3

Overview:

I have software that has our Edge/DNS servers hardcoded into them, DNS queries returned from DNS servers are not being masked properly. I need the DNS entries that are returned from BIND query requests to be masked with the originating server that has requested the query and not the DNS servers IP. The reason for why I want the masking is so that if an attacker were to get ahold of one of my edge server IP's and DDoS it, they would not be able to get ahold of the other servers IPs and DDoS or attack them as well.

The diagram below illustrates a simple version of what I'm trying to accomplish.

There are two types of ways the users can connect:

  • Directly to the edge server IP that is provided to them/hardcoded in

OR

  • Directly connect to their edge server assigned, and then via a web interface they select which office/server to connect to which on the backend does a iptables REDIRECT on their edge server which goes over a VPN tunnel.

Problem:

Sequence of events:

  1. User2 connects to their edge server(server2)
  2. edge server2 redirects their query to edge server1
  3. edge server1 returns back to edge server2 the query response with edge server1's IP embedded in the DNS packet.
  4. User gets hidden edge server IP that they should not know of.

Core problem:

Edge server's IP is embedded in the DNS response packet and needs to be masked to the original edge servers IP that the User is connected to

Problem

DNS Lookup example output:

  • User2 queries for google.ca
  • DNS Server1 processes the query and returns the result of it's own IP and not google's IP.

Lookup request(wrong):

nslookup google.ca
Server:  UnKnown
Address:  2.2.2.2
Name:    google.ca
Address:  1.1.1.1

Lookup Request that should be showing:

nslookup google.ca
Server:  UnKnown
Address:  2.2.2.2
Name:    google.ca
Address:  2.2.2.2

Below is a large scaled version of the network/system that is built.

Offices can have one or more servers in them depending on how many users.

(This is just illustrated to give you an idea of how it needs to scale)

Infrastructure

What I've tried:

  • iptables pre/post routing(didn't mask)
  • Played with BIND configuration(altered the db.override file to return the servers IP) which worked but would require an individual server per edge server due to this file not being able to be real-time updated.

Potential Solutions Theory:

  • Layer 7 solution that can alter the DNS query results IP, whether its a firewall or a sniffer/injection script that forces particular queries to show the original edge servers IP.
HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
RCG
  • 794
  • 1
  • 6
  • 15
  • 1
    Is there some reason why you can't just run a DNS server on the box, and then to a simple iptables REDIRECT 53 so that the running DNS server handles everything? Then just configure DNS server to serve whatever records you like. – Zoredache Oct 07 '14 at 19:24
  • the redirect on server1 is what we currently use. However when the response is returned from server2's DNS server, it shows the server2's IP when we require it to show server1's IP as we don't want the internal IP to be disclosed. – RCG Oct 07 '14 at 19:26
  • 2
    You really need to spend more time describing what your actual problem is. Instead of trying to focus on asking us to recommend some product as a solution. Plus you have given us a weird set of requirements. What exactly is a `my own custom linux setup`? Almost all general purpose distros are heavily customizable. Popular Server distros include Centos,Redhat,Debian,UbuntuServer... – Zoredache Oct 07 '14 at 19:35
  • @Zoredache we went through all this with Ryan this morning - he's firmly stuck in an xy situation http://serverfault.com/questions/634079/layer-7-dns-altering-solutions – user9517 Oct 07 '14 at 19:40
  • @Zoredache yes like lain stated, I had explained my situation in great detail before but was told to keep it all very simple. I'm stuck in a situation where my ISP cannot run custom distros, I am using ubuntu server edition 14.04. I have customized the system to work with the requirements of the project. -Clients must access server2 via vpn, -Clients access via various VPN servers, thus BIND alterations wont appear to work. -DNS query returned address must be altered inside the packet, not just the header of the direction of the packet. – RCG Oct 07 '14 at 19:54
  • Ryan, you were asked to describe the problem you are trying to solve which you almost did in a comment - you know the issue with the vpn users ... You seem stuck in an x/y situation. If you describe the root problem someone here may have an elegant solution for you. As is is everyone just thinks wtf is he trying to do. – user9517 Oct 07 '14 at 20:00
  • [What is an x/y problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem/66378#66378) – user9517 Oct 07 '14 at 20:07
  • yes i realize its a bit of a tunnel vision situation. My servers are built to run DNS/HTTP proxy and are utilized as an edge/internal server. Sort of a all-in-one solution setup. However when VPN users connect, they're connecting from various other edge servers. We have a web interface where our clients can switch servers without altering their DNS entry, since the software that is utilizing the DNS for lookups is hardcoded to specific edge servers. We are afraid of other edge servers being DDoSd so we've tried to hide them via iptables redirects over the internal LAN where edge servers reside – RCG Oct 07 '14 at 20:11
  • Our primary concern is users seeing the other edge servers and if an attacker is trying to target us, they could potentially find all the other edge server IP's other than the one they've found. Thus why we have tried to hide the edge servers with iptables redirects. However BIND uses static IPs in the configurations and returns in the queries at layer 7 the BIND servers IP instead of the originating edge server that relayed the request. – RCG Oct 07 '14 at 20:15
  • 2
    So I looked at the deleted question Iain linked to, and combined that with what you have written here and I still can't follow what is going on. This is the time where I think a **picture would be worth a thousand words**. A good network diagram combined with a good combined with really good labeling. At the moment you your abstraction and obfuscation of the details in both the previous question and this one make it very hard to follow. – Zoredache Oct 07 '14 at 20:44
  • I'll work on a diagram and edit the question. Thanks for the input so far. – RCG Oct 07 '14 at 20:58
  • I have updated the question, look forward to responses, thanks. – RCG Oct 08 '14 at 01:03
  • 1
    This is investing far too much effort into solving a perceived problem in an overly convoluted way. Your contingencies *must* be designed around the assumption that knowledge of the DNS server IPs will be leaked. [Smoke and mirrors will not save you.](http://serverfault.com/a/579396/152073) (yes, I know the linked question is different, but the answer is the same) – Andrew B Oct 08 '14 at 04:03
  • security by obscurity never really works.. . – The Unix Janitor Feb 13 '15 at 07:46

0 Answers0