linux - Dnsmasq not receiving response after TPROXY intercept
I am developing a 'monitor traffic' kind of application on a router, using the TPROXY feature to intercept DNS packets and send them to an application server listening on a port. After processing, the packet is forwarded to its actual destination (i.e., dnsmasq) after modifying the TTL.

JFYI, the firewall rule that TPROXY-forwards DNS response packets to the application server listening on port 2345 looks like this:

    iptables -t mangle -A PREROUTING -i <wan-interface> -p udp --sport 53 -j TPROXY --tproxy-mark 0x3 --on-port 2345

At the application server, without error checks:
    #include <sys/socket.h>
    #include <netinet/in.h>

    int enabled = 1;
    int sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
    setsockopt(sock_fd, SOL_IP, IP_PKTINFO, &enabled, sizeof(int));
    setsockopt(sock_fd, SOL_IP, IP_TRANSPARENT, &enabled, sizeof(int));
    setsockopt(sock_fd, SOL_IP, IP_RECVORIGDSTADDR, &enabled, sizeof(int));
    setsockopt(sock_fd, SOL_SOCKET, SO_REUSEADDR, &enabled, sizeof(int));
    /* client_addr points to the source IP (i.e. the upstream DNS server's IP) */
    bind(sock_fd, (const struct sockaddr *)client_addr, sizeof(struct sockaddr));
    /* dst_addr points to the router IP on the WAN interface */
    sendto(sock_fd, dns_packet_buffer, data_len, 0, (const struct sockaddr *)dst_addr, sizeof(struct sockaddr));

This sendto succeeds, i.e., no error!!! But dnsmasq does not receive the data! To be more precise, the fd on which dnsmasq is waiting for data does not become "ready."

In the dnsmasq code, inside check_dns_listeners:

    for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next)
      if (FD_ISSET(serverfdp->fd, set))
        reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now);

The FD_ISSET() returns false. If I do not intercept the DNS response flow, FD_ISSET() returns true. What am I missing here?
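The question's socket enables IP_RECVORIGDSTADDR but never shows how the original destination is read back out of recvmsg's ancillary data. As an added example (not the asker's code), here is that parse, exercised against a constructed control message standing in for the one the kernel attaches; the cmsg type name IP_ORIGDSTADDR and the sockaddr layout are Linux's, and nothing here opens a real socket.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IP_ORIGDSTADDR
#define IP_ORIGDSTADDR 20 /* Linux value; the cmsg type delivered once IP_RECVORIGDSTADDR is set */
#endif

/* Walk the ancillary data of a datagram received on a TPROXY socket and copy out the
 * original destination (where the packet was headed before TPROXY diverted it to --on-port).
 * Returns 1 on success, 0 when no IP_ORIGDSTADDR control message is present. */
int tproxy_orig_dst(struct msghdr *msg, struct sockaddr_in *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_ORIGDSTADDR &&
            c->cmsg_len >= CMSG_LEN(sizeof *out)) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return out->sin_family == AF_INET;
        }
    }
    return 0;
}

/* Constructed test input: fabricate the control message the kernel would attach for a
 * datagram originally addressed to dst:port, parse it back, and return 1 if it round-trips.
 * With no ancillary data at all (dst == NULL) the parser must report 0, so this returns 0 too. */
int orig_dst_roundtrip(const char *dst, unsigned short port)
{
    struct sockaddr_in want, got;
    union { char buf[CMSG_SPACE(sizeof want)]; struct cmsghdr align; } u; /* keeps the cmsg aligned */
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    memset(&want, 0, sizeof want);
    if (dst) {
        want.sin_family = AF_INET;
        want.sin_port = htons(port);
        if (inet_pton(AF_INET, dst, &want.sin_addr) != 1)
            return 0;
        u.align.cmsg_level = IPPROTO_IP;
        u.align.cmsg_type = IP_ORIGDSTADDR;
        u.align.cmsg_len = CMSG_LEN(sizeof want);
        memcpy(CMSG_DATA(&u.align), &want, sizeof want);
        msg.msg_control = u.buf;
        msg.msg_controllen = sizeof u.buf;
    }
    return tproxy_orig_dst(&msg, &got) && got.sin_port == want.sin_port &&
           got.sin_addr.s_addr == want.sin_addr.s_addr;
}
```

In a real receiver the msghdr comes from recvmsg on the --on-port socket, and the address recovered this way is what you would hand to sendto after the TTL edit.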
Finally found the answer!! Let me put it here in case it is helpful to someone else.

As I had mentioned earlier, the application is running on a router. The router manufacturer had modified the existing dnsmasq code to add an additional option that limits the interface on which to listen for the upstream server! In other words, accept responses from the upstream server only via the given interface (like eth2). From the code's perspective, don't listen on any interface other than eth2! Since the response was coming via 'lo', it wasn't listening!! :)

I restarted dnsmasq without that option and, voila, it works! :)

I wish they had documented it on a public forum! Generic googling works, not reading through 1000s of lines of code!!