Selective DNS Spoofing

Brad Knowles brad.knowles at skynet.be
Mon Mar 26 02:32:50 UTC 2001


At 6:10 PM -0700 3/25/01, Bob Steele wrote:

>  I had thought about this but had dismissed it partially based upon reasons of
>  limited experience with BIND and an uncertainty if the portmaster 3 is capable
>  of assigning differing sets of name servers based upon the account classes.
>  If such a capability is present in the portmaster, then such a configuration
>  would be a good idea.

	It should certainly be capable of doing this, but I don't have 
any first-hand experience with it one way or the other -- Dial-up 
terminal servers, RADIUS, etc... are not areas where I have done much 
in the way of work.

	However, I do know that at least some terminal servers can 
certainly be configured to hand out different nameservers, default 
routers, etc... based on the RADIUS account information, because we 
had problems with this happening on certain mis-configured terminal 
servers causing problems of this sort with some of the customers we 
had at a previous employer.

>  Jim Reid has suggested that I use the views mechanism to resolve them to the
>  correct page.  This functionality is not present in the version of BIND that
>  I'm currently using.  Hence I'm upgrading BIND tonight and will try such.
>  Should my tests fail, then this would probably be the next course of action.

	Using views would certainly be another valid way to do it, and 
would require that you have fewer name server machines to maintain 
(unless you had multiple IP addresses assigned to the same server(s), 
and ran different configurations of BIND on each).

	Using views might be a bit more complex to get things set up, but 
it probably wouldn't be any more complex than setting up an internal 
root server and using wildcard records, or setting up two copies of 
BIND running on the same machine(s) with different configurations to 
serve the two sets of customers.  Using views would also give you 
better future flexibility, if you needed to add a third set of 
customers who got an even different set of answers from the two we've 
been talking about so far.

	Given my choice, I'd probably use views.  However, it would 
depend on the ability to be able to upgrade to BINDv9, and if that 
isn't feasible or you can't figure out how to make that work, then 
you'd have to try something else with BIND 8.

>  Out of curiosity, do you know if the PM3 is capable of user classes and
>  assignment of differing name servers?

	Sorry, I don't have any personal experience with Livingston 
equipment, at least not as an admin.
-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
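As an added illustration of the views approach discussed above (example configuration written for this page, not part of the original message nor taken from BIND's own documentation), here is a minimal BIND 9 named.conf that gives one account class a wildcard catch-all answer inside its own view while everyone else gets ordinary recursion; the address pools, the hostname "captive.", the file names and the directory are constructed assumptions, and the whole scheme only works if the terminal server really does hand the two account classes addresses from distinct pools.

```conf
// named.conf (BIND 9). Assumption: the terminal server / RADIUS gives each
// account class its own address pool, otherwise views cannot tell them apart.
acl "restricted-pool" { 192.0.2.0/24; };     // constructed: accounts to redirect
acl "customer-pool"   { 198.51.100.0/24; };  // constructed: accounts served normally

options {
    directory "/var/named";                  // assumed path
};

// Views are tried in order and the first match-clients hit wins,
// so the restricted view must be listed before the catch-all one.
view "restricted" {
    match-clients { restricted-pool; };
    recursion no;                            // nothing is looked up upstream for them
    // This view is authoritative for "." itself: combined with the wildcard in
    // captive-root.db, every name these clients ask for gets the notice page.
    zone "." {
        type master;
        file "captive-root.db";
    };
};

view "normal" {
    match-clients { customer-pool; any; };   // everyone else: ordinary resolver
    recursion yes;
    zone "." {
        type hint;
        file "named.root";                   // the usual root hints file
    };
};

; ---- captive-root.db, loaded only by view "restricted" (zone-file syntax) ----
$TTL 60                                ; short TTL: clients recover fast once moved
.          IN SOA captive. hostmaster.captive. ( 2001032601 3600 900 604800 60 )
.          IN NS  captive.
captive.   IN A   192.0.2.53           ; constructed: this name server (single label,
                                       ; so no real domain is shadowed by it)
*.         IN A   192.0.2.80           ; constructed: the notice/payment web host
```

To check it, query the server for some ordinary name from a host in each pool: a restricted-pool client should get 192.0.2.80 for everything, a customer-pool client the real answer. If the pools overlap, or the terminal server draws both classes from one range, the two views collapse into whichever matches first and the split is lost.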


More information about the bind-users mailing list