Selective DNS Spoofing

Jim Reid jim at rfc1035.com
Sun Mar 25 17:41:32 UTC 2001


>>>>> "Bob" == Bob Steele <rsteele at 1stlink.net> writes:

    Bob> I have a unique problem that I suspect will require the
    Bob> modification of the BIND source to solve. 

Nope.

    Bob> I believe the only way to build this functionality into the
    Bob> free dial service is to modify BIND in such a way that it
    Bob> determines which inquiries to process normally, and which
    Bob> inquiries to spoof.  Because the guest users have a
    Bob> distinguishable IP address there should not be a lot of
    Bob> overhead in determining which inquiries require modification.

Use the views mechanism in BIND9. A name space can be tagged to IP
addresses. So if the guest account IP addresses are fixed and known in
advance, present them with a name space that only lets them see what
you want them to see.

Another way of doing this might be the NetReg scheme that was written
up at USENIX (or LISA?) a while ago. This was to allow new students to
register themselves on a campus LAN without having to hassle the
computer centre. Unknown MAC addresses were assigned IP addresses and
a special DNS server by the DHCP server. The name server pointed them
at a registration web page and nowhere else.
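
A named.conf for the views approach described in the reply above, as an added example that is not part of the original post. The address ranges, ACL and view names, file paths and the wildcard zone contents are assumptions (documentation prefixes and placeholder names), not values from the thread.

```conf
// Constructed example: every address, name and path below is a placeholder.
acl "guests"      { 192.0.2.0/24; };     // assumed guest dial-up pool
acl "subscribers" { 198.51.100.0/24; };  // assumed normal customer pool

options {
    directory "/var/named";
};

// Views are tried in order and the first match-clients hit wins,
// so the restricted view is listed first.
view "guest" {
    match-clients { "guests"; };
    recursion no;            // guests never reach the real DNS tree

    // This view is authoritative for the root, so any name a guest
    // asks for is answered from the local zone file below.
    zone "." {
        type master;
        file "guest/root.zone";
    };
};

// Everyone else gets ordinary recursive service, limited to known
// customers so the server is not an open resolver.
view "subscribers" {
    match-clients { "subscribers"; };
    recursion yes;

    zone "." {
        type hint;
        file "named.ca";
    };
};

// guest/root.zone (constructed). The short TTL keeps a guest who later
// becomes a subscriber from holding on to the substituted answers.
//   $TTL 60
//   @                 IN SOA ns.guest.invalid. hostmaster.guest.invalid. (
//                            1 3600 600 86400 60 )
//   @                 IN NS  ns.guest.invalid.
//   ns.guest.invalid. IN A   192.0.2.1
//   *                 IN A   192.0.2.80   ; sign-up web server
```

Once any view is defined, every zone statement has to live inside a view; `named-checkconf` will flag a stray top-level zone before the server is reloaded.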

