[iodine-users] iodine mangling passthrough DNS queries?
Rick van Rein
rick at vanrein.org
Mon Mar 2 17:59:04 CET 2015
Hi Erik,
> Recommended way of running together with a 'real' nameserver is to
> filter based on packet content in the firewall,
> see this tip: http://dev.kryo.se/iodine/wiki/TipsAndTricks#Runningiodineside-by-sidewithanotherDNSserver
A few remarks to this iptables setup:
* The -j REDIRECT always ends up locally; this may not be ideal when using DNS in a container and filtering externally; but you can also use -j DNAT --to-destination <iodineIP>:<iodinePort>
* The --from parameters are better set to 40, avoiding more false positives by skipping not only the IPv4 header but also UDP, the DNS.flags and the 4 DNS counters.
* I couldn't test because I set up with DNAT, but: since the raw mode _starts_ with three fixed/known bytes, their exact position can be pinned and thus false positives avoided with --from 28 and --to 28 or about 31 — my setup doesn't let me test what the value must be, and `iptables -m string -help` is not very clear on this:
--to Offset to stop searching
Of course, 28 skips IPv4 and UDP headers.
Cheers,
-Rick
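The offsets discussed above can be checked without a live firewall. The following is an added example, not code from this thread, from iodine or from the iodine wiki: it builds IPv4/UDP/DNS packets in memory, shows that the DNS header starts at byte 28 and the question section at byte 40, and runs a small model of `-m string --from/--to` over them. Assumptions: the topdomain `t1.example.com`, the query names and the transaction IDs are constructed; `xt_string_match` assumes that `--to` is one past the last byte scanned and that the pattern must lie entirely inside the window (the thread notes the help text does not settle this); the three-byte `MAG` marker only stands in for a fixed header at the start of a raw-mode payload and is not iodine's actual raw header.

```python
"""Byte-offset check for iptables '-m string --from/--to' DNS filtering.

Constructed example: packets are built in memory, nothing is sent.
"""
import struct
from socket import inet_aton

IPV4_HDR = 20                            # IPv4 header without options
UDP_HDR = 8
DNS_HDR = 12                             # ID, flags, QD/AN/NS/AR counts
DNS_OFFSET = IPV4_HDR + UDP_HDR          # 28: first byte of the DNS header
QUESTION_OFFSET = DNS_OFFSET + DNS_HDR   # 40: first byte of QNAME


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(qname: str, txid: int, flags: int = 0x0100) -> bytes:
    """Minimal DNS query: header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_udp_ipv4(payload: bytes, src="192.0.2.10", dst="192.0.2.53",
                  sport=40000, dport=53) -> bytes:
    """Prepend UDP and IPv4 headers (UDP checksum left at 0 = absent)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(udp), 0, 0x4000,
                     64, 17, 0, inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def xt_string_match(packet: bytes, pattern: bytes, frm: int = 0, to: int = 65535) -> bool:
    """Model of '-m string --from FRM --to TO'.

    ASSUMPTION (not verified against xt_string.c here): bytes frm..to-1 are
    scanned and the pattern has to fit completely inside that window.
    """
    return pattern in packet[frm:to]


# Assumed iodine topdomain, encoded the way it appears in QNAME (constructed).
TOPDOMAIN_PATTERN = encode_qname("t1.example.com")


def demo() -> dict:
    # Constructed queries: one tunnel-style, one ordinary lookup.
    iodine_q = wrap_udp_ipv4(build_dns_query("zq9xk3.t1.example.com", txid=0x1234))
    benign_q = wrap_udp_ipv4(build_dns_query("www.example.com", txid=0x1234))
    # Constructed corner case: ID 0x0274 and flags 0x3100 spell "\x02t1" at
    # offset 28, so a short label pattern searched from 28 hits header bytes.
    unlucky_q = wrap_udp_ipv4(build_dns_query("www.example.net", txid=0x0274, flags=0x3100))
    short_pat = b"\x02t1"
    # Placeholder raw-style payloads: marker at offset 28, and shifted by one byte.
    raw_q = wrap_udp_ipv4(b"MAG" + b"\x00" * 8)
    shifted_q = wrap_udp_ipv4(b"\x00" + b"MAG" + b"\x00" * 8)
    return {
        "dns_offset": DNS_OFFSET,
        "question_offset": QUESTION_OFFSET,
        "iodine_from28": xt_string_match(iodine_q, TOPDOMAIN_PATTERN, 28),
        "iodine_from40": xt_string_match(iodine_q, TOPDOMAIN_PATTERN, 40),
        "benign_from40": xt_string_match(benign_q, TOPDOMAIN_PATTERN, 40),
        "unlucky_short_from28": xt_string_match(unlucky_q, short_pat, 28),
        "unlucky_short_from40": xt_string_match(unlucky_q, short_pat, 40),
        "pinned_at28": xt_string_match(raw_q, b"MAG", 28, 31),
        "shifted_pinned": xt_string_match(shifted_q, b"MAG", 28, 31),
        "shifted_unpinned": xt_string_match(shifted_q, b"MAG", 28),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The topdomain pattern matches the tunnel query whether scanning starts at 28 or 40, while the ordinary query never matches; the `unlucky` case shows the header bytes a `--from 28` rule still exposes to a short pattern, and the two raw-style packets show what pinning with `--to 31` buys under the stated model of `--to`.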