(Repost) DNS hijacking configuration

August 22nd, 2009 Posted in DNS | Views: 474

Many telecom DNS resolvers implement DNS hijacking: when the domain name a user entered does not exist, the query is silently answered with a preconfigured IP address instead of an error.

Do not use this for illegal purposes. Because it requires F5 hardware, the content below has not been tested by me.

Source: http://bbs2.chinaunix.net/thread-1520811-1-1.html

Prerequisites:
1. An F5 LTM
2. DNS load that is not very high, or an F5 with enough headroom, e.g. the V10 platform

Principle:
A DNS response consists of a 12-byte header followed by four variable-length sections (question, answer, authority, additional). Within the 16-bit flags word, the 4-bit RCODE subfield occupying bits 28 to 31 of the header is the return code; its usual values are 0 (NOERROR) and 3 (NXDOMAIN, name error). A name error originates at an authoritative name server and means the domain name given in the query does not exist.
Therefore, by rewriting the header so that RCODE becomes 0 and ANCOUNT becomes 1, and replacing whatever follows the question section with an answer record that carries the chosen IP address, an NXDOMAIN response is turned into an ordinary A-record answer: the NXDOMAIN redirect.

iRules are event-driven policies written in the TCL scripting language. They let users draw on the power and flexibility of F5 solutions to get the most out of the application delivery network (in practice: control logic inserted while the packet is unpacked and reassembled).

Analysis and script: (see below and the attachment). The script's author also states explicitly that this practice violates the RFC, breaks anti-spam blacklist techniques, and may interfere with any check that relies on whether a domain resolves; it should be used with great caution.

The script tested fine. To deploy it on the F5, first apply a UDP-type profile to the virtual server, then attach this iRule to that virtual server.

Script content:

DNS_no_more_non_existent_domain

Contributed by: Yang MingFei (James Yang)
Modified by: Nat
Description
With this rule, BIGIP can convert a "non-existent domain" DNS query result into a "normal" response to the client. That helps when a client types the wrong domain name (e.g. "wwww.f5.com" instead of www.f5.com): when the request is sent to a load-balanced DNS cache server, the server returns a non-existent domain error (NXDOMAIN), and the browser's plugin then redirects to a search engine or some other site. After this rule is applied to the BIGIP that load balances the DNS cache servers, BIGIP replaces the cache DNS's error message with a response carrying a specified IP address, "wwww.f5.com = 200.100.4.10" in the sample rule. 200.100.4.10 may be the service provider's portal, or a friendly error page that points out the typo.

Note: Rewriting non-existent domain DNS responses can introduce serious security issues for any domain which is resolved in such a manner. It may also break SPAM blacklisting. For more information, see http://www.wired.com/threatlevel/2008/04/isps-error-page/
iRule Source
when RULE_INIT {
    set ::my_address {200 100 4 10}
    # Addr: 200.100.4.10, you can modify your own IP address here

    set ::header_without_id [binary format S5 {0x8180 0x0001 0x0001 0x0000 0x0000}]
    # predefined fixed header: the 10 bytes that follow the 16-bit ID
    #
    #                                 1  1  1  1  1  1
    #   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                      ID                       |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                    QDCOUNT                    |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                    ANCOUNT                    |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                    NSCOUNT                    |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                    ARCOUNT                    |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    #
    # flags 0x8180: QR = 1 (response), opcode = QUERY, AA = 0, TC = 0,
    #               RD = 1 (recursion desired), RA = 1 (recursion available),
    #               Z = 0, rcode = NOERROR
    # questions = 1, answers = 1, authority records = 0, additional = 0

    set ::answerpart [binary format S6c4 {0xC00C 0x0001 0x0001 0x0000 0x0D1B 0x0004} $::my_address]
    # predefined fixed answer section
    # Name: compression pointer 0xC00C = offset 12, i.e. same as the question QNAME
    # Type: A (host address)
    # Class: IN
    # Time to live: 0x00000D1B = 3355 s = 55 minutes, 55 seconds
    # Data length: 4
    # IPv4 Addr: xxx.xxx.xxx.xxx
    # Data structure (resource record format)
    #                                 1  1  1  1  1  1
    #   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |          NAME (pointer 0xC00C to QNAME)       |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                  Answer Type                  |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                     Class                     |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |              Time to live part 1              |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |              Time to live part 2              |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |                  Data length                  |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |               IP Address part 1               |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    # |               IP Address part 2               |
    # +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
}
when SERVER_DATA {
    # check rcode: the low 4 bits of the 16-bit flags word at byte offset 2
    binary scan [UDP::payload] @2S sflags
    set rcode [expr {$sflags & 0x000f}]
    # rcode = 3: Name Error (the domain name referenced in the query does not exist)
    if { $rcode == 3 } {
        # skip the 12-byte DNS header and jump to the QNAME of the first QUESTION;
        # the first byte holds the length of the first label
        binary scan [UDP::payload] @12c foo
        # make the byte an unsigned integer ("c" scans a signed byte)
        set byte [expr {($foo + 0x100) % 0x100}]
        # initialize our position in the QNAME parsing
        set offset 12
        # $i is a sanity check so this loop won't spin on invalid QNAMEs
        set i 0
        ############# extract QNAME from QUESTION section #############
        # note: a compression pointer (length byte >= 0xC0) in the QNAME is not
        # handled here; queries from real clients do not use one
        while { $byte > 0 && $i < 10 } {
            # advance past this label (length byte + label bytes)
            set offset [expr {$offset + $byte + 1}]
            # grab the length of the next label, and make it an unsigned integer
            binary scan [UDP::payload] @${offset}c foo
            set byte [expr {($foo + 0x100) % 0x100}]
            incr i
        }
        # step past the terminating zero-length label so $offset points at QTYPE
        incr offset
        ############# extract QTYPE from QUESTION section #############
        # grab the next 2 bytes that represent the QTYPE
        binary scan [UDP::payload] @${offset}S qtype
        # only rewrite if the QTYPE is 0x0001 (A, IPv4 host address);
        # any other type (AAAA = 28, MX, TXT, ...) passes through unchanged
        if { $qtype == 0x0001 } {
            # Pack the response packet:
            #  - keep the original query ID (bytes 0-1)
            #  - replace the remaining 10 header bytes with the predefined header
            #    (rcode = NOERROR, ANCOUNT = 1, NSCOUNT = 0, ARCOUNT = 0)
            #  - keep the QUESTION section
            #  - replace everything after it (answer, authority and additional
            #    sections) with the predefined answer section
            UDP::payload replace 2 10 $::header_without_id
            # skip QTYPE (2 bytes) and QCLASS (2 bytes) to the end of the QUESTION
            incr offset 4
            UDP::payload replace $offset [expr {[UDP::payload length] - $offset}] $::answerpart
        }
    }
}
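The rewrite described in the principle section and performed by the iRule above, carried out on raw DNS bytes, as an added example in Python. This is not code from the original post, from the iRule's authors or from F5; it uses only the Python standard library, and the NXDOMAIN response it rewrites (a query for wwww.f5.com with an SOA in the authority section, as a cache would return it) is constructed inline, not captured traffic. The rewrite keeps the iRule's behaviour exactly: keep the ID and the question, replace the 10 header bytes after the ID, drop everything after the question, append one A record pointing at 200.100.4.10 with the same TTL. Unlike the iRule's loop it stops on a compression pointer and rejects label lengths over 63, and it adds the client-side check a practitioner would use to detect this kind of rewriting: a probe for a name that cannot exist coming back NOERROR with an A record.

```python
import struct

REDIRECT_IP = "200.100.4.10"   # the sample address from the iRule
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QTYPE_SOA = 6
QCLASS_IN = 1
TTL = 0x0D1B                   # 3355 s = 55 min 55 s, as in the iRule

# The 10 header bytes after the ID, as in the iRule's ::header_without_id:
# flags 0x8180 (QR=1, opcode=0, AA=0, TC=0, RD=1, RA=1, Z=0, RCODE=0),
# QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0.
HEADER_WITHOUT_ID = struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)


def encode_name(name):
    """Encode a dotted name as DNS labels with a terminating zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, offset):
    """Return the offset just past the name starting at `offset`.

    Handles a compression pointer (top two bits 11) as a 2-byte terminator
    and refuses label lengths over 63 or absurdly long names, which the
    iRule's fixed 10-iteration loop does not.
    """
    labels = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:
            return offset + 2
        if length > 63 or labels > 127:
            raise ValueError("invalid label")
        offset += 1 + length
        labels += 1


def rewrite_nxdomain(msg, ip=REDIRECT_IP):
    """Return the rewritten message, or `msg` unchanged when not applicable."""
    if len(msg) < 12:
        return msg
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if (flags & 0x000F) != RCODE_NXDOMAIN or qdcount != 1:
        return msg
    qend = skip_name(msg, 12)                  # start of QTYPE
    qtype, qclass = struct.unpack("!HH", msg[qend:qend + 4])
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        return msg                             # AAAA, MX, ... pass through
    # NAME = pointer 0xC00C (offset 12, the QNAME), TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    # keep ID, swap header, keep question (QNAME + QTYPE + QCLASS), drop the rest
    return msg[:2] + HEADER_WITHOUT_ID + msg[12:qend + 4] + answer


def build_nxdomain_response(txid, qname, qtype=QTYPE_A):
    """Constructed sample (not captured): the NXDOMAIN a recursive resolver
    hands back. flags 0x8183 = QR, RD, RA, RCODE 3; no answers; one SOA for
    the parent zone in the authority section. Names under f5.com are made up."""
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    soa_rdata = (encode_name("ns1.f5.com") + encode_name("hostmaster.f5.com")
                 + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
    authority = (encode_name("f5.com")
                 + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 300, len(soa_rdata))
                 + soa_rdata)
    return header + question + authority


def parse_first_answer(msg):
    """Return (rcode, ancount, ipv4 string or None) for the first answer RR."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4    # past QTYPE and QCLASS
    if ancount == 0:
        return flags & 0xF, ancount, None
    offset = skip_name(msg, offset)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    rdata = msg[offset + 10:offset + 10 + rdlen]
    ip = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else None
    return flags & 0xF, ancount, ip


def probe_looks_rewritten(msg):
    """Client-side detection: the response to a probe for a name that cannot
    exist is NOERROR and carries an A record, the fingerprint of this rewrite."""
    rcode, ancount, ip = parse_first_answer(msg)
    return rcode == 0 and ancount >= 1 and ip is not None
```

The detection check is what the note above is warning about in practice: any client that resolves a random label and still gets an A record knows the resolver path is rewriting NXDOMAIN, and software that treats "does not resolve" as a signal (spam blacklists, typo checks, captive-portal detection) will be misled.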

Download: F5-DNS-hijacking configuration


Responses to "(Repost) DNS hijacking configuration"

  1. gaojinbo Says:

    good


  2. Changfeng Says:

    Came in to learn. I'm working on this right now, but I don't dare to just go ahead and do it!!

