From: Tony Frank <tfrank@optushome.com.au>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Sun, 8 Feb 2004 22:01:18 +1100
Subject: Re: [maybe OT] IP/UDP/DNS packet manipulation question
Message-ID: <20040208110118.GC92622@marvin.home.local>
In-Reply-To: <20040207184646.GA86056@keyslapper.org>

Hi there,

On Sat, Feb 07, 2004 at 01:46:46PM -0500, Louis LeBlanc wrote:
> That is to say it will accept DNS requests from local agents, filter
> out IPV6 request packets, and forward IPV4 requests to our backend DNS
> server in a way that the backend server will believe it has received
> them directly from the local server and send the response directly
> back to the local DNS agent, not the filter/forwarder.
>
> As I understand things, this will mean rewriting the outgoing IP
> header, UDP header (TCP support is not needed), so that they each
> contain the address of the local agent as the sender IP, and leaving
> the DNS header unchanged. Or better yet, simply forwarding the entire
> IP packet unchanged so that even the IP identification field is
> intact.
>
> The DNS header is easy enough, since that's in the application layer,
> but I'm having trouble finding out how to rewrite the transport and
> network layer headers, or to simply forward the whole packet.

You might be able to do this with one of the various firewalls already.
Perhaps check out ipfilter and pf.

If using ipfw you can divert all DNS traffic to a divert(4) socket which
you can then connect to your DNS application. If the application likes
what it sees it can send the packet back via divert for forwarding to the
real DNS target - no modifications necessary. If the DNS packet doesn't
meet the specs, it can be dropped.

Another possibility might be a netgraph module, although netgraph seems
typically more suited to layer 2 type applications.

Hope it helps,

Tony
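The divert(4) approach Tony describes, as an added example that is not part of the thread or of any FreeBSD code: a small C program that receives whole IP packets from an ipfw divert rule, parses the IP, UDP and DNS headers with bounds checks, drops queries whose question section asks for an AAAA (IPv6 address) record, and writes every other packet back to the divert socket unchanged so ipfw carries it on to the real resolver with the original source address intact. The ipfw rule (`ipfw add 100 divert 8668 udp from any to any 53`), the divert port 8668, the `example.com` sample packet and all function names are assumptions chosen for this example. The parsing functions are portable C; only the socket loop at the end is FreeBSD-specific.

```c
/*
 * Added example (not from the original thread): an ipfw divert(4) filter
 * for DNS queries. Assumed ipfw rule: "ipfw add 100 divert 8668 udp from any to any 53".
 * Packets arrive whole (IP header + UDP header + DNS message); PASS packets are
 * reinjected unchanged, DROP and MALFORMED packets are simply not reinjected.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_QTYPE_AAAA 28

enum verdict { PASS = 0, DROP = 1, MALFORMED = 2 };

/* Skip one DNS name (length-prefixed labels ending in a zero label) at *off.
 * Returns 1 and advances *off on success, 0 if the name runs past the buffer.
 * Compression pointers are rejected: a query's question section never needs them. */
static int skip_dns_name(const uint8_t *p, size_t len, size_t *off) {
    size_t i = *off;
    while (i < len) {
        uint8_t l = p[i];
        if (l == 0) { *off = i + 1; return 1; }
        if ((l & 0xC0) != 0) return 0;
        i += 1 + l;
    }
    return 0;
}

/* Inspect a DNS message: DROP if any question has QTYPE AAAA, MALFORMED if it
 * cannot be parsed safely, PASS otherwise (responses always pass). */
enum verdict inspect_dns(const uint8_t *dns, size_t len) {
    if (len < 12) return MALFORMED;
    if (dns[2] & 0x80) return PASS;                 /* QR bit set: a response */
    uint16_t qdcount = (uint16_t)(dns[4] << 8 | dns[5]);
    size_t off = 12;
    for (uint16_t q = 0; q < qdcount; q++) {
        if (!skip_dns_name(dns, len, &off)) return MALFORMED;
        if (off + 4 > len) return MALFORMED;
        uint16_t qtype = (uint16_t)(dns[off] << 8 | dns[off + 1]);
        if (qtype == DNS_QTYPE_AAAA) return DROP;
        off += 4;                                    /* QTYPE + QCLASS */
    }
    return PASS;
}

/* Inspect a raw IPv4 packet as delivered by divert(4): validate the IP header
 * length, locate the UDP payload and hand it to inspect_dns(). */
enum verdict inspect_ipv4_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl + 8 > len) return MALFORMED;
    if (pkt[9] != 17) return PASS;                   /* not UDP: not ours to judge */
    size_t udp_len = (size_t)(pkt[ihl + 4] << 8 | pkt[ihl + 5]);
    if (udp_len < 8 || ihl + udp_len > len) return MALFORMED;
    return inspect_dns(pkt + ihl + 8, udp_len - 8);
}

/* Constructed sample input: an IPv4/UDP/DNS query for "example.com" with the
 * given QTYPE (checksums left zero; a real kernel-delivered packet has them). */
size_t build_sample_query(uint8_t *out, uint16_t qtype) {
    static const uint8_t ip_udp[28] = {
        0x45, 0x00, 0x00, 0x39, 0x12, 0x34, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
        10, 0, 0, 5, 10, 0, 0, 53,                   /* 10.0.0.5 -> 10.0.0.53 */
        0xC0, 0x00, 0x00, 0x35, 0x00, 0x25, 0x00, 0x00 }; /* sport 49152, dport 53, len 37 */
    static const uint8_t dns_hdr[12] = { 0xAB, 0xCD, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };
    static const uint8_t qname[] = { 7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0 };
    size_t n = 0;
    memcpy(out + n, ip_udp, sizeof ip_udp);   n += sizeof ip_udp;
    memcpy(out + n, dns_hdr, sizeof dns_hdr); n += sizeof dns_hdr;
    memcpy(out + n, qname, sizeof qname);     n += sizeof qname;
    out[n++] = (uint8_t)(qtype >> 8); out[n++] = (uint8_t)qtype;
    out[n++] = 0; out[n++] = 1;                      /* QCLASS IN */
    return n;                                        /* 57 bytes */
}

#ifdef __FreeBSD__
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define DIVERT_PORT 8668   /* assumed; must match the ipfw divert rule */

int main(void) {
    /* Socket form from divert(4) of the time; FreeBSD 14 moved divert to PF_DIVERT. */
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (s < 0) { perror("socket"); return 1; }
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(DIVERT_PORT);
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }
    static uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); continue; }
        if (inspect_ipv4_packet(buf, (size_t)n) == PASS) {
            /* Reinject with the same sockaddr so ipfw resumes after the divert rule. */
            if (sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
                perror("sendto");
        }
    }
}
#endif
```

Because the packet is written back byte for byte, the backend resolver sees the original client's source address and IP identification field, which is exactly the "forward the whole packet unchanged" behaviour asked about; anything the parser cannot account for (truncated UDP length, label running past the buffer, compression pointer in a query) is treated as malformed and not reinjected rather than guessed at.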