Selective DNS Spoofing

Bob Steele rsteele at 1stlink.net
Mon Mar 26 00:58:08 UTC 2001


This is the current configuration (almost).  During login I place a filter on
the user such that if they enter a foreign URL they are blocked and unable to
leave the building.  If a foreign host hits the page they are able to load it,
which in this case is desirable.  The problem is that this configuration doesn't
address the "un-aware" users.  Unless the user explicitly enters the web page's
URL in their browser, the page will never be loaded.  In an attempt to "aid"
these users, it's desirable to send them to the correct page regardless of what
URL they enter, thereby educating them in the process.
Bob Steele


Lyle wrote:

> From my view, you are going about it from the wrong angle.  Since the dialup
> users are part of a set pool of IP addresses, put access controls in your
> Internet routers.  In other words, don't let traffic from that subnet leave
> the building.  Then even if they get the web address of a foreign website,
> they can't load it as the traffic would be blocked by the routers.
>
> Lyle
>
> -----Original Message-----
> From: Bob Steele [mailto:rsteele at 1stlink.net]
> Sent: Saturday, March 24, 2001 8:44 PM
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Selective DNS Spoofing
>
> I have a unique problem that I suspect will require the modification of
> the BIND source to solve.  Basically I am providing a free dialup
> service using a portmaster 3.  This service allows a user to log into my
> network with a guest account and access a specific web page.   The
> portmaster correctly tells the user's computer to use my primary and
> secondary DNS servers to resolve requests.  Because the free service
> limits the user to my network and web page, it is impossible for the
> user to hit any address other than those I allow.  While the user is
> able to enter the URL for my web page in his browser, it would be
> desirable to force the user to the web page regardless of the URL that
> he enters into his browser.  This could easily be done if the DNS
> servers returned the IP address of the free web page regardless of the
> URL the user enters.   However, things get complicated because not all
> users log in with the limited guest account.  Some users are allowed to
> surf without limitation, and hence the DNS servers are required to
> function normally for such users.  Fortunately some distinction between
> the users is present because the guest account users are assigned IP
> addresses from a separate and distinguishable pool.
>
> I believe the only way to build this functionality into the free dial
> service is to modify BIND in such a way that it determines which
> inquiries to process normally, and which inquiries to spoof.   Because
> the guest users have a distinguishable IP address there should not be a
> lot of overhead in determining which inquiries require modification.
>
> In an attempt to solve the above problem, I've delved deeply into the
> BIND source and found it very complex.  I quickly discovered that the
> DNS inquiries are handled through event handlers located in
> /src/lib/isc/eventlib.c.  It appears that the incoming event is
> retrieved by evGetNext() and handled by evDispatch().  However, I have
> not been able to locate the relevant code that is dispatched, or even
> which function evDispatch() is passing control to during a DNS inquiry.
>
> Has anyone had previous experience solving such a problem or know how to
> easily solve the above situation?  Secondly, could someone explain where
> and how the evDispatch() function is associating functions to specific
> requests?  Any help or ideas would be greatly appreciated.
>
> Bob Steele
> (303) 420-9953 - Voice
> email: rsteele at 1stlink.net
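As an added example (not from either poster), the per-pool behaviour asked for above can be expressed in BIND 9 without patching the source: a view matched on the guest address pool serves a catch-all root zone whose wildcard answers every name with the portal's address, while a second view resolves normally for everyone else. The 10.1.0.0/24 pool, the 192.0.2.10 portal address and the file names are assumptions.

```conf
// --- named.conf (BIND 9) ---
// Addresses and file names are assumed values, not from the thread.
acl "guest-pool" { 10.1.0.0/24; };        // pool handed out to guest dial-up logins

// Views are tried in order: the guest view must come before the general one.
// Once any view is defined, every zone statement must live inside a view.
view "guest" {
    match-clients { guest-pool; };
    recursion no;                         // guests get answers only from the zone below
    zone "." {                            // authoritative for the entire namespace
        type master;
        file "guest-root.db";
    };
};

view "everyone-else" {
    match-clients { any; };
    recursion yes;                        // full-access users resolve normally
    zone "." {
        type hint;
        file "named.ca";                  // standard root hints
    };
    // ... the server's regular authoritative zones go here ...
};

; --- guest-root.db (zone file loaded by the guest view) ---
; Short TTL so a guest browser does not keep the portal address for long.
$TTL 60
$ORIGIN .
@       IN SOA  portal. hostmaster.portal. ( 2001032601 3600 900 604800 60 )
@       IN NS   portal.
portal. IN A    192.0.2.10                ; the free-service web page (assumed address)
*.      IN A    192.0.2.10                ; every other name, at any depth, gets the same answer
```

This only steers name lookups; a guest who types an IP address directly still needs the router filter Lyle describes, so the two measures belong together.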


