[TriLUG] iptables question on redirection & circumvention reporting

Thomas Delrue via TriLUG trilug at trilug.org
Mon May 22 15:42:04 EDT 2017


Hello,

I have an internal network with a couple tens-to-hundred devices on it.
For internal reasons, everyone on the network should be using a specific
set of DNS servers; for giggles, let's assume that the IPs of those DNS
servers are 10.0.0.2 & 10.0.0.3.
On the router for this network, we've set it so that it will use that
particular DNS server to resolve domains, and by default we use DHCP to
tell all clients to use their gateway when resolving DNS queries, thus
using 10.0.0.2 or 10.0.0.3.

However, I'm sure you feel where I'm going because there's always that
one guy/gal who's a tad bit too clever for their own good:
We've run some traces and figured out that some of the folks (these are
people who are tech-savvy, don't have access to the router but do have
admin/root powers on their own machines) have been setting their own
machines to use a non-sanctioned DNS server (e.g. 8.8.8.8 for you
Google people out there).

My question is twofold:

First: Is there a way, using iptables (or some other firewall), to
intercept DNS requests to anything but 10.0.0.2 and 10.0.0.3 and
redirect them to 10.0.0.2 or 10.0.0.3 in such a way that said users
would /think/ they get a response from 8.8.8.8 (i.e. they fire off their
request to 8.8.8.8) but they actually get a response from 10.0.0.2 or
10.0.0.3.

Second: If I wanted to figure out, on an ongoing basis (i.e. for future
attempts), how many of these things are happening, when they are
happening and who is using the non-sanctioned DNS server, how would I
generate a log of this? I would want genuine requests (to 10.0.0.2 or
10.0.0.3) to /not/ show up in the log and non-genuine requests (to port
53 on /anything but/ either 10.0.0.2 or 10.0.0.3) to show up with
time-stamp and source IP.
What would this look like?

I was thinking about this and came up with something like this for
iptables but don't know if it would work, so before I deploy/test this,
I was wondering if there is anyone who would be able to tell me whether
this would/could work or if this is a dumb thing to do...

iptables -N DNS_MANDATE
# these two DNS servers are mandated
# (the target is ACCEPT; iptables has no ALLOW target. --dport also needs a
# -p udp / -p tcp match, and the jump rules below already matched port 53,
# so it is not repeated here)
iptables -A DNS_MANDATE -d 10.0.0.2 -j ACCEPT
iptables -A DNS_MANDATE -d 10.0.0.3 -j ACCEPT
# log anything that hasn't returned (LOG is non-terminating, so the packet
# continues down the chain; the trailing space keeps the prefix separate
# from the IN= field, and the prefix may be at most 29 characters)
iptables -A DNS_MANDATE -j LOG --log-prefix "DNS Circumvention Attempt: "
# rewrite and redirect
##### [ ??? what goes here to do the actual redirect ??? ] #####
# We're done after the redirect, but let the redirect through
iptables -A DNS_MANDATE -j RETURN # Is this the right thing to do?

# put this in the output chain?
# (OUTPUT only sees packets the router itself generates; packets from the
# LAN hosts that pass through the router traverse FORWARD instead)
iptables -A FORWARD -p tcp --dport 53 -j DNS_MANDATE
iptables -A FORWARD -p udp --dport 53 -j DNS_MANDATE

For extra credit: how would I do this using ip6tables (for servers with
IPv6 addresses assigned)? Would it be massively different? What about
netfilter/nftables?


Thanks

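An added example (not part of the post or of any list reply) that puts the redirect where the router actually sees the LAN clients' packets, the nat table's PREROUTING chain, and turns the resulting LOG lines into the per-client report the second question asks for. Assumptions not in the post: the LAN sits on eth1, the kernel log is fed on stdin, and the sample log lines are constructed.

```shell
# Assumptions (not from the original post): LAN clients reach the router on eth1; the log is read from stdin.
IPT="${IPT:-iptables}"               # IPT="echo iptables" prints the rules instead of loading them
LAN_IF="${LAN_IF:-eth1}"
TAG="DNS Circumvention Attempt: "   # trailing space keeps "SRC=" parseable; LOG allows 29 chars
# nat PREROUTING is where the router sees LAN packets before routing. Conntrack
# un-translates the replies, so the client still sees an answer "from" 8.8.8.8.
dns_mandate_apply() {
    $IPT -t nat -N DNS_MANDATE
    $IPT -t nat -A DNS_MANDATE -d 10.0.0.2 -j RETURN          # sanctioned: untouched, unlogged
    $IPT -t nat -A DNS_MANDATE -d 10.0.0.3 -j RETURN
    $IPT -t nat -A DNS_MANDATE -j LOG --log-prefix "$TAG"     # nat sees a flow's first packet only: one line per flow
    $IPT -t nat -A DNS_MANDATE -j DNAT --to-destination 10.0.0.2:53
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j DNS_MANDATE
        # If 10.0.0.2 is on the same LAN as the clients, its reply would go straight to the
        # client with source 10.0.0.2 and skip the un-NAT; masquerading the DNATed flows
        # that leave via the LAN interface forces the reply back through the router.
        $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p "$proto" --dport 53 \
            -m conntrack --ctstate DNAT -j MASQUERADE
    done
}
# Summarise LOG lines (syslog or "journalctl -k" on stdin) as "<source IP> <count> <first> <last>".
# Queries to 10.0.0.2/3 never reach the LOG rule, so they never appear here.
dns_circumvention_report() {
    awk -v tag="$TAG" '
        index($0, tag) {
            ts = $1 " " $2 " " $3
            src = ""
            for (i = 4; i <= NF; i++) if ($i ~ /^SRC=/) { src = substr($i, 5); break }
            if (src == "") next
            if (!(src in n)) first[src] = ts
            n[src]++; last[src] = ts
        }
        END { for (s in n) printf "%s %d %s %s\n", s, n[s], first[s], last[s] }' | sort
}
# Constructed sample of what the LOG rule writes (not captured from a real network).
SAMPLE_LOG='May 22 15:42:04 gw kernel: DNS Circumvention Attempt: IN=eth1 OUT= SRC=10.0.0.57 DST=8.8.8.8 PROTO=UDP SPT=41234 DPT=53
May 22 15:42:09 gw kernel: DNS Circumvention Attempt: IN=eth1 OUT= SRC=10.0.0.57 DST=8.8.8.8 PROTO=UDP SPT=41235 DPT=53
May 22 15:43:30 gw kernel: DNS Circumvention Attempt: IN=eth1 OUT= SRC=10.0.0.91 DST=8.8.8.8 PROTO=TCP SPT=50122 DPT=53
May 22 15:44:00 gw kernel: unrelated rule: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=10.0.0.2 PROTO=UDP DPT=53'
case "${1:-}" in
    apply)  dns_mandate_apply ;;
    report) dns_circumvention_report ;;                       # journalctl -k | sh dns_mandate.sh report
    demo)   printf '%s\n' "$SAMPLE_LOG" | dns_circumvention_report ;;
esac
```

The same nat/DNAT rules work under ip6tables with IPv6 addresses on kernels from 3.7 onward, which is when IPv6 NAT was added.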

