DNS Lying to Linux Clients?

Jonathan de Boyne Pollard J.deBoynePollard at tesco.net
Mon Aug 18 13:35:38 UTC 2003


BE> Is it possible to use DNS Lying with Linux clients?

Yes.  It's not wise though - partly because it's very easy to misconfigure it
thinking that it does something that it actually does not; and partly because
it affects _all_ services, not just HTTP.  

The DNS is not The World Wide Web.

BE> DNS Lying is when a DNS server [...]

DNS Lying is a rather foolishly designed feature of DNS Commander.  (This
forum is for discussing ISC's BIND, by the way, not for discussing Incognito's
DNS Commander.)  

One of the foolish aspects of the design of DNS Commander's DNS Lying
"feature" is that it allows a DNS administrator to configure it such that it
sends an answer back in a response that is wholly unrelated to the question
that was actually asked.  For example, a DNS Commander instance could be
configured to send a response that contained:

	Question: www.google.com. IN A
	Answer: bob.elliot.person. IN A 86400 192.168.1.1

The DNS Commander documentation encourages DNS administrators to believe that
this is answering the question with a "lie" that points the DNS Client making
the query to a different domain name.  But it is not.  DNS Clients will look
for resource record sets in the response that match the owner domain name and
type of the question that they want the answer to.  As you have discovered,
DNS Clients correctly take the above to be an answer containing an empty "A"
resource record set for "www.google.com." (what section 2.2 of RFC 2308
lists as a type 3 response), and so treat that domain name as having no
associated IP addresses.  The "A" resource record for "bob.elliot.person." is
just so much irrelevant chaff that is ignored by DNS Clients.

It's worth noting that the examples in the DNS Commander documentation
carefully avoid using anything other than the magic "?" directive in the
"answ-RR-name" field of a "lie", and so carefully avoid this whole area where
its DNS Lying "feature" doesn't actually do what DNS administrators are misled
to believe it does.

BE> Is there any work around on the DNS server side?

Yes.  Don't use DNS Commander's foolish DNS Lying feature.

And don't use DNS as the tool for addressing HTTP service or IP routing
issues.  If you really want to forcibly intercept all HTTP traffic (as
opprobrious a goal as that actually is), use an interception proxy HTTP
server.  If you really want to re-route all IP traffic, use routing rules.

