From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Mark Alzino <tirixil@hotmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: How to change DNS with iptables rules ?
Date: Thu, 27 May 2004 04:11:19 -0400	[thread overview]
Message-ID: <1085645336.10065.7.camel@localhost> (raw)
In-Reply-To: <BAY16-F67ZBNCogiwHs000430ac@hotmail.com>

On Tue, 2004-05-25 at 09:23, Mark Alzino wrote:
> Hello,
> 
> I have two DNS servers: one at 10.0.0.254 and one at 192.168.10.254.
> I just want to dynamically change the DNS for a user (at 10.0.0.1, for 
> example), but it takes time for the iptables rules to be activated.
> Here is more explanation.
> 
> 
> I use two DNS servers (bind 9) on the same host, with two interfaces. Each 
> one ONLY listens on one interface (so it must not answer a request related 
> to the other one!).
> 
> At the beginning, the user has the 10.0.0.254 server. Then I add rules in 
> order to change the DNS to 192.168.10.254.
> I use the following rules:
> iptables -A PREROUTING -s 10.0.0.1 -d 10.0.0.254 -t nat -p UDP --dport 53 -j DNAT --to-destination 192.168.10.254
> iptables -A PREROUTING -s 10.0.0.1 -d 10.0.0.254 -t nat -p UDP --sport 53 -j DNAT --to-destination 192.168.10.254
> 
> ** BUT **: during a period (between 0 and 3 minutes), the user is ALWAYS 
> CONNECTED TO the 10.0.0.254 server!!
> In other words, I always end up with what I should have, but I have to wait 
> for a minute to get it...
> 
> How is it possible??
> 
> 
> - Are the rules right??
> - Is there really a delay before the PREROUTING target is activated? (That 
> is what it seems to be, but generally speaking rules are immediate...)
> - Does DNS (bind) listen at the beginning only on one interface, and then 
> listen on all interfaces once it recognizes a user it has served? (!!!)
> - Does anyone have the answer? :-)
<snip>
How are you determining which DNS the user is using? Is it by seeing
which address it uses for a previously used query? Could it be that the
client is caching a previous DNS response? If you put a protocol
analyzer on the wire, is the client actually making a DNS request when
you think it is or is it not putting a DNS packet on the wire at all, in
other words, using some cached information? Hope this helps - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
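Besides the client-side caching John raises, there is a second thing to rule out on the firewall itself: nat-table rules in PREROUTING are consulted only for the first packet of a connection-tracked flow, so a client whose UDP flow to the old resolver is still alive in conntrack keeps its original (un-DNATed) mapping until that entry expires (the UDP stream timeout defaults to 180 seconds, which matches the "0 to 3 minutes" window). The shell function below is an added example and is not part of this thread; it reads lines in /proc/net/ip_conntrack format (as produced by 2.4/2.6 kernels of that era) from stdin and reports, for one client, how many UDP/53 flows still point at the old resolver, how many already carry the new reply address, and how long the longest-lived stale entry has left. The addresses and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): classify a client's UDP/53 conntrack
# entries to separate "old flow still alive" from "DNAT already applied" from
# "no flow at all" (the last case points back at client-side caching).
# Input format: /proc/net/ip_conntrack lines (constructed samples below).

# Usage: classify_dns_flow CLIENT OLD_DNS NEW_DNS < conntrack_lines
# Prints: old=<n> natted=<n> old_ttl_max=<seconds remaining on the stalest old flow>
classify_dns_flow() {
  awk -v client="$1" -v old="$2" -v new="$3" '
    # Only UDP entries whose ORIGINAL tuple is client -> old resolver, port 53.
    $1 == "udp" && index($0, "src=" client " dst=" old " ") > 0 && index($0, " dport=53 ") > 0 {
      # Field 3 is the remaining timeout in seconds for a UDP entry.
      ttl = $3 + 0
      # The second "src=" on the line is the REPLY tuple; after DNAT it shows the
      # real server address, so it tells us whether this flow was ever translated.
      n = split($0, f, " ")
      seen = 0; reply_src = ""
      for (i = 1; i <= n; i++) {
        if (f[i] ~ /^src=/) { seen++; if (seen == 2) reply_src = substr(f[i], 5) }
      }
      if (reply_src == new) {
        natted++
      } else {
        oldflow++
        if (ttl > maxttl) maxttl = ttl
      }
    }
    END { printf "old=%d natted=%d old_ttl_max=%d\n", oldflow, natted, maxttl }'
}

# Constructed sample: one assured flow still mapped to the old resolver (175s left),
# one newer flow already DNATed to 192.168.10.254, and an unrelated TCP entry.
SAMPLE_CONNTRACK='udp      17 175 src=10.0.0.1 dst=10.0.0.254 sport=1025 dport=53 packets=4 bytes=200 src=10.0.0.254 dst=10.0.0.1 sport=53 dport=1025 packets=4 bytes=600 [ASSURED] use=1
udp      17 29 src=10.0.0.1 dst=10.0.0.254 sport=1026 dport=53 packets=1 bytes=50 src=192.168.10.254 dst=10.0.0.1 sport=53 dport=1026 packets=1 bytes=150 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=22 src=10.0.0.2 dst=10.0.0.1 sport=22 dport=40000 [ASSURED] use=1'

# Stand-alone run against the constructed sample; on a real box you would instead
# pipe in `cat /proc/net/ip_conntrack` (or `conntrack -L` output on newer kernels).
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_dns_flow 10.0.0.1 10.0.0.254 192.168.10.254
```

If `old` is non-zero with a large `old_ttl_max`, the delay is the stale conntrack entry, not the rule: flushing that entry (or waiting for its timeout) makes the DNAT take effect immediately. If both counters are zero while the client still "uses" the old server, no DNS packet is reaching the firewall at all, which is exactly the cached-answer case the reply above asks about.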



Thread overview: 3+ messages
2004-05-25 13:23 How to change DNS with iptables rules ? Mark Alzino
2004-05-27  8:11 ` John A. Sullivan III [this message]
2004-05-27 22:26 ` Jorge Davila