| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:dpi:dpi_options:dns_substitution [2025/07/24 13:02] – elena.krasnobryzh | en:dpi:dpi_options:dns_substitution [2025/08/13 10:55] (current) – elena.krasnobryzh |
|---|
| {{tag>Services "Service 19" "DNS Spoofing" "DNS Response Substitution"}} | {{tag>Services "Service 19" "DNS Spoofing"}} |
| {{indexmenu_n>16}} | {{indexmenu_n>16}} |
| ======DNS Response Spoofing====== | ======DNS Query Processing and DNS Response Spoofing====== |
| =====Purpose===== | =====Purpose===== |
| The DNS response spoofing service allows modifying IP addresses returned by the DNS server for specific domain names. This enables overriding IP addresses in server responses for certain types of DNS queries specified in the service configuration.\\ | The DNS response spoofing service allows modifying IP addresses returned by the DNS server for specific domain names. This enables influencing DNS server responses by redefining IP addresses in server responses for certain types of DNS queries specified in the service settings.\\ |
| This service is effective for controlling client DNS requests and redirecting them to alternative IP addresses. It is used to balance traffic to certain resources between different servers based on IP address. | This service is effective for controlling client DNS queries and redirecting them to alternative IP addresses. It is used for load balancing traffic of specific resources between different servers based on IP address. \\ [[en:dpi:dpi_options:opt_li:li_ipfix#configuring_the_export_of_dns_responses_or_dns_queries|Description of DNS query and response export configuration]]. |
| |
| ====Service Operation Scheme==== | ====Service Operation Scheme==== |
| - The client makes a specific type of query to the DNS server (e.g., type A). | - The client makes a specific type of query to the DNS server (e.g., type A). |
| - DPI sees the query and checks if the spoofing service is assigned for this client (IP source) for a specific resource. If blocking is configured for that query type, DPI simply drops the DNS query with that specific record type. | - DPI analyzes all DNS queries and checks whether the spoofing service is assigned for this client (source IP) for a specific resource. If blocking is configured for this query, DPI simply drops the DNS query with the specific record type. |
| - If the service is assigned, DPI drops the original client DNS query and generates a DNS server response based on the rules specified in the service. | - If the service is assigned, DPI drops the client's original DNS query and forms a DNS server response according to the rules specified in the service. |
| - DPI forwards the modified response to the client. The client is unaware of the modification and treats the response as legitimate. | - DPI redirects the modified response to the client. The client doesn't notice the modification and considers the response legitimate. |
| |
| Supported DNS record types: | Supported DNS record types: |
| * ''A'' — IPv4 address (length — 32 bits); | * ''A'' — IPv4 address (32-bit length); |
| * ''AAAA'' — IPv6 address (length — 128 bits); | * ''AAAA'' — IPv6 address (128-bit length); |
| * ''MX'' — txt-record containing information about mail servers handling mail. | * ''HTTPS'' — this record type is designed to provide information about available services operating over HTTPS. It allows specifying alternative endpoints, HTTP/3 support, ClientHello encryption, and non-standard TCP/UDP ports; |
| | * ''MX'' — a TXT record containing information about mail servers handling email. |
| |
| Possible actions for DNS queries: | Possible actions with DNS queries: |
| * ''ya.ru HTTPS #drop'' — DPI drops the DNS query with HTTPS record type | * ''ya.ru HTTPS #drop'' — DPI drops the DNS query with HTTPS record type |
| * ''ya.ru A #nxdomain'' — DPI sends a response indicating the domain does not exist | * ''ya.ru HTTPS #nxdomain'' — DPI responds that the domain doesn't exist for the DNS query with HTTPS record type |
| * ''mail.ru MX smtp.googlemail.com'' — in this case, for a query to mail.ru with ''MX'' type, the response should indicate that mail.ru has a mail server at smtp.googlemail.com with a ''preference'' of 10. | * ''ya.ru A #nxdomain'' — DPI sends a response about the non-existence of the domain with A record type |
| | * ''mail.ru MX smtp.googlemail.com'' — in this case, for a mail.ru query with ''MX'' type, the response should indicate that the mail.ru domain has a mail server at smtp.googlemail.com with a ''preference'' of 10. |
| =====Configuration===== | =====Configuration===== |
| - Create a text file and add DNS spoofing rules specifying the domain name, DNS record type, and IP address to be returned for that domain. Wildcard domains with * are supported. <code bash>vi test.txt | - Create a text file and add DNS query processing rules, specifying: domain name, DNS record type, either an action or IP address, or domain for MX record type that will be included in the response for this domain. Wildcard ''*'' is supported for domains. <code bash>vi test.txt |
| google.com A 192.0.2.1 | google.com A 192.0.2.1 |
| test.ru A #nxdomain | test.ru A #nxdomain |
| mail.ru MX smtp.googlemail.com | mail.ru MX smtp.googlemail.com |
| </code> | </code> |
| - Convert the text file to binary format using the ''dns2dic'' utility, which is readable by DPI:<code bash>cat test.txt|dns2dic test.bin</code> | - Convert the text file to a binary format understandable by DPI using the ''dns2dic'' utility:<code bash>cat test.txt|dns2dic test.bin</code> |
| - Place the resulting binary file in the directory where DPI will read it from:<code bash>cp test.bin /var/lib/dpi/dns.bin</code> | - Place the resulting binary file in the directory where DPI will read it from:<code bash>cp test.bin /var/lib/dpi/dns.bin</code> |
| - Create a service profile:<code bash>fdpi_ctrl load profile --service 19 --profile.name test_193 --profile.json '{ "dns_list" : "/var/lib/dpi/dns.bin" }'</code> | - Create a service profile:<code bash>fdpi_ctrl load profile --service 19 --profile.name test_193 --profile.json '{ "dns_list" : "/var/lib/dpi/dns.bin" }'</code> |
| ''max_profiles_serv19'' — setting for the maximum number of profiles. Default is 32. | ''max_profiles_serv19'' — setting for the maximum number of profiles. Default is 32. |
| |
| <note tip>By default, the DNS response is sent to the interface from which the query originated (IN interface where the query came from). Sending to the OUT interface is relevant in DPI's asymmetric mode (outbound traffic only). Configurable in ''fastdpi.conf'' with the parameter ''emit_direction=2''</note> | <note tip>By default, the DNS response is sent to the interface from which the query originated (IN interface where the client query was received). Sending to the OUT interface is relevant for asymmetric DPI operation mode (only on outgoing traffic). Configured in ''fastdpi.conf'' with the ''emit_direction=2'' parameter</note> |
| |
| =====Management===== | =====Management===== |
| <code bash>fdpi_ctrl [command] --service 19 [options list] [login or vchannel]</code> | <code bash>fdpi_ctrl [command] --service 19 [options list] [login or vchannel]</code> |
| |
| Enable the service: | Enable service: |
| <code bash>fdpi_ctrl load --service 19 --profile.name test_193 --login test | <code bash>fdpi_ctrl load --service 19 --profile.name test_193 --login test |
| #or | #or |
| fdpi_ctrl load --service 19 --profile.name test_193 --vchannel 1</code> | fdpi_ctrl load --service 19 --profile.name test_193 --vchannel 1</code> |
| |
| Disable the service: | Disable service: |
| <code bash>fdpi_ctrl del --service 19 --profile.name test_193 --login test | <code bash>fdpi_ctrl del --service 19 --profile.name test_193 --login test |
| #or | #or |
| fdpi_ctrl del --service 19 --profile.name test_193 --vchannel 1</code> | fdpi_ctrl del --service 19 --profile.name test_193 --vchannel 1</code> |
| |
