How can I use iptables to duplicate outgoing DNS requests and send the copy to a different nameserver?
I have a host running Debian which is making DNS requests to some nameserver. My goal is to copy the outgoing DNS requests, change the destination IP and fire away. The authoritative copy is still the original request; the duplicated request's response should be ignored.
My hope is that I can use iptables TEE with DNAT to first copy the DNS request to localhost, then to change the destination IP on it to be that of my DNS monitoring solution, which is somewhere on the WAN.
I am able to clone the DNS request with TEE successfully:
iptables -t mangle -A OUTPUT -p udp --dport 53 --destination NORMAL_NAMESERVER -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.2
If I then run netcat, I see a copied DNS packet, though it gives me a weird error message:
root@dns-cloning-test:~# sudo nc -u -l 127.0.0.1 -p 53
invalid connection to [...] from (UNKNOWN) [...] 60835
When I try to use DNAT, I just don't see any outbound traffic to 8.8.8.8, my test IP:
iptables -t nat -A PREROUTING -j DNAT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED --to-destination 8.8.8.8:53
I've been using tcpdump to monitor for outbound packets to 8.8.8.8. Very liberal filter:
tcpdump -i any "port 53"
All help would be much appreciated. I've been blocked for over a week.
Caveats to preempt some answers: I can't change the nameserver it makes requests to. I'd prefer not to add any new software. For those curious, my goal is to get DNS data into a DNS monitoring solution. This article and other sources around the web make me think this should be possible: https://zapier.com/engineering/iptables-replication/
linux networking iptables iptables-redirect
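As an added example (not code from the question or its comments), here is a small Python receiver that decodes each arriving DNS query instead of dumping raw bytes the way netcat does. It is meant for whichever end actually receives the copies as a locally addressed UDP datagram (for instance the monitoring host after the DNAT rewrite). It assumes the copies are plain UDP/53 datagrams as produced by the TEE rule; the bind address, port and the sample query are constructed values, not anything from the question.

```python
"""Decode cloned DNS queries instead of eyeballing them with netcat.

Added example, not part of the original question. It assumes the copies are
plain UDP/53 datagrams (as produced by the TEE rule) and shows two pieces:
a minimal DNS question decoder (RFC 1035 section 4.1) and a connectionless
UDP receiver that records each arriving query without ever answering it.
"""
import socket
import struct

# QTYPE numbers a monitoring feed most often needs to label (RFC 1035 / RFC 3596).
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
               15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}


def parse_dns_query(data: bytes) -> dict:
    """Return the header fields and the first question of a DNS message.

    Raises ValueError on truncated or malformed input so a monitor can count
    junk that arrives on port 53 separately from real queries.
    """
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    offset = 12
    while True:
        if offset >= len(data):
            raise ValueError("truncated QNAME")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length > 63:  # 0xC0 pointers and oversized labels are not valid in a query QNAME
            raise ValueError("invalid label length %d" % length)
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    if offset + 4 > len(data):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit: copies of requests have this clear
        "opcode": (flags >> 11) & 0xF,
        "recursion_desired": bool(flags & 0x0100),
        "qname": ".".join(labels) + ".",
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


def build_dns_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query for one name; used only to construct sample input."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def receive_queries(bind_addr: str, port: int, count: int) -> list:
    """Receive `count` datagrams and return one decoded record per datagram.

    Connectionless, so every peer is accepted, and nothing is ever sent back:
    the duplicate's answer is meant to be ignored, so the monitor must not
    turn into a resolver by accident.
    """
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(count):
            data, peer = sock.recvfrom(4096)
            try:
                record = parse_dns_query(data)
            except ValueError as exc:
                record = {"error": str(exc), "length": len(data)}
            record["peer"] = "%s:%d" % peer
            records.append(record)
    return records


if __name__ == "__main__":
    import sys
    # Constructed sample: what a cloned query for www.example.com (type A) looks like on the wire.
    sample = build_dns_query(0xBEEF, "www.example.com", 1)
    print(parse_dns_query(sample))
    if len(sys.argv) == 4:
        # Example: python3 dns_clone_listener.py 0.0.0.0 53 5  (port 53 needs root or CAP_NET_BIND_SERVICE)
        addr, port, count = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        for rec in receive_queries(addr, port, count):
            print(rec)
```

Two checks on the cloning host go well with this. Per-rule packet counters (`iptables -t mangle -L OUTPUT -v -n -x` and `iptables -t nat -L PREROUTING -v -n -x`) show whether the TEE and DNAT rules are matching at all, which is quicker than waiting for traffic in tcpdump. And because a copy sent toward gateway 127.0.0.2 travels over lo, `tcpdump -i lo -n udp port 53` shows whether the clone arrives there and with which destination address, which is what any rule on the input side is actually matching against.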
asked 6 hours ago
returneax
Didn't you already ask exactly the same question?
– RalfFriedl
5 hours ago
No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
– returneax
4 hours ago