security risk with this

There is. Your ruleset now relies on information dynamically modified
from an external source. That external source is now a "configuration knob"
for your firewall, lessening its security.

> or not but I sure could use something like this and would be interested
> in attempting an extension to do it IF someone else isn't already working
> on this idea.

Good to hear. Here's roughly what I want you to do:

        - write a user level daemon
        - have it read a config file which lists one DNS name per line,
          or something like that
        - have it query DNS for those names, and re-query according to
          the TTL of the replies
        - the DNS reply will, in general, consist of a list of A records.
          Let's imagine you put the addresses into an array of 32 bit
          addresses, array called dns_addr[], with the number of entries
          in nr_dns_addr.
        - call a function like this when you have made a lookup and got
          some results:
                set_dns_pool("www.something.com", nr_dns_addr, dns_addr);
        - in iptables rules, use
                iptables -A FORWARD -m pool --srcpool www.something.com -j BLA

I can provide you with a working set_dns_pool() function and kernel part,
if you give me the user level stuff.

Deal?

best regards
  Patrick

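The user-level half of the scheme sketched above, as an added example that is not code from this thread or from netfilter: it reads the one-name-per-line config file, re-queries each name when its TTL runs out, converts the A records into an array of 32-bit addresses, and calls a set_dns_pool(name, nr_dns_addr, dns_addr) hook only when the address set actually changed. The hook is the kernel-side function Patrick offers to supply; here it is an injected callable so the logic runs offline against a constructed, scripted resolver. The resolver interface (a list of (address, ttl) pairs), the interval floor and ceiling, the address cap, and the choice to keep the last known pool when a lookup fails or returns nothing are all assumptions of this example, chosen because the reply above points out that the zone operator becomes a configuration knob for the firewall. A real daemon needs a resolver that exposes TTLs, which socket.getaddrinfo() does not.

```python
"""Added example: user-level daemon for the netfilter dynamic-DNS pool idea.

Not code from the mailing-list thread.  set_dns_pool() is the hook named in
the message; here it is whatever callable the caller passes in.
"""
import socket
import struct
import time


def read_config(text):
    """Parse the config file suggested in the message: one DNS name per line.
    Blank lines and '#' comments are ignored; names are lower-cased and a
    trailing dot is dropped so the pool name matches the iptables rule."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.lower().rstrip("."))
    return names


def ip_to_u32(ip):
    """Dotted quad -> 32-bit int, the element type of dns_addr[] in the
    message.  inet_pton rejects the loose forms ('1', '0x7f.1') inet_aton
    accepts, so a strange A record cannot sneak in as a different address."""
    return struct.unpack("!I", socket.inet_pton(socket.AF_INET, ip))[0]


class DnsPoolDaemon:
    """Periodic resolver feeding one address pool per name to the kernel.

    resolve(name) returns a list of (ipv4_string, ttl_seconds) pairs or
    raises on failure (assumed interface, e.g. a wrapper around a DNS
    library that exposes rrset TTLs).  set_dns_pool(name, nr, addrs) is the
    kernel hook from the message.
    """

    def __init__(self, names, resolve, set_dns_pool, clock=time.monotonic,
                 min_interval=30, max_interval=3600, max_addrs=64):
        self.names = names
        self.resolve = resolve
        self.set_dns_pool = set_dns_pool
        self.clock = clock
        self.min_interval = min_interval    # floor on re-query interval
        self.max_interval = max_interval    # ceiling on staleness
        self.max_addrs = max_addrs          # cap on pool size
        self.pools = {}                     # name -> sorted tuple of u32
        self.next_query = {name: 0.0 for name in names}

    def _refresh(self, name, now):
        try:
            answers = self.resolve(name)
        except Exception:
            # Lookup failed: keep the last known pool rather than pushing a
            # flapping or empty set, and retry after the floor interval.
            self.next_query[name] = now + self.min_interval
            return False
        addrs = tuple(sorted({ip_to_u32(ip) for ip, _ttl in answers}))
        ttl = min((ttl for _ip, ttl in answers), default=self.min_interval)
        # The TTL is chosen by the remote zone, i.e. by the "external
        # source" the reply warns about.  Clamp it so a 0-second TTL cannot
        # turn the daemon into a DNS flood and a huge TTL cannot leave an
        # address in the pool for days after the host moved.
        wait = max(self.min_interval, min(ttl, self.max_interval))
        self.next_query[name] = now + wait
        if not addrs or len(addrs) > self.max_addrs:
            # Empty or absurdly large answer: treat like a failed lookup.
            return False
        if self.pools.get(name) == addrs:
            return False                    # unchanged: no kernel call
        self.pools[name] = addrs
        self.set_dns_pool(name, len(addrs), list(addrs))
        return True

    def tick(self):
        """One scheduler pass: refresh every name whose timer has expired.
        Returns the names whose pool was pushed to the kernel this pass."""
        now = self.clock()
        return [n for n in self.names
                if now >= self.next_query[n] and self._refresh(n, now)]

    def run(self, poll=1.0):
        """Daemon main loop."""
        while True:
            self.tick()
            time.sleep(poll)


if __name__ == "__main__":
    # Constructed demo: a scripted resolver standing in for real DNS.
    script = {"www.example.net": [[("192.0.2.10", 300), ("192.0.2.11", 300)]]}
    d = DnsPoolDaemon(read_config("www.example.net\n"),
                      lambda n: script[n].pop(0),
                      lambda n, k, a: print("set_dns_pool", n, k, [hex(x) for x in a]))
    d.tick()
```

Which failure mode you pick matters more than the scheduling: keeping the last known pool is conservative for a pool that feeds a DROP rule (the old address stays blocked), but for a pool that feeds an ACCEPT rule it means an address the name no longer owns keeps its access until the next successful lookup. That is the cost of the "configuration knob" Patrick describes, and the floor/ceiling/cap only bound it, they do not remove it.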