DNS is dangerous knowledge to have.

Yes, it's a wonderful, amazing way to solve many problems.

Unfortunately, once you know how it works, you begin to realize how fragile the underpinnings for a lot of other things are.

Worse, once -other- people realize you know it, you get their well-meaning plans to do things that, yes, -can- work, but really oughtn't to see the light of day.

No offense to the fellow who wrote this, but this?

https://github.com/aniruddhas/DNSrouter

This is one of those ideas that, well-meaning though it is, really oughtn't to be implemented.

Please do not rewrite your routing tables based on DNS responses.

[ A solution for the apparent problem this is intended to solve - routing different priority traffic to different gateways - would be to use a pair of SOCKS proxies; whitelist the traffic for the one on an internal resolver & dump the rest to the other; then have your routes send one proxy to one gateway and the other to the other.

This will keep your ops staff from screaming about randomly changing routes. ]

@munin So my understanding is they're trying to route traffic differently depending on who you are and what domain you're trying to get to. Like they're trying to reroute certain people's traffic to certain websites to a different WAN gateway or a local mirror or something?
@geofurb Not certain people's - certain destination traffic, across the whole org, near as I can tell.
@munin Ahhh, gotcha. This would be a lot easier if this guy had commented his code. So they're taking certain websites and passing them to an alternate gateway. What's wrong with doing this by DNS? You're suggesting a SOCKS proxy, but wouldn't that have to be set up on each client?

@geofurb Nah, you just have a single configuration, and pass the requests between the two proxies depending on whether it's in the good group or the other group.

One of the many reasons not to do this his way is that you can screw up your routes -hard- very quickly if you try to do clever dynamic routing like this.

[There are also security problems, but the basic usability one should suffice in most cases]

@munin I don't understand the first part of your message, you're gonna have to use more words and be more specific.

What does it mean to screw up your routes? Hard?

@geofurb What happens when you get a race condition on DNS-initiated routing changes?

I don't know, but it's not going to result in a usable network configuration.

@geofurb

Let's say I hit refresh on worksite.work and playsite.play at the same time. Both DNS requests go out, but the order they come back in is indeterminate - so the order in which the routing changes show up will differ. Now how long does it take for the ipconfig changes to propagate? How many TCP sessions are affected by this?

What happens when you try to apply multiple iptables configs at the same time? :-/