Slashdot Mirror
Selective DNS Caching/Forwarding
MaestroRC asks: "I've been looking around online, and I have found several people wanting to do the same thing, but no one seems to have figured it out yet. What I am wanting to do (and before you go further, understand this is for work, i.e.: no innocent people will be harmed in the implementation) is to set up a name server that selectively forwards queries. For example, I would like to create a list of acceptable domains (less than 20) using wildcards such as *.google.com, that the name server will forward a query on to and reply to normally. For anything not in the list, I want it to reply NXDOMAIN or some such.
I've looked at BIND, and there doesn't appear to be a way to do what I'm wanting; it can either have recursion on or off, and any specific zones of type forward still do not forward if it is off. The solution doesn't have to be pretty, and it can just be a simple DNS proxy, but I'm not adept at coding, so it needs to be installable by a regular sysadmin on Linux. Has anyone heard of something like this?"
It won't work for the simple reason that you need dns glue, and you can't control where the glue will come from.
I'm not a Linux person, but I know a way you could do this with Windows Server 2003 DNS Server...
It has an option called "conditional forwarding" where you can forward anything ending with "example.com" to the DNS server x.x.x.x - just set up the DNS server and then set conditional forwarding of the domains you want to allow to a real DNS server.
We use this for setting up trusts between separate Active Directories but it could conceivably be used for this purpose as well.
"I want to get more into theory, because everything works in theory." -John Cash
I think you could do that easily with D.J.Bernstein's djbdns. Install dnscache and just remove root/servers/@ (or point it to a non-existent address) and configure the root/servers/DOMAINS you need. Of course, you'll have to track by hand changes on the IP addressess of those servers, but they shouldn't really change a lot that often.
Many applications use various routines within the C library on a system to resolve hostnames.
I don't know how glibc handles it, but on FreeBSD one could hack the res_*() and dn_*() functions to add the functionality you require.
Why not just use packet filtering to drop DNS packets from your DNS caching server that do not contain the whitelisted domains in their payload? Your DNS caching daemon would just temporarily fail.
I stumbled upon this link you may be able to pull the electronic version of the book from somewhere... I don't know if this helps.
That which does not kill me only postpones the inevitable.
I tried to do something similar to this once. In BIND, you can define a zone called "." In there, add a record "* IN A 127.0.0.1" (this isn't really NXDOMAIN, but it does prevent people from getting places :)). Then create forward zones for each domain you want to resolve properly.
... then it'll probably suffice.
There are [at least] 2 problems with this. 1) You have to keep the forwarders up to date for the zones you list. 2) If google decides to make www.google.com a CNAME for www.google.akamai.net (OK, Google probably wouldn't do this, but Apple, Microsoft, etc do) and you don't have that other domain defined in a forward zone, it ain't gonna work.
I also wrote a perl script to do what you want. It's really quite simple with a couple modules from CPAN. But, it's not suitable for any sort of remotely demanding DNS environment. If it's just for your kid's computer
If you check out NetReg, in the download and installation instructions they have steps on how to set up forwards like this. NetReg uses it to require people to register their MAC address. Anyone not registered is forwarded to the registration page, but it would be simply to modify it using their example. We use NetReg at our university, and I am working expanding some of its functionality for my senior project.
I'm not sure if Posadis will meet your requirements or not. See here: http://posadis.sourceforge.net/
.
Something else to look into is this code written in Visual Basic* - please don't laugh - I've been using a hacked version for some time now to cache results and to pass certain lookups through tor_resolve. Url: http://www.csh.rit.edu/~jon/projects/caching_dns/
(If the author is reading this I've been meaning to say "thanks"!)
This might not work as requested but it works for my home network and parenting needs.
pdnsd
__________________________________
Free your mind - Flush your toilet
ATT invented some technology that does this, several years ago, but it was never released into the public domain. Their implementation was intended to operate as a DNS proxy which rewrote DNS replies so that no "internal" user ever received references to "external" hosts; given this functionality, filtering would be fairly simple.
add a record "* IN A 127.0.0.1" (this isn't really NXDOMAIN, but it does prevent people from getting places :)).
It gets mighty confusing if you're running a web server locally. Like my Mac does. And I have taken it onto networks that like sending you to 127.0.0.1. And wondered why I was getting my own website.
Can use winroute (kerio package) to act as a DNS only, have it default deny, then make up the wildcards you want (yes, it supports standard * and ! wildcards).
eg
*.google.com
www!.yourworkdomain.com
*sourceforge.net
...
So set it to something other than 127.0.0.1 -- 127.0.0.2 for example :)
Even better set it to the IP of a webserver that throws up an information page explaining why you can't browse to the site you're trying to visit, and who to contact if you think it's a mistake/problem.
Of course that won't help anything other than web traffic, but I'm guessing that's the main point of this exercise.
"Don't break my arse, my bargey wargey arse, I don't think my pants would understand..."
Forget the whole 127.0.0.1 game playing, this is VERY simple with BIND
Simply create zones for the domains you want to forward on to be looked up as type forward and disable the "." zone
And since when did Ask Slashdot become an IT troubleshooting forum?
Slashdot has always been an IT troubleshooting forum. What else are you going to do with it? Drink beer? I admit, beer and tacos are a good mix.
