views: 54
answers: 1

Hello,

I have set up a DNS server on a machine. I want to capture the DNS replies before the machine sends them out, change some fields in them, and then send the packet.

I am only able to change fields in the packet my pcap code (written in C) captures, which seems like a copy, as the original packet is also transmitted.

I tried iptables to drop packets originating from the machine, but it drops the pcap injected packets as well.

Is there any way out of this?

Thank you.

Answer (+1):

If you're looking for a pcap-only solution, you're going to have to intercept the DNS request packet, examine it, and assemble the proper reply before the DNS server replies. That doesn't seem really reliable, because if the DNS server has an entry cached it's likely to reply before your custom code to assemble a packet and send it out can finish.

The most reliable way to do this is to write a kernel module that is a netfilter hook. Netfilter hooks are able to examine a packet and influence the handling of it at several points before a packet leaves a machine. Hook it at the NF_IP_LOCAL_OUT level. You can then examine the outgoing packet and see if it is a DNS reply fitting your criteria. This next part I haven't done, but since you have direct access to the skb (socket buffer) as an input parameter to your custom hook function, you could modify the packet right there and return NF_ACCEPT to pass the response along to the client. If you needed to do some processing on the request itself, you could hook into NF_IP_LOCAL_IN instead and handle it any number of ways including passing it off to a userspace program.

There are many examples on Google for Linux kernel programming (search: Linux Kernel Module Programming) and also netfilter hook examples.

John L
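The step John describes inside the hook function (look at the outgoing packet and decide whether it is a DNS reply fitting your criteria) is shown below as an added user-space C example; it is not code from the question, the answer, or any kernel source. It assumes a linear IPv4/UDP/DNS byte buffer in place of the skb, so the netfilter registration itself is omitted, and the sample packets (addresses 192.0.2.x, transaction id 0x1234, name a.example) are constructed for the demonstration. It also shows the part of the job that matters most in kernel context: every header read is bounds-checked before it happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts for the classifier. In a real NF_IP_LOCAL_OUT (NF_INET_LOCAL_OUT on
 * current kernels) hook, DNS_REPLY_MATCH is where you would touch the packet
 * before returning NF_ACCEPT; the others would just return NF_ACCEPT untouched. */
enum dns_verdict { NOT_DNS_REPLY = 0, DNS_REPLY_MATCH = 1, PKT_TRUNCATED = -1 };

struct dns_reply_info {
    uint16_t txid;      /* DNS transaction id */
    uint16_t qdcount;   /* question count */
    uint16_t ancount;   /* answer count */
    uint8_t  rcode;     /* response code, 0 = NOERROR */
    size_t   dns_offset;/* byte offset of the DNS header inside the buffer */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one outgoing IPv4 packet held in pkt[0..len).
 * DNS_REPLY_MATCH: UDP datagram with source port 53 whose DNS header has QR=1.
 * NOT_DNS_REPLY:   anything else that is well-formed.
 * PKT_TRUNCATED:   a header would extend past the buffer; never read it.
 * (In the kernel the same checks guard skb->data; ntohs() replaces rd16.) */
int classify_dns_reply(const uint8_t *pkt, size_t len, struct dns_reply_info *out)
{
    if (len < 20) return PKT_TRUNCATED;
    if ((pkt[0] >> 4) != 4) return NOT_DNS_REPLY;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return PKT_TRUNCATED;
    uint16_t total = rd16(pkt + 2);
    if (total < ihl || total > len) return PKT_TRUNCATED;
    if (pkt[9] != 17) return NOT_DNS_REPLY;                /* protocol != UDP */

    const uint8_t *udp = pkt + ihl;
    if (total - ihl < 8) return PKT_TRUNCATED;
    uint16_t sport = rd16(udp);
    uint16_t ulen  = rd16(udp + 4);
    if (ulen < 8 || ulen > total - ihl) return PKT_TRUNCATED;
    if (sport != 53) return NOT_DNS_REPLY;                 /* not from a resolver */

    const uint8_t *dns = udp + 8;
    if (ulen - 8 < 12) return PKT_TRUNCATED;               /* DNS header is 12 bytes */
    uint16_t flags = rd16(dns + 2);
    if (!(flags & 0x8000)) return NOT_DNS_REPLY;           /* QR=0: a query, not a reply */

    if (out) {
        out->txid = rd16(dns);
        out->qdcount = rd16(dns + 4);
        out->ancount = rd16(dns + 6);
        out->rcode = (uint8_t)(flags & 0x0f);
        out->dns_offset = ihl + 8;
    }
    return DNS_REPLY_MATCH;
}

/* Constructed sample builder: IPv4 (no options) + UDP + payload. Checksums are
 * left zero because this is test data, not something handed to a NIC. */
static size_t build_ipv4_udp(uint8_t *buf, size_t cap, uint16_t sport, uint16_t dport,
                             const uint8_t *payload, size_t plen)
{
    static const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    size_t total = 20 + 8 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                  /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                                    /* TTL */
    buf[9] = 17;                                    /* UDP */
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    uint8_t *udp = buf + 20;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)(sport & 0xff);
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)(dport & 0xff);
    udp[4] = (uint8_t)((8 + plen) >> 8); udp[5] = (uint8_t)((8 + plen) & 0xff);
    memcpy(udp + 8, payload, plen);
    return total;
}

/* Constructed reply: txid 0x1234, flags 0x8180 (QR, RD, RA), one question for
 * a.example/A/IN, one answer a.example A 192.0.2.10 TTL 60. 43 bytes of DNS. */
size_t build_sample_reply(uint8_t *buf, size_t cap)
{
    static const uint8_t dns[] = {
        0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
        1,'a', 7,'e','x','a','m','p','l','e', 0, 0x00,0x01, 0x00,0x01,
        0xc0,0x0c, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3c, 0x00,0x04, 192,0,2,10
    };
    return build_ipv4_udp(buf, cap, 53, 49152, dns, sizeof dns);
}

/* Constructed query for the same name: flags 0x0100 (QR=0, RD), no answers. */
size_t build_sample_query(uint8_t *buf, size_t cap)
{
    static const uint8_t dns[] = {
        0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
        1,'a', 7,'e','x','a','m','p','l','e', 0, 0x00,0x01, 0x00,0x01
    };
    return build_ipv4_udp(buf, cap, 49152, 53, dns, sizeof dns);
}

int main(void)
{
    uint8_t buf[128];
    struct dns_reply_info info;
    size_t n = build_sample_reply(buf, sizeof buf);
    printf("reply  -> %d (txid=0x%04x an=%u rcode=%u)\n",
           classify_dns_reply(buf, n, &info), info.txid, info.ancount, info.rcode);
    size_t q = build_sample_query(buf, sizeof buf);
    printf("query  -> %d\n", classify_dns_reply(buf, q, NULL));
    n = build_sample_reply(buf, sizeof buf);
    printf("cut@30 -> %d\n", classify_dns_reply(buf, 30, NULL));  /* buffer shorter than IP total length */
    return 0;
}
```

The truncation verdict is the part to carry over verbatim into a hook: a packet whose IP total length or UDP length disagrees with what is actually in the buffer is exactly the input that turns an unchecked `skb->data` read into a kernel crash, so the hook should check lengths first and only then look at ports and the QR bit. The `dns_offset` field marks where any later field edit would begin; if the DNS payload is edited in place, the UDP checksum must be recomputed or zeroed (zero is permitted for UDP over IPv4) before returning NF_ACCEPT.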