[iodine-users] iodine mangling passthrough DNS queries?

Rick van Rein rick at vanrein.org
Mon Mar 2 17:59:04 CET 2015


Hi Erik,

> Recommended way of running together with a 'real' nameserver is to
> filter based on packet content in the firewall,
> see this tip: http://dev.kryo.se/iodine/wiki/TipsAndTricks#Runningiodineside-by-sidewithanotherDNSserver

A few remarks to this iptables setup:

* The -j REDIRECT always ends up locally; this may not be ideal when using DNS in a container and filtering externally; but you can also use -j DNAT --to-destination <iodineIP>:<iodinePort>

* The --from parameters are better set to 40, avoiding more false positives by skipping not only the IPv4 header but also UDP, the DNS.flags and the 4 DNS counters.

* I couldn’t test because I set up with DNAT, but: Since the raw mode _starts_ with three fixed/known bytes, their exact position can be pinned and thus false positives avoided with --from 28 and --to 28 or about 31 — my setup doesn’t let me test what the value must be, and `iptables -m string -help` is not very clear on this:
	--to                         Offset to stop searching
Of course, 28 skips IPv4 and UDP headers.

Cheers,
 -Rick
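Added example, not from the post above and not iodine project code: a small Python model of the byte layout those offsets refer to. It builds constructed IPv4/UDP/DNS packets in memory and emulates the search window of `-m string --from X --to Y` so the effect of 28 versus 40, and of a narrow --to, can be checked offline. Assumptions, labelled in the code as well: xt_string counts offsets from the first byte of the IPv4 header and requires the whole pattern to lie inside [from, to); RAW_MARKER is a placeholder for the three fixed raw-mode bytes, not iodine's real prefix (take that from the wiki tip). The example also goes one step beyond the post: it shows that IPv4 options push the DNS header past offset 28, so a rule pinned to 28..31 silently stops matching such packets.

```python
"""
Added example (not from the iodine project or the list post).

Assumptions:
  * `-m string --from F --to T` searches packet bytes [F, T), counted from
    the start of the IPv4 header, and the pattern must fit entirely inside
    that window.
  * RAW_MARKER is a made-up stand-in for the three fixed leading bytes of
    iodine raw mode; substitute the value from the wiki tip.
"""
import struct

IPV4_HDR_LEN = 20   # minimum IPv4 header (no options)
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12    # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

DNS_OFFSET = IPV4_HDR_LEN + UDP_HDR_LEN       # 28: first byte of the DNS header
QUESTION_OFFSET = DNS_OFFSET + DNS_HDR_LEN    # 40: first byte after the DNS header

RAW_MARKER = b"\x10\xd1\x9e"  # placeholder, not iodine's real raw-mode prefix


def encode_qname(name: str) -> bytes:
    """RFC 1035 wire encoding of a domain name."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_packet(dns_payload: bytes, ip_options: bytes = b"", src_port: int = 40000) -> bytes:
    """Constructed IPv4 + UDP datagram to port 53 carrying dns_payload.
    Checksums are left as zero; only the byte layout matters here."""
    if len(ip_options) % 4:
        ip_options += b"\x00" * (4 - len(ip_options) % 4)  # pad to 32-bit words
    ihl = (IPV4_HDR_LEN + len(ip_options)) // 4
    total_len = ihl * 4 + UDP_HDR_LEN + len(dns_payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x40 | ihl, 0, total_len, 0x1234, 0, 64, 17, 0,
                       bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + ip_options
    udp = struct.pack("!HHHH", src_port, 53, UDP_HDR_LEN + len(dns_payload), 0)
    return ipv4 + udp + dns_payload


def dns_header(txid: int, flags: int = 0x0100, qdcount: int = 1) -> bytes:
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)


def dns_offset(packet: bytes) -> int:
    """Where the DNS message really starts: IHL*4 + 8. This is 28 only when
    the IPv4 header carries no options."""
    return (packet[0] & 0x0F) * 4 + UDP_HDR_LEN


def string_match(packet: bytes, pattern: bytes, frm: int, to: int) -> bool:
    """Emulated `-m string --from frm --to to --hex-string pattern`
    (assumption: pattern must lie entirely within packet[frm:to])."""
    return pattern in packet[frm:to]


# Constructed sample traffic
NORMAL_QUERY = build_packet(
    dns_header(0xBEEF) + encode_qname("www.example.com") + struct.pack("!HH", 1, 1))

# Raw-mode style packet: the marker is the very first thing after UDP
RAW_PACKET = build_packet(RAW_MARKER + b"\x00" * 5 + b"tunnel data")

# Ordinary query whose first label happens to contain the marker bytes:
# a false positive for an unbounded search, not for the pinned one
LOOKALIKE_QUERY = build_packet(
    dns_header(0xBEEF) + b"\x03" + RAW_MARKER + b"\x03com\x00" + struct.pack("!HH", 1, 1))

# The raw packet again, now with 4 bytes of IPv4 options (NOP NOP NOP EOL)
RAW_WITH_OPTIONS = build_packet(RAW_MARKER + b"\x00" * 5 + b"tunnel data",
                                ip_options=b"\x01\x01\x01\x00")


def pinned_rule_matches(packet: bytes) -> bool:
    """The pinned rule from the post: --from 28 --to 31, i.e. exactly the
    three marker bytes at the start of the DNS section."""
    return string_match(packet, RAW_MARKER, DNS_OFFSET, DNS_OFFSET + len(RAW_MARKER))


def unbounded_rule_matches(packet: bytes) -> bool:
    """--from 28 with the default --to (end of packet)."""
    return string_match(packet, RAW_MARKER, DNS_OFFSET, len(packet))


if __name__ == "__main__":
    print("DNS header at offset", DNS_OFFSET, "- question section at", QUESTION_OFFSET)
    for name, pkt in [("normal", NORMAL_QUERY), ("raw", RAW_PACKET),
                      ("lookalike", LOOKALIKE_QUERY), ("raw+ipopts", RAW_WITH_OPTIONS)]:
        print(f"{name:10s} dns@{dns_offset(pkt):2d}  pinned={pinned_rule_matches(pkt)!s:5}"
              f"  unbounded={unbounded_rule_matches(pkt)}")
```

Run it as-is and the table shows the trade-off: the pinned window catches the raw packet and ignores the look-alike query, the unbounded window catches both, and neither fixed offset is right once IPv4 options are present (dns_offset() reports 32 there). Before deploying, confirm the [from, to) semantics against the xt_string module of your kernel, since that is exactly the point the post says `iptables -m string -help` leaves unclear.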

