Solved

Is there a Local transparent dns proxy application ?

Posted on 2014-03-27
1,042 Views
Last Modified: 2014-05-08
I'm not an expert in networking, but I have some knowledge.

I have a question about local DNS applications like DNSChef and Acrylic, which are local DNS proxies used for caching DNS records.

Is it possible to develop a similar application that runs without setting 127.0.0.1 in my network configuration? The goal of this proxy is to intercept all Windows DNS requests and forward them to a specific DNS server, and also to intercept the response and read it.

I read about transparent DNS proxies, which are implemented at the ISP level, not locally.
Question by:DeepZo
10 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 39960741
Please clarify what you mean.

127.0.0.1 is a local loopback and does not need to be set.
I believe what you are talking about when using DNSchef or Acrylic is that you need to alter the DNS records in the IP settings to point to 127.0.0.1; otherwise the DNS resolution requests go to the wrong DNS servers.

The issue you are trying to address is in no way related to DNSchef nor is it with Acrylic or any other DNS proxy application.

It seems what you are asking for is a way to override all other applications to send their DNS requests to 127.0.0.1, where you have DNSchef or Acrylic running, versus the name server records defined on the system.

If you are the admin of a network, you can through DHCP configure the clients to direct their DNS requests to your configured DNS server, which can be running any DNS application you choose.

If you want to write an application that presumes that there is a local DNS running, you can of course hard code it into the DNS portion of your application code versus relying on established/existing API interfaces to said tools.
Learn the DNS protocol, then use sockets to establish a connection to local port 53, if it exists. Create the requisite data packet to transmit the initial request; once you receive a response, cycle through until you get the answer you need, passing it on to your application.
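One way to carry out the packet-level steps arnold describes (build a query, send it to a chosen resolver, parse the answer), as an added example that is not code from this thread nor from DNSChef or Acrylic. The upstream address 192.0.2.53 is an assumed placeholder, and the response bytes at the end are constructed so the parser can be exercised offline.

```python
import socket
import struct
def build_query(name, txid=0x1234):  # recursive A/IN query, RFC 1035 wire format
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg, off):  # decode a possibly compressed name -> (name, next offset)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where the field ends
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):  # id, rcode and answer records of a DNS reply
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata
        answers.append((name, "A" if rtype == 1 else rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}

def resolve_via(name, upstream=("192.0.2.53", 53), timeout=3.0, txid=0x1234):
    # Send the query to the chosen resolver (placeholder address) and check the reply id
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), upstream)
        parsed = parse_response(s.recvfrom(4096)[0])
    if parsed["id"] != txid:
        raise ValueError("response id does not match query")
    return parsed

# Constructed sample reply (not captured traffic): example.com A 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A local forwarder would wrap `resolve_via` behind a UDP listener on port 53 and log what `parse_response` returns; as the replies below note, the system still has to be pointed at that listener for its queries to arrive there.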
 
LVL 61

Expert Comment

by:btan
ID: 39960751
Agree that coding it locally into the app code is the safest means if you really want it to loop with the machine. There is mention on TechNet of explicitly configuring loopback on the NIC card:

Configure adapter settings to add the loopback IP address to the list of DNS servers on all active interfaces, but not as the first server in the list.
Configure network adapters on this DNS server to use the loopback address (127.0.0.1, 0:0:0:0:0:0:0:1, or ::1) as one of the DNS servers, but not as the first DNS server on the list. If the loopback address is configured as the first DNS server, then configure another DNS server first.
 
LVL 76

Expert Comment

by:arnold
ID: 39960762
I think the asker is actually looking to install DNSchef or Acrylic and have it "divert any and all requests on port 53" to this application without making any changes.

You could look at the IP security policy MMCs to see whether you can set a policy that deals with diverting requests on port 53 to any external resource, with the exception of dnschef/acrylic, to localhost:53.
The difficulty with network-based diversion is how the policy will distinguish a request from application1 versus dnschef.
 
LVL 61

Expert Comment

by:btan
ID: 39961346
Noted. Straight off, changing the hosts file will be the most direct, but as mentioned the aim is to achieve this w/o changing the existing machine configuration as much as possible. Then it is likely running a fake DNS server like dnschef. Acrylic, if I am not wrong, has its own hosts file and you need to set Preferred DNS Server -> 127.0.0.1

Ideally these apps w/o installation are supposed to respond to all DNS queries with the specified IP address, logging the details of the received requests and transmitted responses. But that does not always work, as these apps or tools attempt to automatically configure your local system to use localhost as the DNS server. Hence the final resort (or be prepared) is to still manually modify your DNS settings for localhost to work reliably as you want it.

Unless it is a service developed to touch the kernel level or hardcoded into the app to use localhost, an external type of "fakedns" still needs to touch the machine's DNS settings to work reliably. Also we must note that the use of a DNS proxy is recommended in situations where it is not possible to force an application to use some other proxy server directly.
 

Author Comment

by:DeepZo
ID: 39962060
As arnold said:
I think the asker is actually looking to install DNSchef or acrylic and have it "divert any and all requests on port 53" to this application without making any changes.

That's what I need, and it's not important to use DNSChef or Acrylic; I mentioned them as examples.

So, the question again is:

I need an application that diverts all requests on port 53 and forwards them to a specific DNS IP; at the same time this application should read all responses.
 
LVL 76

Expert Comment

by:arnold
ID: 39962083
The only means by which this can be done is for the application to insert itself within the network interface and kernel; the short answer is that there is no such application that you can customize.

Short of using netsh, VBScript or PowerShell scripts to remove the existing name server while adding another, which requires that the person under whose credentials the script runs has the requisite rights to make such a change, it is not possible on a computer-by-computer basis. You can of course achieve this on the outside firewall, where you can configure the firewall to reroute any outgoing port 53 requests, with the exception of the system with your preferred DNS service, to this preferred DNS server.
 

Author Comment

by:DeepZo
ID: 39962446
So how can software firewalls control outbound and inbound traffic?
 
LVL 76

Expert Comment

by:arnold
ID: 39962650
They are placed in the kernel closest to the interface,

and have the required hooks into the kernel/device layer.

You are looking for an application to overwrite kernel and other applications' settings.
Effectively you are trying to find an application that can "hijack" the local traffic on the computer.
 
LVL 61

Expert Comment

by:btan
ID: 39962972
As I have mentioned, to do the diversion you need to be at the kernel to layer on the TCP stack, and firewalls and AV do that, even Wireshark. Another possibility is dnsspoof:

https://code.google.com/p/libcrafter/wiki/DNSSpoofing

The following program does several things.

First we define the IP addresses of the DNS server (if the server is not on the LAN, it must be the address of the router) and the victim along with the keywords for DNS poisoning (contained in the spoof_list STL map: "google" and "proxy") and the false IP associated to each one of them.

Second, we perform an ARP Poison attack and spawn a sniffer listening to UDP traffic with a port equal to 53 (default for DNS). At this point, all traffic from the victim should be going through our machine. Therefore, IP forwarding is activated and we use IPTABLES to block all the UDP traffic with a source or destination port equal to 53.
In other words, all data going back and forth between the DNS server (192.168.1.1) and the victim (192.168.1.8) will be redirected correctly (through our kernel) except for the DNS traffic. The sniffer is responsible for processing it (through the DNSSpoofer function).

NOTE: Remember that libcrafter doesn't mind about local firewall rules. The sniffer will catch the DNS traffic even though the kernel is not processing/forwarding it.
 
LVL 61

Accepted Solution

by:btan (earned 500 total points)
ID: 39962989
Actually there is another means w/o really going into the kernel: injecting into a targeted process, such as this example on DnsHijack, hooking the application's DNS lookup call and changing it when the response comes back from the system...quite "unorthodox".

DnsHijack works by injecting a DLL into the Firefox process and hooking the gethostbyname function using the Detours library available from Microsoft Research. gethostbyname is the Winsock function that will be called by Firefox when it needs to perform a DNS lookup.