Forwarding requires recursion turned on. However, you can set up internal root nameservers which have a trimmed-down version of the DNS namespace, and also slave the zones you're interested in. This can be done very well with BIND.
Hi Slashdot. A friend of mine has been hitting on me for a few weeks now. And while I like him, his advances makes me uncomfortable. How do I tell him that I don't want a relationship, without damaging the friendship that we share?
Yo Slashdot. I've got this yellowish reddish spot. It's about the size of a quarter, and it's getting bigger. And it's all puffy and stuff. It's right on the back of my knee, but it doesn't really hurt. Should I be worried?
Hello. I'm going to Bill's house for a party, so I thought I'd bring a bottle of Castello di Borghese 71. But dear Muffy says that Bill just returned form the Promise clinic, and has to stay clean. What else should I bring to a party instead of wine? A dog or something?
I have a 1989 chevy K2500 that has a vacuum problem. truck runs very rough at idle. has a new egr valve that is working properly, new egr solenoid, all vacuum lines are good, everything is working like it is supposed to except that i am getting almost twice the vacuum to the egr than it is supposed to get. has anyone seen this problem before or any tips? thanks alot!
The ______ Agenda
Take a look at the "view" option in bind. You can set the internals up so that you only answer for selective things depending on who is asking. It is a bit tricky, but extremely powerfull.
What's the use in alowing google and not alowing the sites it links to?
I assume you will try to block google cache somehow, otherwise the workaround is rather easy as well...
Sig (appended to the end of comments I post, 54 chars)
Since you're trying to filter people's web access, and block teh pr0n, I'd say you should look into decent web caching software. Something like Squid surely has a way to only allow certain URLs.
I want to delete my account but Slashdot doesn't allow it.
Actually, the reserved localhost network is a full class-A, 127.x.x.x, so sending to 127.0.0.2 will have the same result on most clients.
09
Wouldn't a proxy server be better suited to this?
Dnsmasq is the easiest DNS server you will ever encounter. Ever. It's not meant to be a DNS server though, it's actually "just" a caching/forwarding dns query thingie. But you can define hosts and IPs in a hosts file, serve DHCP, do dynamic dns, filter queries, etc.
Basically you map in the domains you want to forward, and then make a wildcard record that points to 127.0.0.1 or something. I can't remember the syntax off the top of my head but it should be possible. If not that, just play with bind configuration for a couple days.
Twisted DNS should be pretty customizable, although your "I'm not adept at coding" will probably make it hard for you. Still, I throw it out there, in case someone else has an application that requires customized DNS. From a cleanliness and safety aspect, it's sure a better starting point than BIND.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
... that I'm glad this isn't (apparently) too easy to do? It should always be hard to break standards, especially on the Internet. Otherwise, the next thing you know, when powerful interest groups (think MPAA, RIAA, et al.) get large ISPs (think AOL, Comcast, et al.) in their back pockets... well, I think you can guess what happens next.
Break this! *obscene hand gesture*
Despite what EULAs say, most software is sold, not licensed.
I'll bet you are locked in to some specific Windows applications.
You really need to look into a proper solution, which would be migrating to a more secure OS like Linux.
You are being MICROattacked, from various angles, in a SOFT manner.
Real men use 4.2.2.1 & 4.2.2.2 as DNS servers so that you can't deprive them of pr0n.
My daughter had an online class. The class required IE, Flash, JS, and other holes in security counter to my web browsing guidelines. To prevent it becoming a melted down bot, I pointed it's network setting for DNS to localhost instead my residential gateway. (I know, I just broke the web) I then manualy put just the 7 required sites in the hosts file with correct URL addresses. The end result was the school sites worked and nothing else did. The online course worked like a charm without getting owned. The cavot is the machine could not be used for both homework and web browsing.
The truth shall set you free!
127.0.0.2 is, in any decent stack, also localhost. Actually 127/8 should all point to localhost, and is explicitly reserved for this use.
The IP-of-a-webserver is a decent approach, though. So long as said server has the rest of its ports explicitly closed, not stealthed.
I imagine dnscache (djbdns recursive name server) could do this.
/var/services/dnscache/root/servers/@,
/dev/null > @ /var/services/dnscache
... etc.
I'd try deleting all the entries in
and adding files named as the domains you want to look up, containing only
the IP address(es) of the name servers you want to forward to.
Nuking that @ file appears to give you the NXDOMAIN error like you desire:
[root@blah servers]# cat
[root@blah servers]# svc -h
[root@blah servers]# host www.monster.com 192.168.1.1
Using domain server 192.168.1.1:
Host not found, try again.
If you have a name server to forward to, say at "192.168.1.2" you just need to do
the following:
echo 192.168.1.2 > monster.com
echo 192.168.1.2 > google.com
echo 192.168.1.2 > slashdot.org
I just thought of something... (Actually, I had to go to bed first...and THEN realize this) The IP addresses you put into the domain-named files have to be authoritative name servers. So, whatever you get from a 'host -t ns slashdot.org' has to be in the "slashdot.org" file, etc. Make sure you use IP addresses, and not the hostnames for obvious reasons. OK, back to bed...