Wednesday, May 9, 2012

Round Robin DNS redirect in OpenBSD

Redirect all DNS requests from the internal network to a pool of trusted DNS servers (in this case OpenDNS), whichever resolver the client asked for.

Configuration in /etc/pf.conf (the inside_if macro and the <allowed> table are defined elsewhere in the ruleset):

dns_servers = "{ 208.67.222.222 208.67.220.220 }"
pass in quick on $inside_if proto udp from <allowed> to any port 53 rdr-to $dns_servers round-robin 

You might also want to add sticky-address so that a given client keeps talking to the same DNS server [1] (not needed in my case)

Capture on the internal interface (rtw0), where the client still believes it is talking to 8.8.8.8:

# tcpdump -ni rtw0 'port 53 and host ( 8.8.8.8 )'
17:44:46.295443 192.168.127.36.37796 > 8.8.8.8.53: 22244+ A? toneji.to. (31)
17:44:46.384365 8.8.8.8.53 > 192.168.127.36.37796: 22244 1/0/0 A 67.215.65.132 (47)

Capture on the external interface (xl0), where the same query (transaction ID 22244) leaves towards the pool:

# tcpdump -ni xl0 'port 53 and host ( 208.67.220.220 or 208.67.222.222 )'
17:44:46.295561 10.0.2.2.59847 > 208.67.220.220.53: 22244+ A? toneji.to. (31)
17:44:46.384302 208.67.220.220.53 > 10.0.2.2.59847: 22244 1/0/0 A 67.215.65.132 (47) (DF)

This means that *any* DNS request will be forwarded to our trusted DNS servers (Thanks OpenDNS). Note that the rule above matches UDP only; DNS over TCP (port 53) would need a matching tcp rule if you want it redirected too.
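To confirm the redirect is working across more than one query, the two captures can be correlated by DNS transaction ID and query name: every query seen on the inside interface should reappear on the outside interface with a destination in the pool, and the pool members should alternate. The script below is an added example (not part of the original post); it parses tcpdump -n output in the format shown above, using the two lines from the post plus a few constructed lines (including one deliberately "leaked" query sent straight to 9.9.9.9) as sample input.

```python
import re
from collections import Counter

# Trusted resolver pool from the dns_servers macro in the pf.conf above.
DNS_POOL = {"208.67.222.222", "208.67.220.220"}

# Matches tcpdump -n query lines such as:
# 17:44:46.295443 192.168.127.36.37796 > 8.8.8.8.53: 22244+ A? toneji.to. (31)
# Response lines (server port 53 as source) do not match because the
# destination port is the client's ephemeral port, not 53.
QUERY_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53:\s+"
    r"(?P<txid>\d+)\+?\s+(?P<qtype>\w+)\?\s+(?P<qname>\S+)"
)

# Constructed sample captures: the first query of each list is the one from the
# post; the rest are made up to exercise round-robin and a leak.
INSIDE_LINES = [
    "17:44:46.295443 192.168.127.36.37796 > 8.8.8.8.53: 22244+ A? toneji.to. (31)",
    "17:44:46.384365 8.8.8.8.53 > 192.168.127.36.37796: 22244 1/0/0 A 67.215.65.132 (47)",
    "17:44:47.101002 192.168.127.36.40001 > 1.1.1.1.53: 22245+ A? example.com. (29)",
    "17:44:47.902113 192.168.127.40.50100 > 8.8.4.4.53: 22246+ AAAA? example.org. (29)",
    "17:44:48.003221 192.168.127.99.51000 > 9.9.9.9.53: 22247+ A? leak.example. (30)",
]
OUTSIDE_LINES = [
    "17:44:46.295561 10.0.2.2.59847 > 208.67.220.220.53: 22244+ A? toneji.to. (31)",
    "17:44:46.384302 208.67.220.220.53 > 10.0.2.2.59847: 22244 1/0/0 A 67.215.65.132 (47) (DF)",
    "17:44:47.101110 10.0.2.2.59848 > 208.67.222.222.53: 22245+ A? example.com. (29)",
    "17:44:47.902200 10.0.2.2.59849 > 208.67.220.220.53: 22246+ AAAA? example.org. (29)",
    # This host was not in <allowed>, so its query left unredirected.
    "17:44:48.003300 10.0.2.2.59850 > 9.9.9.9.53: 22247+ A? leak.example. (30)",
]


def parse_queries(lines):
    """Return {(txid, qname): destination IP} for every DNS query line."""
    out = {}
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            out[(m.group("txid"), m.group("qname"))] = m.group("dst")
    return out


def check_redirect(inside_lines, outside_lines, pool=DNS_POOL):
    """Correlate inside and outside queries by (txid, qname).

    'redirected' maps each query to (requested resolver, actual resolver);
    'leaked' lists queries that left for a resolver outside the pool;
    'unmatched' lists inside queries never seen on the outside interface.
    """
    inside = parse_queries(inside_lines)
    outside = parse_queries(outside_lines)
    report = {"redirected": {}, "leaked": [], "unmatched": []}
    for key, requested in inside.items():
        actual = outside.get(key)
        if actual is None:
            report["unmatched"].append(key)
        elif actual in pool:
            report["redirected"][key] = (requested, actual)
        else:
            report["leaked"].append((key, actual))
    return report


def pool_distribution(report):
    """Count how many redirected queries each pool member received."""
    return Counter(actual for _, actual in report["redirected"].values())


if __name__ == "__main__":
    rep = check_redirect(INSIDE_LINES, OUTSIDE_LINES)
    for (txid, qname), (req, act) in rep["redirected"].items():
        print(f"{txid} {qname}: asked {req}, answered by {act}")
    print("pool distribution:", dict(pool_distribution(rep)))
    print("leaked:", rep["leaked"])
    print("unmatched:", rep["unmatched"])
```

On real traffic, feed it the output of the two tcpdump commands from the post (one file per interface); a non-empty "leaked" list means a source that is not in the <allowed> table, or a protocol the rule does not cover, is reaching resolvers directly.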

References:

[1]  http://www.openbsd.org/faq/pf/pools.html

--
  = ^ . ^ =
