Differences between revisions 1 and 2
Revision 1 as of 2002-04-04 18:33:46
Size: 2440
Editor: pw
Comment:
Revision 2 as of 2002-04-05 13:44:47
Size: 3559
Editor: pw
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
{{{On 3 Apr 2002, Adam Shand wrote:
> The only problem I can see with this is that without an uplink to the
On 3 Apr 2002, AdamShand wrote:
{{{> The only problem I can see with this is that without an uplink to the
Line 62: Line 62:

{{{> Hrm, interesting. What the hell does the "." and ".*" mean in the left
> hand column? I assume that the CNAME is the magic ... hrm ... this just
> confuses me. I'll have to just go think about it some more. :)}}}

"." is the "I'm the Top Level Domain". Instead of going out to the "a.root-servers.net" (or whatever root servers you specify), we're saying...dammit...I'm the ROOT server for the Internet.

The "*." is a wildcard, that says, anything you wanna resolve, I'll resolve to me ("." on the RHS), which is the 12.34.56.78 address.

If you had other DNS servers that you also wanted to tie into this config, you would have to configure their named.root file appropriately, like:

{{{. 3600000 IN NS dns.somedomain.net.
dns.somedomain.net. 3600000 A 12.34.56.78}}}

Then, you'd have yourself a nice little containerized environment, where you're spoofing EVERYTHING to be whatever you want (i.e. 12.34.56.78 in this case). Obviously, all clients would have to use the "12.34.56.78" or other appropriately config'd DNS servers as their Resolvers.
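Review bot: the named.root snippet (`. 3600000 IN NS dns.somedomain.net.` / `dns.somedomain.net. 3600000 A 12.34.56.78`) only takes effect on the other servers if their named.conf points a hint zone at it (`zone "." { type hint; file "named.root"; };`); the sentence "configure their named.root file appropriately" should say that the file replaces the real root hints and must be the one the hint zone references, otherwise those servers keep using the Internet root servers and nothing is contained.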

ShaneGibson posted this little gem to the mailing list.

On 3 Apr 2002, AdamShand wrote:
{{{> The only problem I can see with this is that without an uplink to the
> internet so DNS works you (and any clients) will have to go directly
> to the gateway by IP address in order to get the splash page, otherwise
> you'll hang indefinitely waiting for the DNS to resolve.
>
> I've been thinking about twiddling around with a DNS server and seeing
> if I can figure out how to get a DNS server to always respond to any DNS
> query with its own IP address for situations like this.
>
> I think dnsmasq might do it, or otherwise you could probably do it by
> replacing the root.cache file in your bind setup but I haven't actually
> done it to see what caveats may exist.}}}

We do DNS spoofing in our QA network environment. Since the QA data utilizes production data in its environment, we don't want stuff leaking out to the outside world by accident. So we ensure that all DNS resolution for "real" domains is spoofed by our internal DNS. We also block outbound data via the firewall, but just in case... This is essentially what Adam is talking about above (or one approach to the issue). Here's how we do it. (Note: IPs have been changed to protect the not-so-innocent!)

In your /etc/named.conf

{{{/* named runs chroot'ed to /var/named */
options {
        pid-file "/named.pid";
        directory "/";          // chroot'ed
        datasize 128m;
};

zone "." {
        type master;
        file "loc/root.db";
};

zone "localhost" {
        type master;
        file "loc/localhost";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "loc/127.0.0";
};

zone "56.34.12.in-addr.arpa" {
        type master;
        file "loc/56.34.12";    // or whatever your reverse zone is!
};}}}

The important file is root.db and needs to look like this:

{{{$TTL 1h
.       IN SOA  dns.personaltelco.net. root.personaltelco.net. (
                2002040400 3h 1h 7d 24h )

.       IN NS   dns.personaltelco.net.

.       IN A    12.34.56.78
.       IN MX   10 dns.personaltelco.net.  ; MX exchange must be a hostname, not an IP literal
*.      IN CNAME .}}}

This simply wildcards all lookups to resolve locally, and we now have spoofed everything. Works like a charm for us. May be of some use in the above proposed setup.

{{{> Hrm, interesting. What the hell does the "." and ".*" mean in the left
> hand column? I assume that the CNAME is the magic ... hrm ... this just
> confuses me. I'll have to just go think about it some more. :)}}}

"." is the "I'm the Top Level Domain". Instead of going out to the "a.root-servers.net" (or whatever root servers you specify), we're saying...dammit...I'm the ROOT server for the Internet.

The "*." is a wildcard, that says, anything you wanna resolve, I'll resolve to me ("." on the RHS), which is the 12.34.56.78 address.

If you had other DNS servers that you also wanted to tie into this config, you would have to configure their named.root file appropriately, like:

{{{.                    3600000 IN NS  dns.somedomain.net.
dns.somedomain.net.     3600000 IN A   12.34.56.78}}}

Then, you'd have yourself a nice little containerized environment, where you're spoofing EVERYTHING to be whatever you want (i.e. 12.34.56.78 in this case). Obviously, all clients would have to use the "12.34.56.78" or other appropriately config'd DNS servers as their Resolvers.
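As an added illustration (not code from the original page or from Shane Gibson's post), here is a small Python model of how a server that is master for "." answers queries from the root.db above: the exact owner name is tried first, otherwise the "*." wildcard is used, and the CNAME to "." is followed to the apex A record, which is why every name ends up at 12.34.56.78. It also includes a defender-side check for the same behaviour: probe a resolver with a handful of random names and flag it as a catch-all when they all come back with one address. The zone text is copied from the post; the matching logic is a simplification of BIND's wildcard rules, and the probe names and `.test` suffix are constructed.

```python
import random
import string

# Constructed copy of the root.db records from the post that matter for name
# resolution ($TTL, the SOA timers and the MX record are left out to keep the
# parser small).
ROOT_DB = """\
. IN SOA dns.personaltelco.net. root.personaltelco.net. 2002040400
. IN NS dns.personaltelco.net.
. IN A 12.34.56.78
*. IN CNAME .
"""


def canonical(name):
    """Lowercase, absolute (trailing-dot) form of a domain name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Parse 'owner class type rdata' lines into {owner: [(type, rdata), ...]}."""
    zone = {}
    for line in text.strip().splitlines():
        owner, _cls, rtype, rdata = line.split(None, 3)
        zone.setdefault(canonical(owner), []).append((rtype.upper(), rdata.strip()))
    return zone


def lookup(zone, name, rtype, max_chain=8):
    """Answer a query the way the root-authoritative server in the post does.

    Exact owner name first; any other name is synthesised from the "*."
    wildcard (simplified: in this zone only "." exists explicitly, so every
    other name matches the wildcard). CNAMEs are chased within the zone.
    Returns (cname_chain, answers); empty answers mean NXDOMAIN or NODATA.
    """
    name = canonical(name)
    chain = []
    for _ in range(max_chain):
        rrset = zone.get(name)
        if rrset is None:
            rrset = zone.get("*.")          # wildcard synthesis
        if rrset is None:
            return chain, []                # no wildcard either: NXDOMAIN
        answers = [rd for t, rd in rrset if t == rtype]
        if answers:
            return chain, answers
        cnames = [rd for t, rd in rrset if t == "CNAME"]
        if not cnames:
            return chain, []                # name exists, no data of that type
        chain.append((name, canonical(cnames[0])))
        name = canonical(cnames[0])         # follow the CNAME (to "." here)
    raise RuntimeError("CNAME chain too long: %r" % chain)


def looks_like_catch_all(resolve, probes=5, seed=None):
    """Defender-side check: ask for several random, unrelated names; if every
    one resolves and all answers are the same address, the resolver behaves
    like the catch-all server in the post (captive portal, lab sandbox, or a
    spoofing resolver in the path). resolve(name, rtype) -> (chain, answers).
    """
    rng = random.Random(seed)
    addresses = set()
    for _ in range(probes):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
        _chain, answers = resolve(label + ".test", "A")   # constructed probe name
        if not answers:
            return False                    # an honest resolver returns NXDOMAIN
        addresses.update(answers)
    return len(addresses) == 1


if __name__ == "__main__":
    zone = parse_zone(ROOT_DB)
    for q in ("www.example.com", "dns.personaltelco.net", "."):
        chain, answers = lookup(zone, q, "A")
        print("%-24s -> %s via %s" % (q, answers, chain))
    print("catch-all resolver:", looks_like_catch_all(lambda n, t: lookup(zone, n, t)))
```

Running it against the post's zone shows the CNAME chain `www.example.com. -> .` and the final answer 12.34.56.78 for every name, and the catch-all check comes back true; pointed at a stub resolver that returns NXDOMAIN for random names, the same check returns false.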


[CategoryDocumentation]

DnsSpoofing (last edited 2007-11-23 18:01:54 by localhost)