RE: DNS and iptables : is this rule bad ??

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mark Alzino
Sent: Friday, May 28, 2004 8:27 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: DNS and iptables : is this rule bad ??

Hello,

Here is my problem more simply explained ...

A user (IP address: 10.0.0.1) has a DNS server IP address specified in his
configuration (we don't know the address, and maybe this address is invalid,
so we want to change it with an iptables rule).

His gateway is 10.0.0.254. The gateway has another interface at
192.168.100.254 where a DNS server is running (named).
At the gateway, an iptables rule sends all his DNS packets to the DNS server
(192.168.100.254).
The rule is:
iptables -A PREROUTING -t nat -s 10.0.0.1 -p UDP --dport 53 -j DNAT \
--to-destination 192.168.100.254

** BUT ** this rule is not effective immediately, and takes a few minutes
before becoming active !!!
Same thing if you flush the nat table (iptables -F PREROUTING -t nat): the
last DNS is active for some minutes (sometimes immediately but not
systematically)...

To easily see that: just put an invalid DNS server in the configuration of
the client, and a real one at the gateway (192.168.100.254). You will see
that the rules are not immediately active !!!

Does someone know why ???

Thanks.
-- Mark



This doesn't appear to be a problem with netfilter/iptables, but rather, I
would guess, DNS. The rule will "take effect" immediately once it is loaded,
and trigger upon match. I would venture to say you may have some
interference from an entry in the /etc/hosts file or cached DNS entries. I
would try flushing the DNS cache instead of the NAT table.
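Whichever side is at fault, the quickest way to settle it is to measure from both ends. On the gateway, `iptables -t nat -L PREROUTING -n -v` shows per-rule packet counters, so you can see whether the DNAT rule is matching at all; also keep in mind that NAT is decided on the first packet of a connection-tracking entry and kept for that entry's lifetime, so a UDP/53 flow the gateway was already tracking keeps its old destination until the entry expires. On the client, the probe below (an added example for this thread, not code from either poster) hand-builds a DNS A query, sends it to whatever resolver address the client has configured, and decodes the reply. If the redirect is in effect, a bogus resolver address still gets answered, because the gateway rewrites the reply's source back to the configured address; if it is not, the probe times out. The resolver address 10.0.0.99 and the query name are constructed values for illustration.

```python
"""Client-side probe for a transparently redirected DNS resolver.

Added example, not code from the original posts. Sends a raw UDP DNS query to
the resolver the client has configured and reports whether anything answered.
"""
import random
import socket
import struct


def build_query(name, qid=None):
    """Encode a standard recursive A query for `name` in RFC 1035 wire format."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _read_name(msg, offset):
    """Decode a (possibly compressed) domain name at `offset`.

    Returns (name, offset just past the name in the original position).
    """
    labels = []
    end = None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_response(msg, expected_id):
    """Return rcode, the QR flag and any A-record addresses from a DNS reply.

    Raises ValueError if the reply's ID does not match the query we sent.
    """
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID %d does not match query ID %d" % (qid, expected_id))
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "is_response": bool(flags & 0x8000),
            "addresses": addresses}


def probe(resolver_ip, name, timeout=2.0):
    """Send one query to resolver_ip:53; return the parsed reply or None on timeout."""
    qid = random.randrange(0, 0x10000)
    query = build_query(name, qid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (resolver_ip, 53))
        data, (src_ip, _) = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    result = parse_response(data, qid)
    # With DNAT the reply is un-NATed on the way back, so this is the address the
    # client configured, not the real server behind the gateway.
    result["answered_by"] = src_ip
    return result


if __name__ == "__main__":
    # Constructed value: an invalid resolver address as in the thread's test setup.
    print(probe("10.0.0.99", "example.com."))
```

Run it on the client with the invalid resolver configured: a dict with `rcode` 0 and addresses means the gateway redirected the query; `None` means the packet went to the bogus address unredirected (or the redirect target did not answer).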
