AW: Dns doctoring/dnsmasq -V on bind?

someone someone at
Mon Jan 17 14:30:34 UTC 2011

Running internal stuff over nat and the firewall is bad practice and should
be avoided as it uselessly loads the firewall, increases the complexity of
the rules and creates bottlenecks on a fast network backbone.

You might be correct for home systems where running over your firewall and
NAT for every internal request increases the hopcount by one at max.

But if you have like a building with 1200 people using 1 Gbit+ network and
you have to route them to your 100 Mbit firewall for all internal requests,
it would just generate useless traffic on many, many devices, slowing down
the backbone...

I know ist pretty dumb to say that on a dns mailinglist, but in comparison
to significantly slowing down the network i could not care less about
Also broken dnssec may never lead to clients not resolving the name without
asking the user first. 
"Oh well, the cache is poisioned, lets just not resolve the name and dont
give the user the possibility to use this (might valid) resolved addr" ...
nice denial of service scenario ;)

And users getting a warning when accessing the internal pages... They would
learn to accept that.

iptables -t nat -A PREROUTING -d -j DNAT --to -i
Where eth1 = wan.
You do *not* want "anyone <-> anywhere" scenarios - that is the first step
to having an insecure network ;)

So again the question is: is there a way to do dns doctoring with bind only?


-----Ursprüngliche Nachricht-----
Von: at
[ at] Im Auftrag von
Phil Mayers
Gesendet: Montag, 17. Januar 2011 12:17
An: bind-users at
Betreff: Re: Dns doctoring/dnsmasq -V on bind?

On 17/01/11 00:23, someone wrote:
> If you have any ideas how to do dns doctoring with bind9 (or 
> netfilter) please give me some hints ;)

Have you considered that this will break DNSSEC, and as time goes by, may
not work at all (if clients become full validating DNSSEC resolvers)?

I'm a little curious why you don't leave the DNS responses unchanges, and
instead NAT the actual IP traffic, which would surely have the same effect

iptables -t nat -A PREROUTING -d -j DNAT --to
bind-users mailing list
bind-users at

More information about the bind-users mailing list