pantz.org banner
Using dnsspoof to cut bandwidth on internal traffic
Posted on 07-21-2006 03:22:00 UTC | Updated on 07-21-2006 03:22:00 UTC
Section: /software/dsniff/ | Permanent Link

So here is the scenario. You have a private network behind a NAT router. The private network has servers that have two network interfaces. One with private ip's and one with public ip's. Some servers just have ports being forwarded from the NAT router to one interface on servers with a private inteface. Now these public ip's have DNS names attached to them. They have DNS names on the internal network. The zones are served out by the internal DNS servers with internal ip's. They also have DNS names on the external network. These DNS names have have zones that are served by an external DNS server on a public address that we have no control over.

When a user on the internal network makes a request to one of the internal DNS servers they do the zone lookup for the domain requested. If they don't own that zone they forward the request to the external upstream DNS servers for an answer. That answer comes back with the public ip that server. So the person who made the request makes a connection to the server using it's public ip address. Everything will work perfectly fine. Problem is the same service is is running on the internal ip of the same server they are trying to contact. Contacting it internally it's like 2 or 3 hops over the network. Contacting the server with the external ip the hops go up to like double or triple that. How inefficient and slow.

So to fix this all we really want to do is tell the internal DNS servers that if they recieve any queries for specific external names respond with the internal ip addresses of those servers and let any other query for those zones through. Easier said than done. DNS is a bit strict about zones. You either own the whole zone or you don't. So if we put that zone in our internal DNS server we would have to know all the ip's for that zone so any name looked up by internal clients would work correctly. We only know the names for the servers names we have in the zone. You can't just put part of a zone in a dns server and tell the DNS daemon to forward the rest of the queries. That is as far as I know you can't. You either forward all the queries on zones you don't have or give answers to queries on zones you do control.

The hack to work around this is not pretty but it works great. I downloaded source for the suite of programs called Dsniff created by Dug Song. This is a great package for evaluating the security of your network. Anyway there is a program in there called dnsspoof. It will listen on your network interface and rewrite and respond to DNS queries coming into that interface. You list the host names and matching ip's in a file and give it to dnsspoof. If a query comes in with that name it responds with the ip you gave in the file.

So you just give it a list of your external names your servers are known by and the internal ip that same server is known by. Run it on your internal (caching) DNS servers and they will respond with the internal ip anytime they specified external name is queried. Any other queries not on the dnsspoof list is ignored by it. The query then reaches the actual DNS service and it is forwarded upstream for the name lookup. The external ip address is returned like usual.

The only problem I found with this is the program rsh does not like when the reverse and forward lookup hostnames don't match. So I had to edit the source of dnsspoof to disable reverse DNS lookups (PTR records). Since I really only needed forward (A record) lookups anyway this was not a big deal.

The results are fantastic. Traffic that used to go all the way out of the network then come back in is now staying local. Bandwidth to the outside interface has dropped by a large margin. Users can access the local services that have public and private addresses at gigabit speeds instead of the speeds of the external networks.

Reddit!

Related stories


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

encryption

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

gpg

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

spotify

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemd

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib