Captive DNS REDIRECT problems. Need a stateless/fast timeout udp connection.

Harold Burchey harold.a.burchey at
Sun Apr 3 09:20:07 CEST 2005

On Sun, 03 Apr 2005 01:38:03 -0500
Dave Cinege <dcinege-mlists-dated-1112942287.e58b6f at> wrote:

> Herein lies the problem. When an unauthorized host first hits port 53 and is
> redirected to 5353, a udp connection track stream is tacked up. Once they
> become authorized their 'ACCEPT' rule is inserted, however the original
> 53->5353 REDIRECT stream is still alive, and will continue to be used until
> it times out. During this time the host is dead in the water with no 'real'
> DNS.

Let's say your existing ethernet device is eth0. Is it possible to
physically add a second ethernet device, say eth1? Then you could route
everything from eth0 to eth1 and put the dummy redirections on eth1.
Then whenever you want to override the dummy redirections you insert iptables
rules on eth0.

I've never tried anything like this and am totally guessing, so I could
(am probably) way off track, but anyways :)
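The setup from the quoted mail (DNS REDIRECTed to a dummy resolver, per-host ACCEPT inserted on authorization) together with the step that clears the stale 53->5353 conntrack entry, as an added example that is not from this thread. It assumes iptables plus the conntrack-tools `conntrack` CLI (which postdates this thread), interface eth0, dummy port 5353 and the constructed address 192.0.2.10; with DRY_RUN=1 it only records the commands it would run.

```shell
#!/bin/sh
# Captive DNS redirect with per-host authorization (added example; assumes
# iptables and the conntrack-tools CLI are installed).
LAN_IF="${LAN_IF:-eth0}"          # interface facing the unauthorized hosts
DUMMY_PORT="${DUMMY_PORT:-5353}"  # local port of the captive DNS responder
CAPTIVE_CMDS=""                   # ';'-separated log of issued commands

# Run a command, or only record it when DRY_RUN=1.
run() {
    CAPTIVE_CMDS="${CAPTIVE_CMDS}$*;"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Base policy: DNS from any host on LAN_IF goes to the captive responder.
# Only the first packet of a flow traverses the nat table; every later
# packet follows the conntrack entry created by that first packet.
captive_dns_setup() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DUMMY_PORT"
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 53 \
        -j REDIRECT --to-ports "$DUMMY_PORT"
}

# Authorize one host: insert its ACCEPT ahead of the REDIRECT rules, then
# delete the conntrack entries that still carry the old 53->5353 mapping.
# Without the delete the host keeps talking to the dummy resolver until the
# udp entry times out, which is exactly the problem in the quoted mail.
authorize_host() {
    ip="$1"
    run iptables -t nat -I PREROUTING 1 -i "$LAN_IF" -s "$ip" -p udp --dport 53 -j ACCEPT
    run iptables -t nat -I PREROUTING 1 -i "$LAN_IF" -s "$ip" -p tcp --dport 53 -j ACCEPT
    run conntrack -D -s "$ip" -p udp --dport 53
    run conntrack -D -s "$ip" -p tcp --dport 53
}

# Number of recorded commands containing a given string (dry-run check).
count_cmds() {
    printf '%s\n' "$CAPTIVE_CMDS" | tr ';' '\n' | grep -c -- "$1"
}

# Apply for real only when explicitly requested, e.g. CAPTIVE_APPLY=1.
if [ "${CAPTIVE_APPLY:-0}" = 1 ]; then
    captive_dns_setup
    authorize_host 192.0.2.10   # constructed client address
fi
```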

More information about the netfilter mailing list