Security Basics mailing list archives

RE: DNS Manipulation via IPTables or other means?


From: "Paul Ryland" <paul () transversal com>
Date: Thu, 23 Nov 2006 12:13:21 -0000

  
Honestly, I have worked with iptables in really complex
environments for many years; I never have heard of
manipulating DNS records on the fly. I don't even think you
can do this with string matching, since string matching lets
you check for a string, not manipulate it.

I really wonder why views aren't scalable; maybe there is
another solution. I always draw my stuff out on paper (yes,
REAL paper :)) and visualize it that way, then find an easier
solution by looking at the picture. Views in BIND are meant
for this kind of thing: different access control for
different IPs gives you different results. Would you mind
sharing some more info? Maybe the number of views you are
handling etc. Maybe someone comes up with a more streamlined idea?

Consider this example, your company wants to provide access to a 
partner company over an IPSec VPN connection.  The servers at both 
companies are on the same 192.168.1.0/24 network.  Your company 
wants to also forward DNS requests to your partner company's DNS 
server for lookups involving their internal DNS domain.

There are several points worth noting about this setup:

i) NAT will have to be used to prevent the two internal networks
colliding.

ii) Your partner company's DNS server will be returning addresses on
your own network, not on the remote NAT'ed network.

iii) You might not be able to request views on your partner company's
DNS server.

iv) It is not a scalable and maintainable solution to provide spoofed
zones for your partner company's DNS zones.

An ideal solution (as provided by the PIX) is to manipulate the DNS
responses from your partner company's DNS server.

I've never even bothered trying to set-up a deployment, with these 
issues, with IPTables --- any pointers as to how to do this with IPTables 
would be greatly appreciated.


Paul
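For readers who want to see what the PIX-style rewrite in the scenario above actually does to a DNS packet, here is an added Python example (written for this archive page, not code from the original post or from Cisco). It walks a DNS response from the partner's server and rewrites any IN A record whose address falls in the partner's real 192.168.1.0/24 into the range that NAT presents on our side, keeping the host bits. The NAT range 172.16.1.0/24, the hostname fileserver.partner.example, and the reply bytes are all constructed placeholders; the function works on the DNS payload only (no IP/UDP headers), so the surrounding plumbing that would hand packets to it is assumed, not shown.

```python
"""DNS "doctoring" for the overlapping-subnet VPN scenario: rewrite A records
in replies from the partner's DNS server from their real subnet to the
NAT'ed subnet seen from our side. Added example; assumptions are marked."""
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = pkt[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt: bytes):
    """Yield the rdata offset of every IN A record in a DNS response
    (answer, authority and additional sections). Queries yield nothing."""
    flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!5H", pkt, 2)
    if not flags & 0x8000:              # QR bit clear: this is a query
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            yield off
        off += rdlen


def rewrite_dns_response(pkt: bytes, real_net: str, nat_net: str) -> bytes:
    """Map A-record addresses inside `real_net` onto `nat_net`, preserving
    host bits. Everything else (other records, other ranges) is untouched."""
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("real and NAT networks must have the same prefix length")
    buf = bytearray(pkt)
    for off in _a_record_offsets(pkt):
        addr = ipaddress.ip_address(bytes(buf[off:off + 4]))
        if addr in real:
            host_bits = int(addr) - int(real.network_address)
            new_addr = ipaddress.ip_address(int(nat.network_address) + host_bits)
            buf[off:off + 4] = new_addr.packed
    return bytes(buf)


def answer_addresses(pkt: bytes) -> list:
    """Dotted-quad A addresses carried in a response, in wire order."""
    return [str(ipaddress.ip_address(bytes(pkt[off:off + 4])))
            for off in _a_record_offsets(pkt)]


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_sample_response() -> bytes:
    """Constructed reply from the partner's DNS server: two A records for
    fileserver.partner.example, one in the partner's real 192.168.1.0/24
    (to be rewritten) and one elsewhere (to be left alone)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)   # id, flags(QR|RD|RA), qd, an, ns, ar
    question = _encode_name("fileserver.partner.example") + struct.pack("!HH", QTYPE_A, QCLASS_IN)

    def rr(addr: str) -> bytes:
        # name is a compression pointer back to the question name at offset 12
        return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) \
            + ipaddress.ip_address(addr).packed

    return header + question + rr("192.168.1.10") + rr("10.200.0.5")


if __name__ == "__main__":
    reply = build_sample_response()
    print("from partner DNS:", answer_addresses(reply))
    fixed = rewrite_dns_response(reply, "192.168.1.0/24", "172.16.1.0/24")
    print("after NAT rewrite:", answer_addresses(fixed))
```

Two caveats a practitioner would want before deploying something like this: iptables itself cannot do the rewrite, as the reply above says, so the function would have to sit in a userspace process that receives the packets (for example behind an NFQUEUE target or a small DNS forwarder) and the UDP checksum must be recomputed after the payload changes; and rewriting RRsets invalidates any DNSSEC signatures over them, so validating resolvers behind the rewrite will reject the doctored answers.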

