DNS and NAT

Suzana Lojic-Skoric s_lojic at hotmail.com
Fri Jul 15 18:30:57 CEST 2005



>From: Jörg Harmuth <harmuth at mnemon.de>
>To: netfilter at lists.netfilter.org
>Subject: Re: DNS and NAT
>Date: Fri, 15 Jul 2005 10:53:17 +0200
>
>Suzana Lojic-Skoric schrieb:
>
> > I don't think proxy can help because it is just caching the web pages,
> > it does not change the IP addresses. I'll check if tunneling can help,
> > if not then I'll have to change iptables to inspect DNS answer and
> > replace the IP in the payload.
>
>No. Introducing a proxy at the right location, is much more than just
>caching web sites. It means significant changes to at least to the IP
>headers.
>
>Wether a proxy helps you or not depends totally on where you place the
>proxy. If you place it on the nat box (like primero said) or between
>this nasty dropping box and the nat box, everything is probably fine.
>The requests will then go to 10.x.x.x and the answers will originate
>from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the
>*data* part of the 4th packet - not in the headers (headers are
>src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't
>scan the packets payload for proxy requests and the like and drops them,
>everything should work.

I can put the proxy on the NAT machine.
As I said, right now just with the NAT, if I send a DNS request for the 
google.com from the client 10.0.0.1 behind the nasty dropping box, it will 
go out through the nasty dropping box and the NAT gateway. NAT will change 
its 10.x.x.x source and destination from 10.x.x.x to some outside addresses 
e.g. 150.x.x.x. The DNS answer comes back to NAT, it's source and 
destination gets translated back to 10.x.x.x and 10.0.0.1 destination, and 
the google address 216.239.39.99 is within the *data* part. This goes fine 
through the nasty dropping box back to the client 10.0.0.1. Client then 
takes the answer from the data part of the message, which is 216.239.39.99 
and tries to contact it. It sends an HTTP message to destination 
216.239.39.99. This gets dropped on the nasty dropping box since it is not 
10.x.x.x (This is what's happening when you type in www.google.com in the 
browser on the client 10.0.0.1).
So the DNS request and answer can get through the internal network, but what 
I need is to somehow replace the 216.239.39.99 that is embedded in the DNS 
*data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is actually 
216.239.39.99. to be able to translate it for outside.

Do you still think proxy can help?
>
>If, on the other side, it is only possible to place the proxy between
>the clients and this nasty dropping box, you're out of luck and a proxy
>helps nothing at all. But as far as I understood - and you provided
>information - you have access to the nat box. So, this should not be the
>case.
>
>BTW, would you please be so kind and provide sufficient information
>about your problem in the first posting (introducing this nasty box
>changes the whole situation) ? This way people who want to help you do
>not have to feel like the "Oracle of Delphi" ;) Thanks.

I'll do it next time :) I was afraid it would be too long for anybody to 
read it. Thanks for your help.

Suzana

>
>Have a nice time,
>
>Joerg
>
>

_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented Microsoft® 
SmartScreen Technology. 
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines 
  Start enjoying all the benefits of MSN® Premium right now and get the 
first two months FREE*.




More information about the netfilter mailing list