Date: Sat, 7 Feb 2004 13:46:46 -0500
From: Louis LeBlanc <freebsd@keyslapper.org>
To: FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject: [maybe OT] IP/UDP/DNS packet manipulation question
Message-ID: <20040207184646.GA86056@keyslapper.org>
I know this might be a pretty technical question for this list, but this is the one I'm subscribed to, so please bear with me. I have a project that requires some creative network development. I'm to come up with a DNS-based daemon that performs filtering and forwarding of DNS request packets, but doesn't actually proxy them. The platform is to be FreeBSD, otherwise I wouldn't bother anyone here.

That is to say, it will accept DNS requests from local agents, filter out IPv6 request packets, and forward IPv4 requests to our backend DNS server in a way that the backend server will believe it has received them directly from the local server and send the response directly back to the local DNS agent, not the filter/forwarder.

As I understand things, this will mean rewriting the outgoing IP header and UDP header (TCP support is not needed), so that they each contain the address of the local agent as the sender IP, and leaving the DNS header unchanged. Or better yet, simply forwarding the entire IP packet unchanged so that even the IP identification field is intact. The DNS header is easy enough, since that's in the application layer, but I'm having trouble finding out how to rewrite the transport and network layer headers, or to simply forward the whole packet.

There is an excellent proxy in the ports, dnsproxy by Armin Wolfermann, but this actually handles the responses itself, which I want to avoid. I've been through the Stevens books, and no hint on how to do any of this. I thought I could simply bind the socket to the address in question, but according to the bind(2) manpage, that would return an EADDRNOTAVAIL error. I've also been through the ports/dns/ and ports/net/ ports, and it doesn't look like there's anything to perform IP/UDP forwarding.

Can anyone shed some light here, or maybe tell me where I can find the relevant info to help with this? Is rewriting these headers even necessary if the DNS packet can be sent unaltered? Is multilayer source address comparison a standard security check?

Thanks
Lou
--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org
hacker, n.: A master byter.
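The filtering half of the daemon described in the post (deciding whether an incoming datagram is an IPv6 address lookup) lives entirely in the application layer. The following is an added example, not code from the original message or from dnsproxy: it parses the DNS header and first question of a query and reports the QTYPE, so a filter can separate AAAA queries from A queries before anything is forwarded. It deliberately stops at the DNS message and does not touch IP or UDP headers. The constants, function names and the constructed sample query for "www.example.com" are all assumptions of this example.

```c
/* Added example (not from the original post): classify a DNS query by the
 * QTYPE of its first question. Only the DNS message body is parsed; the
 * IP and UDP headers the post asks about are out of scope here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define QTYPE_A     1    /* IPv4 address record */
#define QTYPE_AAAA  28   /* IPv6 address record */

/* Read a 16-bit big-endian field. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the QNAME labels starting at off and return the offset just past the
 * terminating zero label, or 0 on malformed input. Compression pointers are
 * rejected: a query's question section should carry a plain name. */
static size_t skip_qname(const unsigned char *msg, size_t len, size_t off)
{
    while (off < len) {
        unsigned char l = msg[off];
        if (l == 0) return off + 1;
        if (l & 0xC0) return 0;          /* compression pointer or reserved bits */
        off += 1 + l;                    /* label length byte plus label */
    }
    return 0;                            /* ran off the end of the message */
}

/* Return the QTYPE of the first question, or -1 if the message is not a
 * well-formed standard query with exactly one question. */
int dns_query_qtype(const unsigned char *msg, size_t len)
{
    if (len < DNS_HDR_LEN) return -1;
    uint16_t flags = rd16(msg + 2);
    if (flags & 0x8000) return -1;               /* QR set: this is a response */
    if (((flags >> 11) & 0xF) != 0) return -1;   /* OPCODE must be QUERY (0) */
    if (rd16(msg + 4) != 1) return -1;           /* QDCOUNT must be exactly 1 */
    size_t off = skip_qname(msg, len, DNS_HDR_LEN);
    if (off == 0 || off + 4 > len) return -1;    /* need QTYPE and QCLASS */
    return rd16(msg + off);
}

/* 1 if the datagram is an AAAA query (what the post wants to filter out),
 * 0 otherwise, including malformed input. */
int dns_is_ipv6_query(const unsigned char *msg, size_t len)
{
    return dns_query_qtype(msg, len) == QTYPE_AAAA;
}

/* Constructed sample: ID 0x1234, RD set, one question for "www.example.com"
 * of the given type, class IN. Returns the message length (33 bytes). */
static size_t build_query(unsigned char *buf, uint16_t qtype)
{
    static const unsigned char qname[] = "\003www\007example\003com"; /* NUL = root */
    unsigned char *p = buf;
    *p++ = 0x12; *p++ = 0x34;            /* ID */
    *p++ = 0x01; *p++ = 0x00;            /* flags: RD */
    *p++ = 0x00; *p++ = 0x01;            /* QDCOUNT 1 */
    memset(p, 0, 6); p += 6;             /* ANCOUNT, NSCOUNT, ARCOUNT 0 */
    memcpy(p, qname, sizeof qname); p += sizeof qname;
    *p++ = (unsigned char)(qtype >> 8); *p++ = (unsigned char)qtype;
    *p++ = 0x00; *p++ = 0x01;            /* QCLASS IN */
    return (size_t)(p - buf);
}

/* Helpers exercising the parser on constructed input. */
int sample_qtype(uint16_t qtype)
{
    unsigned char buf[64];
    size_t n = build_query(buf, qtype);
    return dns_query_qtype(buf, n);
}
int sample_is_ipv6(uint16_t qtype)
{
    unsigned char buf[64];
    size_t n = build_query(buf, qtype);
    return dns_is_ipv6_query(buf, n);
}
int sample_truncated_qtype(void)          /* datagram cut before QTYPE/QCLASS */
{
    unsigned char buf[64];
    size_t n = build_query(buf, QTYPE_A);
    return dns_query_qtype(buf, n - 3);
}
int sample_response_qtype(void)           /* QR bit set: must be rejected */
{
    unsigned char buf[64];
    size_t n = build_query(buf, QTYPE_A);
    buf[2] |= 0x80;
    return dns_query_qtype(buf, n);
}

int main(void)
{
    printf("AAAA query is IPv6 lookup: %d\n", sample_is_ipv6(QTYPE_AAAA));
    printf("A query is IPv6 lookup:    %d\n", sample_is_ipv6(QTYPE_A));
    printf("truncated query qtype:     %d\n", sample_truncated_qtype());
    return 0;
}
```

Malformed or truncated datagrams and anything with the QR bit set are reported as -1 rather than classified, so a filter built on this would drop what it cannot parse instead of forwarding it.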