How can I use iptables to duplicate outgoing DNS requests and send the copy to a different nameserver?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
-1
down vote

favorite












I have a host running Debian which is making DNS requests to some nameserver. My goal is to copy the outgoing DNS requests, change the destination IP and fire away. The authoritative copy is still the original request, the duplicated requests response should be ignored.



My hope is that I can use iptables TEE with DNAT to first copy the DNS request to localhost, then to change the destination IP on it to be that of my DNS monitoring solution, which is somewhere on the WAN.



I am able to clone the DNS request with TEE successfully:



iptables -t mangle -A OUTPUT -p udp --dport 53 --destination NORMAL_NAMESERVER -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.2


If I then run netcat, I see a copied DNS packet, though it gives me a weird error message:



root@dns-cloning-test:~# sudo nc -u -l 127.0.0.1 -p 53


invalid connection to [...] from (UNKNOWN) [...] 60835



When I try to use DNAT, I just don't see any outbound traffic to 8.8.8.8, my test IP:



iptables -t nat -A PREROUTING -j DNAT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED --to-destination 8.8.8.8:53


I've been using tcpdump to monitor for outbound packets to 8.8.8.8. Very liberal filter:



tcpdump -i any "port 53"


All help would be much appreciated. I've been blocked for over a week.



Caveats to preempt some answers: I can't change the nameserver it makes requests to. I'd prefer not to add any new software. For those curious, my goal is to get DNS data into a DNS monitoring solution. This article and other sources around the web make me think this should be possible: https://zapier.com/engineering/iptables-replication/










share|improve this question







New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Didn't you already ask exactly the same question?
    – RalfFriedl
    5 hours ago










  • No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
    – returneax
    4 hours ago














up vote
-1
down vote

favorite












I have a host running Debian which is making DNS requests to some nameserver. My goal is to copy the outgoing DNS requests, change the destination IP and fire away. The authoritative copy is still the original request, the duplicated requests response should be ignored.



My hope is that I can use iptables TEE with DNAT to first copy the DNS request to localhost, then to change the destination IP on it to be that of my DNS monitoring solution, which is somewhere on the WAN.



I am able to clone the DNS request with TEE successfully:



iptables -t mangle -A OUTPUT -p udp --dport 53 --destination NORMAL_NAMESERVER -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.2


If I then run netcat, I see a copied DNS packet, though it gives me a weird error message:



root@dns-cloning-test:~# sudo nc -u -l 127.0.0.1 -p 53


invalid connection to [...] from (UNKNOWN) [...] 60835



When I try to use DNAT, I just don't see any outbound traffic to 8.8.8.8, my test IP:



iptables -t nat -A PREROUTING -j DNAT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED --to-destination 8.8.8.8:53


I've been using tcpdump to monitor for outbound packets to 8.8.8.8. Very liberal filter:



tcpdump -i any "port 53"


All help would be much appreciated. I've been blocked for over a week.



Caveats to preempt some answers: I can't change the nameserver it makes requests to. I'd prefer not to add any new software. For those curious, my goal is to get DNS data into a DNS monitoring solution. This article and other sources around the web make me think this should be possible: https://zapier.com/engineering/iptables-replication/










share|improve this question







New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Didn't you already ask exactly the same question?
    – RalfFriedl
    5 hours ago










  • No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
    – returneax
    4 hours ago












up vote
-1
down vote

favorite









up vote
-1
down vote

favorite











I have a host running Debian which is making DNS requests to some nameserver. My goal is to copy the outgoing DNS requests, change the destination IP and fire away. The authoritative copy is still the original request, the duplicated requests response should be ignored.



My hope is that I can use iptables TEE with DNAT to first copy the DNS request to localhost, then to change the destination IP on it to be that of my DNS monitoring solution, which is somewhere on the WAN.



I am able to clone the DNS request with TEE successfully:



iptables -t mangle -A OUTPUT -p udp --dport 53 --destination NORMAL_NAMESERVER -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.2


If I then run netcat, I see a copied DNS packet, though it gives me a weird error message:



root@dns-cloning-test:~# sudo nc -u -l 127.0.0.1 -p 53


invalid connection to [...] from (UNKNOWN) [...] 60835



When I try to use DNAT, I just don't see any outbound traffic to 8.8.8.8, my test IP:



iptables -t nat -A PREROUTING -j DNAT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED --to-destination 8.8.8.8:53


I've been using tcpdump to monitor for outbound packets to 8.8.8.8. Very liberal filter:



tcpdump -i any "port 53"


All help would be much appreciated. I've been blocked for over a week.



Caveats to preempt some answers: I can't change the nameserver it makes requests to. I'd prefer not to add any new software. For those curious, my goal is to get DNS data into a DNS monitoring solution. This article and other sources around the web make me think this should be possible: https://zapier.com/engineering/iptables-replication/










share|improve this question







New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I have a host running Debian which is making DNS requests to some nameserver. My goal is to copy the outgoing DNS requests, change the destination IP and fire away. The authoritative copy is still the original request, the duplicated requests response should be ignored.



My hope is that I can use iptables TEE with DNAT to first copy the DNS request to localhost, then to change the destination IP on it to be that of my DNS monitoring solution, which is somewhere on the WAN.



I am able to clone the DNS request with TEE successfully:



iptables -t mangle -A OUTPUT -p udp --dport 53 --destination NORMAL_NAMESERVER -m state --state NEW,ESTABLISHED,RELATED -j TEE --gateway 127.0.0.2


If I then run netcat, I see a copied DNS packet, though it gives me a weird error message:



root@dns-cloning-test:~# sudo nc -u -l 127.0.0.1 -p 53


invalid connection to [...] from (UNKNOWN) [...] 60835



When I try to use DNAT, I just don't see any outbound traffic to 8.8.8.8, my test IP:



iptables -t nat -A PREROUTING -j DNAT -i eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED --to-destination 8.8.8.8:53


I've been using tcpdump to monitor for outbound packets to 8.8.8.8. Very liberal filter:



tcpdump -i any "port 53"


All help would be much appreciated. I've been blocked for over a week.



Caveats to preempt some answers: I can't change the nameserver it makes requests to. I'd prefer not to add any new software. For those curious, my goal is to get DNS data into a DNS monitoring solution. This article and other sources around the web make me think this should be possible: https://zapier.com/engineering/iptables-replication/







linux networking iptables iptables-redirect






share|improve this question







New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 6 hours ago









returneax

992




992




New contributor




returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






returneax is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Didn't you already ask exactly the same question?
    – RalfFriedl
    5 hours ago










  • No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
    – returneax
    4 hours ago
















  • Didn't you already ask exactly the same question?
    – RalfFriedl
    5 hours ago










  • No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
    – returneax
    4 hours ago















Didn't you already ask exactly the same question?
– RalfFriedl
5 hours ago




Didn't you already ask exactly the same question?
– RalfFriedl
5 hours ago












No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
– returneax
4 hours ago




No, but they're similar. The question you are referring to is here: serverfault.com/questions/934451/… That question is about incoming packets. This one is about outgoing packets.
– returneax
4 hours ago















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






returneax is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f474377%2fhow-can-i-use-iptables-to-duplicate-outgoing-dns-requests-and-send-the-copy-to-a%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes








returneax is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















returneax is a new contributor. Be nice, and check out our Code of Conduct.












returneax is a new contributor. Be nice, and check out our Code of Conduct.











returneax is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f474377%2fhow-can-i-use-iptables-to-duplicate-outgoing-dns-requests-and-send-the-copy-to-a%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?