Sunday, September 25, 2016

DNS: Resolve different IP depending on source ip address

We can do geo-location based traffic management by using DNS to resolve a name to different IP addresses depending on the source IP address of the client that sends the request.

The following setup is simple, using only iptables and Linux containers (LXC).

1- diagram

client1 -->                                     | container1 (dns1) (10.0.3.32)
                      server(iptables rule) (192.168.202.1)
client2  -->                                     | container2 (dns2) (10.0.3.212)

*** note
container1 and container2 run inside the server that holds the iptables rules


2- install the Linux container tools (lxc)
$ sudo apt-get install lxc

3- create an Ubuntu xenial container
$ lxc-create -n ubuntudns1 -t ubuntu -- --release xenial --mirror http://us.archive.ubuntu.com/ubuntu --security-mirror http://security.ubuntu.com/ubuntu

4- start the newly created container, ubuntudns1, with the following command
$ lxc-start -d -n ubuntudns1

5- to access ubuntudns1, we use either the console or ssh
- console
$ sudo lxc-console -n ubuntudns1

- ssh: we have to look up the container's IP address first with lxc-attach, then we can ssh to that address (the output below was taken on ubuntudns2)
$ lxc-attach -n ubuntudns2 -- ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:18:1b:03 
          inet addr:10.0.3.212  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe18:1b03/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2992 (2.9 KB)  TX bytes:1262 (1.2 KB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:280 (280.0 B)  TX bytes:280 (280.0 B)

6- set up a DNS server on ubuntudns1. We could use bind9 or other software, but in the following I use dnsmasq because it is simpler and quicker
$ sudo apt-get install dnsmasq

- append the following lines to the end of /etc/dnsmasq.conf
address=/test.domain/192.168.202.1
address=/www.test.domain/192.168.202.1
cname=a.test.domain,www.test.domain
cname=mail.test.domain,www.test.domain
mx-host=test.domain,mail.test.domain,50
resolv-file=/etc/resolv.dnsmasq.conf

7- now restart dnsmasq, which finishes the setup on dns1
$ sudo killall dnsmasq
$ sudo dnsmasq

8- for dns2 we can follow steps 3 to 7 and change the IP address of the domain in the dnsmasq configuration file, or we can clone ubuntudns1 as below
$ sudo lxc-clone ubuntudns1 ubuntudns2

- then update the dnsmasq configuration as below
address=/test.domain/192.168.202.25
address=/www.test.domain/192.168.202.25
cname=a.test.domain,www.test.domain
cname=mail.test.domain,www.test.domain
mx-host=test.domain,mail.test.domain,50
resolv-file=/etc/resolv.dnsmasq.conf

9- now that dns1 and dns2 are set up, we implement the iptables rules as below. Resolvers send ordinary queries over UDP and only fall back to TCP for large answers, so the rules must match both protocols; a TCP-only rule leaves normal lookups unredirected
$ sudo iptables -t nat -A PREROUTING -s 192.168.56.0/24  -p tcp --dport 53 -j DNAT --to-destination 10.0.3.32:53
$ sudo iptables -t nat -A PREROUTING -s 192.168.202.0/24  -p tcp --dport 53 -j DNAT --to-destination 10.0.3.212:53
$ sudo iptables -t nat -A PREROUTING -s 192.168.56.0/24  -p udp --dport 53 -j DNAT --to-destination 10.0.3.32:53
$ sudo iptables -t nat -A PREROUTING -s 192.168.202.0/24  -p udp --dport 53 -j DNAT --to-destination 10.0.3.212:53

10- finally, clients in subnet 192.168.56.0/24 will resolve via dns1 and clients in subnet 192.168.202.0/24 will resolve via dns2
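To tie steps 6 to 10 together, here is an added example script (not part of the original post) that drives both halves of the setup from one table: it renders the dnsmasq lines each container needs and emits the host's DNAT rules for every client subnet. It assumes the post's addresses (host 192.168.202.1, containers 10.0.3.32 and 10.0.3.212, answers 192.168.202.1 and 192.168.202.25); two things go beyond the post and are choices of this example: both UDP and TCP are matched, and a `-d` match restricts the rewrite to queries actually addressed to the host, so queries that merely transit this box towards other resolvers are left alone.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates, for a table of
# "client subnet / container IP / answer IP" rows, the dnsmasq config tail for
# each container and the iptables DNAT rules for the host.
# Run with no argument to print everything; run as "sh split-dns.sh apply" as
# root to execute the iptables lines.

HOST_IP="192.168.202.1"          # the address clients send their queries to (from the post)

# Mapping taken from the post: client subnet, container running dnsmasq, answer for test.domain
MAPPING="
192.168.56.0/24  10.0.3.32  192.168.202.1
192.168.202.0/24 10.0.3.212 192.168.202.25
"

# Print the dnsmasq lines (post's step 6) that answer test.domain with the address in $1.
dnsmasq_conf() {
    answer="$1"
    printf 'address=/test.domain/%s\n' "$answer"
    printf 'address=/www.test.domain/%s\n' "$answer"
    printf 'cname=a.test.domain,www.test.domain\n'
    printf 'cname=mail.test.domain,www.test.domain\n'
    printf 'mx-host=test.domain,mail.test.domain,50\n'
    printf 'resolv-file=/etc/resolv.dnsmasq.conf\n'
}

# Print the iptables commands that redirect port-53 traffic from subnet $1 to container $2.
# UDP carries ordinary queries and TCP the fallback for large answers, so both are matched.
# "-d $HOST_IP" is an addition over the post: only queries aimed at this host are rewritten.
dnat_rules() {
    subnet="$1"; container="$2"
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$subnet" "$HOST_IP" "$proto" "$container"
    done
}

# Walk the table. Mode "print" (default) shows the config and the rules; "apply" runs the rules.
render_all() {
    mode="${1:-print}"
    echo "$MAPPING" | while read -r subnet container answer; do
        [ -z "$subnet" ] && continue
        echo "# container $container answers test.domain with $answer; tail of its /etc/dnsmasq.conf:"
        dnsmasq_conf "$answer" | sed 's/^/#   /'
        if [ "$mode" = "apply" ]; then
            dnat_rules "$subnet" "$container" | sh -e
        else
            dnat_rules "$subnet" "$container"
        fi
    done
}

render_all "${1:-print}"
```

After applying, `sudo iptables -t nat -L PREROUTING -n -v` shows the four rules with their packet counters, which is the quickest way to see whether a client's queries are hitting the expected rule; a client in each subnet should then get a different answer from `dig @192.168.202.1 test.domain +short`. The DNAT only acts on packets that arrive at the host from the network (PREROUTING), and it relies on the host forwarding traffic into the container bridge, which the default lxc-net setup already enables for lxcbr0.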

- snapshot (image not reproduced here) of two different clients on different subnets looking up test.domain on the same nameserver, 192.168.202.1, and getting different results

