Hello, I have an internal network with a couple of tens to a hundred devices on it. For internal reasons, everyone on the network should be using a specific set of DNS servers; for giggles, let's assume that the IPs of those DNS servers are 10.0.0.2 & 10.0.0.3. On the router for this network, we've set it so that it will use those particular DNS servers to resolve domains, and by default we use DHCP to tell all clients to use their gateway when resolving DNS queries, thus using 10.0.0.2 or 10.0.0.3.

However, I'm sure you feel where I'm going, because there's always that one guy/gal who's a tad bit too clever for their own good: we've run some traces and figured out that some of the folks (these are people who are tech-savvy, don't have access to the router but do have admin/root powers on their own machines) have been setting their own machines to use a non-sanctioned DNS server (e.g. 8.8.8.8 for you Google people out there).

My question is twofold:

First: Is there a way, using iptables (or some other firewall), to intercept DNS requests to anything but 10.0.0.2 and 10.0.0.3 and redirect them to 10.0.0.2 or 10.0.0.3 in such a way that said users would /think/ they get a response from 8.8.8.8 (i.e. they fire off their request to 8.8.8.8), but they actually get a response from 10.0.0.2 or 10.0.0.3?

Second: If I wanted to figure out, on an ongoing basis (i.e. for future attempts), how many of these things are happening, when they are happening and who is using the non-sanctioned DNS server, how would I generate a log of this? I would want genuine requests (to 10.0.0.2 or 10.0.0.3) to /not/ show up in the log and non-genuine requests (to port 53 on /anything but/ either 10.0.0.2 or 10.0.0.3) to show up with timestamp and source IP. What would this look like?
I was thinking about this and came up with something like this for iptables, but I don't know if it would work, so before I deploy/test this, I was wondering if there is anyone who would be able to tell me whether this would/could work or if this is a dumb thing to do...

    iptables -N DNS_MANDATE
    # these two DNS servers are mandated (port 53 is already matched by the
    # OUTPUT rules below, so no --dport is needed inside this chain)
    iptables -A DNS_MANDATE -d 10.0.0.2 -j ACCEPT
    iptables -A DNS_MANDATE -d 10.0.0.3 -j ACCEPT
    # log anything that hasn't returned
    iptables -A DNS_MANDATE -j LOG --log-prefix "DNS Circumvention Attempt: "
    # rewrite and redirect
    ##### [ ??? what goes here to do the actual redirect ??? ] #####
    # We're done after the redirect, but let the redirect through
    iptables -A DNS_MANDATE -j RETURN
    # Is this the right thing to do?
    # put this in the output chain?
    iptables -A OUTPUT -p tcp --dport 53 -j DNS_MANDATE
    iptables -A OUTPUT -p udp --dport 53 -j DNS_MANDATE

For extra credit: how would I do this using ip6tables (for servers with IPv6 addresses assigned)? Would it be massively different? What about netfilter/nftables?

Thanks
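An added example, not code from the original post, showing how the redirect and the logging could be laid out on the router itself; it assumes a Linux router with iptables, a client-facing interface named eth1 (hypothetical), the resolvers 10.0.0.2 and 10.0.0.3 from the question, and function names of my own choosing:

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: a Linux router
# running iptables, clients on interface "eth1" (hypothetical name), and the
# sanctioned resolvers 10.0.0.2 and 10.0.0.3 from the question.
set -eu

IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of applying them
LAN_IF="${LAN_IF:-eth1}"    # client-facing interface (assumed)
DNS1="${DNS1:-10.0.0.2}"
DNS2="${DNS2:-10.0.0.3}"
CHAIN="DNS_MANDATE"

# The rewrite must live in the nat table's PREROUTING chain: client packets
# are forwarded by the router, so the filter OUTPUT chain (router-generated
# traffic only) never sees them, and DNAT is only honoured in the nat table.
dns_mandate_rules() {
    "$IPT" -t nat -N "$CHAIN" 2>/dev/null || true   # create chain if missing
    "$IPT" -t nat -F "$CHAIN"                       # start from a clean chain
    # sanctioned resolvers leave the chain untouched: not logged, not rewritten
    "$IPT" -t nat -A "$CHAIN" -d "$DNS1" -j RETURN
    "$IPT" -t nat -A "$CHAIN" -d "$DNS2" -j RETURN
    # anything else is a circumvention attempt: log it (rate-limited so one
    # noisy host cannot flood the kernel log; the LOG line carries SRC= and
    # DST=, syslog adds the timestamp), then DNAT it to a sanctioned resolver.
    # conntrack reverses the DNAT on the reply, so the client sees the answer
    # come back from the address it asked (e.g. 8.8.8.8).
    "$IPT" -t nat -A "$CHAIN" -m limit --limit 30/min --limit-burst 10 \
        -j LOG --log-prefix "DNS Circumvention Attempt: " --log-level info
    "$IPT" -t nat -A "$CHAIN" -j DNAT --to-destination "$DNS1-$DNS2"
    # hook the chain on client traffic to port 53, UDP and TCP. Only plain
    # port-53 DNS is covered; DNS over TLS/HTTPS (853/443) needs other controls.
    for proto in udp tcp; do
        "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j "$CHAIN"
    done
}

# Dry run: number of -A rules the set would install (rendered with IPT=echo).
dns_mandate_rule_count() {
    ( IPT=echo; dns_mandate_rules ) | grep -c -- ' -A '
}

if [ "${DNS_MANDATE_APPLY:-0}" = 1 ]; then
    dns_mandate_rules
fi
```

Running the same script with IPT=ip6tables and IPv6 resolver addresses installs the equivalent chain in ip6tables, whose nat table exists on kernels 3.7 and later. An nftables version would carry the same logic in a nat-type prerouting chain with a `dnat to` statement in place of `-j DNAT`.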