
I have a requirement that I believe may be impossible and wanted to confirm this with experts in this community.

A client wants us to configure a DNS server to resolve certain domains to an IP address of a server under our control (poisoned DNS). The server associated with this poisoned record should forward / redirect all non-http traffic to the actual IP address associated with the canonical DNS record. However, for all port 80 (http) traffic, it should intercept the request and proxy it, possibly modifying the response.

Is the above approach feasible? If not, are there other ways this problem can be approached short of requiring specialized gateway hardware?

Ideally the system will minimize bandwidth usage & latency for non-http traffic without requiring anything besides DNS or firewall configuration. I realize we can forward all http traffic at the firewall level, but the client wants to avoid http requests to CDNs or media heavy sites as well as minimize deployment effort across disparate network configurations.

Update: Forwarding port 80 traffic isn't enough for us as we want to minimize latency for certain domains (such as those associated with CDNs or partner sites).

Update: OpenDNS has something called blocked page proxy but that merely displays an authentication form. It doesn't actually proxy the request to a server under our control.

Misc Notes: This could in theory be possible if we had a large block of public IP addresses that could intelligently route based on the sender's IP to the proper destination, but the engineering effort required there to keep the DNS request and subsequent requests to that same domain in sync would be immense. Not to mention we would be limited from a concurrency perspective. This is probably similar to how OpenDNS does their DNS+Proxying, but they only seem to do it for google.com. This needs to work for an arbitrary set of domains (potentially all of them).

henryl
    Sorry, I am not entirely sure what you want. Can you try to be more clear? – Zoredache Aug 15 '10 at 20:07
  • Have you looked into existing (commercial) solutions? – Andrew Aug 15 '10 at 22:54
  • "IP address associated with the real DNS record as accurately as possible" - what is this: as accurately as possible? – sybreon Aug 16 '10 at 02:17
  • @zoredache, updated the question. Sorry, wrote in a hurry. @Andrew, not aware of any that exist besides hardware based solutions that need to be part of the LAN. Looking for a cloud based solution (already ruled OpenDNS out). @sybreon, our poisoned DNS will send all traffic to us for a particular domain, but we only want to intercept HTTP requests while forwarding other packets to the actual destination IP associated with the canonical DNS record for the domain. – henryl Aug 17 '10 at 17:04
  • I don't see how this would work: if you're poisoning the DNS, how do you know where to redirect the HTTP or the non-HTTP traffic to after you've intercepted it? This "proxy router" device would see packets come in with a dst_ip of... your "proxy router" device. – gravyface Aug 17 '10 at 18:58
  • Which is why I was thinking it was a hard problem. In theory you could keep in mind the origin IP when serving the DNS record, mapping it to a target domain when that same IP makes a request to the router. You would be limited in the number of concurrent domains you could serve per origin IP, but you could set the TTL to a low value to compensate. Come to think of it, this is kinda like a router in reverse. – henryl Aug 17 '10 at 21:56

1 Answer


A client wants us to configure a DNS server to point all non-whitelisted domains to an IP address of a server on the internet. This server should forward / redirect all non-http traffic to an IP address associated with the real DNS record as accurately as possible. However, for all port 80 traffic, it should intercept the traffic and forward to a web proxy.

Your question is confusing, but if I'm interpreting this correctly, it sounds like you're describing a transparent intercepting HTTP proxy. There are many products that can do this, as well as open source solutions such as Squid.

You don't have to do anything with DNS to accomplish this, you only need an edge router/firewall that supports policy routing to forward any packet with a destination protocol/port of TCP 80 to your (internal/external) Squid proxy.

This way, all your non-HTTP requests go where you want them to, and your HTTP requests go through your proxy.

If this is not what you're trying to do, you should edit your question to reflect that.

gravyface
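The exchange between gravyface and henryl in the comments is the crux of the thread: once the poisoned record has replaced the real destination address, a connection arriving at the interceptor carries no record of where it was meant to go, and henryl's workaround of remembering which client resolved which domain only works while each client has exactly one unexpired resolution outstanding. The following Python model, added here as an illustration and not code from the thread or from any product mentioned in it, makes both points concrete. The interceptor address, the "canonical" address table, the client address and the request bytes are all constructed sample data; `Interceptor`, `host_header` and `scenario` are names chosen for this example.

```python
"""Model of the DNS-poisoning interception scheme discussed in the thread.

Everything here is constructed for illustration: CANONICAL stands in for the
real DNS records, INTERCEPTOR_IP is the address the poisoned server answers
with, and no packets are sent anywhere.
"""
import time

INTERCEPTOR_IP = "203.0.113.10"          # constructed (TEST-NET-3 range)
CANONICAL = {                            # constructed "canonical" records
    "www.example.com": "198.51.100.20",
    "cdn.example.net": "198.51.100.30",
}


def host_header(payload: bytes):
    """Return the Host header of a raw HTTP/1.x request (without port), or None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


class Interceptor:
    """The poisoning DNS server and the host its records point at, modelled together."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so the TTL behaviour can be shown
        self.pending = {}           # client IP -> [(domain, expiry), ...]

    def dns_answer(self, client_ip, domain):
        """Answer with our own address and remember who asked for what (henryl's idea)."""
        if domain not in CANONICAL:
            raise KeyError(f"no canonical record for {domain}")
        self.pending.setdefault(client_ip, []).append((domain, self.clock() + self.ttl))
        return INTERCEPTOR_IP

    def _live_domains(self, client_ip):
        """Domains this client resolved whose TTL has not yet run out."""
        now = self.clock()
        live = [(d, e) for d, e in self.pending.get(client_ip, []) if e > now]
        self.pending[client_ip] = live
        return [d for d, _ in live]

    def route(self, client_ip, dst_port, payload):
        """Work out where a connection that arrived at INTERCEPTOR_IP was really meant to go.

        ("proxy", host)            HTTP whose Host header names the intended site
        ("forward", ip)            real destination recoverable from the DNS memory
        ("ambiguous", candidates)  more than one outstanding resolution, cannot decide
        """
        if dst_port == 80:
            host = host_header(payload)
            if host in CANONICAL:
                return ("proxy", host)
        # Non-HTTP, or HTTP without a usable Host header: the packet's destination
        # is us, so the only clue left is what this client resolved recently.
        candidates = self._live_domains(client_ip)
        if len(candidates) == 1:
            return ("forward", CANONICAL[candidates[0]])
        return ("ambiguous", candidates)


def scenario():
    """Walk through the cases raised in the comments; returns the routing decisions."""
    clock = [0.0]                                   # manual clock, seconds
    ic = Interceptor(ttl_seconds=30, clock=lambda: clock[0])
    client = "192.0.2.50"                           # constructed client address
    opaque = b"\x16\x03\x01\x00\x10not-http-bytes"  # constructed non-HTTP payload
    out = {}
    ic.dns_answer(client, "www.example.com")
    # HTTP: the Host header identifies the site, so it can be proxied.
    out["http"] = ic.route(client, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    # Non-HTTP with a single outstanding resolution: the DNS memory suffices.
    out["single_non_http"] = ic.route(client, 443, opaque)
    # A second resolution within the TTL makes non-HTTP traffic undecidable ...
    clock[0] = 20.0
    ic.dns_answer(client, "cdn.example.net")
    out["two_non_http"] = ic.route(client, 443, opaque)
    # ... while HTTP is still fine, because the Host header disambiguates.
    out["two_http"] = ic.route(client, 80, b"GET /a.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n")
    # Once the first record's TTL lapses, only one candidate remains again.
    clock[0] = 35.0
    out["after_ttl"] = ic.route(client, 443, opaque)
    return out


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:16s} -> {decision}")
```

The model treats every non-port-80 stream as opaque, which is what the thread assumes; some protocols do carry a hostname in-band (TLS SNI, for instance), but that does not change the general point. The policy-routing approach in the answer below never runs into this, because a packet redirected at the LAN edge still carries its real destination address and only its next hop changes.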