No subject

Tue Apr 2 00:56:56 UTC 2013

users are part of a set pool of IP addresses, put access controls in your
Internet routers.  In other words, don't let traffic from that subnet leave
the building.  Then even if they get the web address of a foreign website,
they can't load it as the traffic would be blocked by the routers.

Lyle

-----Original Message-----
From: Bob Steele [mailto:rsteele at 1stlink.net]
Sent: Saturday, March 24, 2001 8:44 PM
To: comp-protocols-dns-bind at moderators.isc.org
Subject: Selective DNS Spoofing



I have a unique problem that I suspect will require the modification of
the BIND source to solve.  Basically I am providing a free dialup
service using a portmaster 3.  This service allows a user to log into my
network with a guest account and access a specific web page.   The
portmaster correctly tells the user's computer to use my primary and
secondary DNS servers to resolve requests.  Because the free service
limits the user to my network and web page, it is impossible for the
user to hit any address other than those I allow.  While the user is
able to enter the URL for my web page in his browser, it would be
desirable to force the user to the web page regardless of the URL that
he enters into his browser.  This could easily be done if the DNS
servers returned the IP address of the free web page regardless of the
URL the user enters.   However, things get complicated because not all
users log in with the limited guest account.  Some users are allowed to
surf without limitation, and hence the DNS servers are required to
function normally for such users.  Fortunately some distinction between
the users is present because the guest account users are assigned IP
addresses from a separate and distinguishable pool.

I believe the only way to build this functionality into the free dial
service is to modify BIND in such a way that it determines which
inquiries to process normally, and which inquiries to spoof.   Because
the guest users have a distinguishable IP address there should not be a
lot of overhead in determining which inquiries require modification.

In an attempt to solve the above problem, I've delved deeply into the
BIND source and found it very complex.  I quickly discovered that the
DNS inquiries are handled through event handlers located in
/src/lib/isc/eventlib.c.  It appears that the incoming event is
retrieved by evGetNext() and handled by evDispatch().  However, I have
not been able to locate the relevant code that is dispatched, or even
which function evDispatch() is passing control to during a DNS inquiry.

Has anyone had previous experience solving such a problem or know how to
easily solve the above situation?  Secondly, could someone explain where
and how the evDispatch() function is associating functions to specific
requests?  Any help or ideas would be greatly appreciated.

Bob Steele
(303) 420-9953 - Voice
email: rsteele at 1stlink.net
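The split Bob describes, one answer for the guest pool and normal resolution for everyone else, can be expressed with BIND 9 views keyed on the client's source address rather than a source modification. This is an added example, not configuration from the thread or from the BIND project; the guest prefix 192.0.2.0/24, the portal address 198.51.100.10, the name ns.portal.invalid and the file name guest-root.db are all placeholders chosen for the example.

```conf
// named.conf fragment (added example; addresses and names are placeholders).
acl guests { 192.0.2.0/24; };   // the pool the portmaster hands to guest logins

// Views are matched in order, so the guest view must come first.
// It is authoritative for "." and does no recursion, so nothing is ever
// looked up upstream for a guest client: every name comes from guest-root.db.
view "guest" {
    match-clients { guests; };
    recursion no;
    zone "." {
        type master;
        file "guest-root.db";
    };
};

// Unlimited accounts (any other source address): an ordinary recursive resolver.
view "default" {
    match-clients { any; };
    recursion yes;
};

// Contents of the separate file guest-root.db, served only inside the "guest"
// view. Zone-file syntax: ';' starts a comment, '@' is the zone apex ".".
//
//   $TTL 60
//   @                   IN SOA ns.portal.invalid. hostmaster.portal.invalid. ( 1 3600 900 604800 60 )
//   @                   IN NS  ns.portal.invalid.
//   ns.portal.invalid.  IN A   198.51.100.10
//   *                   IN A   198.51.100.10   ; wildcard: every other name -> portal
//
// Caveat: the NS owner creates empty non-terminals "invalid" and
// "portal.invalid", so names beneath them are NOT covered by the root
// wildcard and return NXDOMAIN; keep the NS name somewhere guests never query.
```

As Lyle says above, this only steers clients that actually use the assigned resolver; the access list on the Internet routers is what confines the guest pool, and a guest who configures another resolver or types an IP address is stopped by that filter, not by DNS.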