Selective DNS Caching/Forwarding
MaestroRC asks: "I've been looking around online, and I have found several people wanting to do the same thing, but no one seems to have figured it out yet. What I am wanting to do (and before you go further, understand this is for work, i.e.: no innocent people will be harmed in the implementation) is to set up a name server that selectively forwards queries. For example, I would like to create a list of acceptable domains (less than 20) using wildcards such as *.google.com, that the name server will forward a query on to and reply to normally. For anything not in the list, I want it to reply NXDOMAIN or some such.
I've looked at BIND, and there doesn't appear to be a way to do what I'm wanting; it can either have recursion on or off, and any specific zones of type forward still do not forward if it is off. The solution doesn't have to be pretty, and it can just be a simple DNS proxy, but I'm not adept at coding, so it needs to be installable by a regular sysadmin on Linux. Has anyone heard of something like this?"
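As an added example, not code from the thread, here is the "simple DNS proxy" the question mentions, in Python with only the standard library: it parses the question name out of a UDP query, matches it against a wildcard allowlist in the *.google.com style, forwards matching queries unchanged to an upstream resolver, and answers everything else with NXDOMAIN. The allowlist, the upstream address 192.0.2.53 and the listen port 5353 are placeholder assumptions. Note that it filters on the query name only; a CNAME inside a forwarded answer that points outside the allowlist is passed through untouched.

```python
"""Selective-forwarding DNS proxy (UDP), added example with stdlib only.

Names matching ALLOW are forwarded unchanged to UPSTREAM; every other
query is answered NXDOMAIN immediately. Filtering is on the query name
only: a CNAME inside a forwarded answer is passed through untouched.
"""
import socket
import struct

ALLOW = ["*.google.com", "example.com"]   # assumed allowlist, asker's wildcard style
UPSTREAM = ("192.0.2.53", 53)              # assumed upstream resolver (documentation range)
LISTEN = ("0.0.0.0", 5353)                 # assumed listen address; use port 53 for real


def parse_question(pkt):
    """Return (qname, qtype, qclass, end_offset) for a single-question DNS message."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                       # compression pointers are not valid here
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + n].decode("ascii").lower())
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def is_allowed(qname, allow=ALLOW):
    """'*.example.com' matches example.com and anything below it; others match exactly."""
    qname = qname.lower().rstrip(".")
    for pat in allow:
        pat = pat.lower()
        if pat.startswith("*."):
            base = pat[2:]
            if qname == base or qname.endswith("." + base):
                return True
        elif qname == pat:
            return True
    return False


def nxdomain_response(query):
    """Echo ID and question; set QR and RA, copy RD, RCODE 3 (NXDOMAIN), no records."""
    _, _, _, qend = parse_question(query)
    ident, flags = struct.unpack("!HH", query[:4])
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", ident, resp_flags, 1, 0, 0, 0)
    return header + query[12:qend]


def forward_udp(query, upstream=UPSTREAM, timeout=3.0):
    """Send the query verbatim to the upstream resolver and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)


def handle(query, forward=forward_udp):
    """Decide one query: None for malformed input, forwarded reply, or NXDOMAIN."""
    try:
        qname = parse_question(query)[0]
    except (ValueError, IndexError, UnicodeDecodeError):
        return None                        # drop garbage rather than answer it
    if is_allowed(qname):
        return forward(query)
    return nxdomain_response(query)


def build_query(name, ident=0x1234, qtype=1):
    """Constructed sample query (RD set, one A question) for offline testing."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))


def serve(listen=LISTEN):
    """Blocking UDP loop; one query in, one reply out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            data, peer = s.recvfrom(4096)
            resp = handle(data)
            if resp:
                s.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Run it with python3, then check from the same host with `dig @127.0.0.1 -p 5353 www.google.com` (forwarded) and `dig @127.0.0.1 -p 5353 www.monster.com` (status NXDOMAIN). It is UDP only and single-threaded, so a slow upstream stalls every client behind it; for anything beyond a lab, put the forwarding on a thread or use the BIND forward-zone approach discussed further down the thread.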
one word: glue (Score:2)
Can be done with W2K3 DNS Server... (Score:5, Informative)
It has an option called "conditional forwarding" where you can forward anything ending with "example.com" to the DNS server x.x.x.x - just set up the DNS server and then set conditional forwarding of the domains you want to allow to a real DNS server.
We use this for setting up trusts between separate Active Directories but it could conceivably be used for this purpose as well.
Re:Can be done with W2K3 DNS Server... (Score:5, Informative)
Re: (Score:3, Informative)
Edit the root.hints file and replace the root servers with 127.0.0.1. Then just list forwards for the domains you want to a nameserver that is capable of resolving them. Unfortunately with this method you will get a timeout on any domain that you don't have a forward for, not an NXDOMAIN.
Re: (Score:2)
BIND v9 has a great Administrators Reference (bv9arm.pdf I think) that you should download and study if you want to do something like this. http://www.isc.org/sw/bind/arm93/Bv9ARM.pdf [isc.org]
Though you're probably better off looking into something like SQUID or some other internet proxy to do this internet access limitation... it will be more flexible.
Re: (Score:2)
You might then be better off using a client side proxy, but I offer this piece of advice: If you can't trust your users to use their computers responsibly, why hire them?
(Unless you're in a kiosk situation, in which case this DNS based solution is nowhere near sufficient...)
So, it's really a Windows problem then (Score:2)
I'll bet you are locked in to some specific Windows applications.
You really need to look into a proper solution, which would be migrating to a more secure OS like Linux.
Re: (Score:2)
Also, I cannot remove/lock down IE any more than it already is, because they hav
Straight to the packet filtering? (Score:1)
Re:Straight to the packet filtering? (Score:5, Informative)
Selectively change the destination name server using DNAT and send it to a fake name server. I use a similar hack for other less nefarious purposes. It used to be (before wireless hotspot ops got inventive) a very good way of supplying roaming clients with a well behaved and working DNS. You set the nameservers in the client to two well known, well behaved nameservers so it works with the VPN down. You also set the firewall/VPN gw to hijack all traffic to these well known nameservers coming down the VPN and direct it to your nameservers. As a result the clients consistently get good DNS after the VPN gets brought up and you do not get any silly split DNS scenarios.
Alternatively, besides master and slave there are several less known zone types. You should be able to achieve results similar to what you are looking for by using forward or stub type zones. This will give you a "bind-only" solution without playing silly firewall games.
some quick research (Score:1)
BIND can kind of do what you want. So can perl. (Score:2, Informative)
There are [at least] 2 problems with this. 1) You have to keep the forwarders up to date for the zones you list. 2) If google decides to make www.google.com a CNAME for www.google.akamai.net (OK, Google probably wouldn't do th
Re: (Score:2)
It gets mighty confusing if you're running a web server locally. Like my Mac does. And I have taken it onto networks that like sending you to 127.0.0.1. And wondered why I was getting my own website.
Re: (Score:3, Informative)
Even better set it to the IP of a webserver that throws up an information page explaining why you can't browse to the site you're trying to visit, and who to contact if you think it's a mistake/problem.
Of course that won't help anything other than web traffic, but I'm guessing that's the main point of this exercise.
Re: (Score:2)
The IP-of-a-webserver is a decent approach, though. So long as said server has the rest of its ports explicitly closed, not stealthed.
Re:BIND can kind of do what you want. So can perl. (Score:5, Informative)
Forget the whole 127.0.0.1 game playing, this is VERY simple with BIND
Simply create zones for the domains you want to forward on to be looked up as type forward and disable the "." zone
And since when did Ask Slashdot become an IT troubleshooting forum?
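The forward-zone approach in this reply and the root.hints trick further up, written out as an added example that is not from the thread: a small Python script that emits a BIND 9 named.conf with one `type forward` zone per allowed domain. Instead of only removing the "." hint zone, which as noted above leaves unlisted names timing out, it declares an empty authoritative root zone so that every name outside the forward zones gets NXDOMAIN; BIND picks the closest enclosing zone, so the more specific forward zones still win. The empty-root trick is my addition, as are the allowlist, forwarder addresses, client network and file paths. `recursion yes` is required because forward zones are only consulted during recursive lookups.

```python
"""Emit a BIND 9 named.conf that forwards an allowlist of domains and
answers NXDOMAIN for everything else. Added example; the allowlist,
forwarder addresses, client network and file paths are placeholders.
"""
ALLOW = ["*.google.com", "example.com"]       # assumed allowlist (asker's style)
FORWARDERS = ["192.0.2.53", "192.0.2.54"]     # assumed real resolvers (doc range)
CLIENTS = "10.0.0.0/8"                        # assumed client network
ROOT_FILE = "/etc/bind/empty-root.db"         # assumed path

# Empty authoritative root zone: with no delegations, every name not covered
# by a more specific (forward) zone gets NXDOMAIN rather than a timeout.
EMPTY_ROOT_ZONE = """\
$TTL 3600
@           IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
@           IN NS  localhost.
localhost   IN A   127.0.0.1
"""


def zone_name(pattern):
    """'*.google.com' -> 'google.com': a forward zone already covers all names under it."""
    return pattern[2:] if pattern.startswith("*.") else pattern


def render_named_conf(allow=ALLOW, forwarders=FORWARDERS, clients=CLIENTS, root_file=ROOT_FILE):
    """Return the named.conf text; one forward zone per allowed domain."""
    fwd = " ".join(f"{ip};" for ip in forwarders)
    lines = [
        "options {",
        "    recursion yes;                // forward zones are only used when recursing",
        f"    allow-recursion {{ {clients}; }};",
        "    // deliberately no global 'forwarders': that would forward everything",
        "};",
        "",
        "// Authoritative empty root: anything outside the forward zones below is NXDOMAIN.",
        f'zone "." {{ type master; file "{root_file}"; }};',
        "",
    ]
    for pat in allow:
        lines += [
            f'zone "{zone_name(pat)}" {{',
            "    type forward;",
            "    forward only;             // never fall back to iterative lookup",
            f"    forwarders {{ {fwd} }};",
            "};",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_named_conf())
    print(f"--- {ROOT_FILE} ---")
    print(EMPTY_ROOT_ZONE)
```

Validate the output with `named-checkconf` and `named-checkzone . /etc/bind/empty-root.db` before reloading, then confirm with `dig @127.0.0.1 www.google.com` (answer from the forwarders) and `dig @127.0.0.1 www.monster.com` (status NXDOMAIN). The CNAME caveat raised elsewhere in the thread still applies: the forwarders resolve the whole chain, so an allowed name that CNAMEs to a domain outside the list is still answered.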
Tacomaster's IT troubleshooting forum (Score:1)
Ask Slashdot, the non IT troubleshooting forum (Score:5, Funny)
Yo Slashdot. I've got this yellowish reddish spot. It's about the size of a quarter, and it's getting bigger. And it's all puffy and stuff. It's right on the back of my knee, but it doesn't really hurt. Should I be worried?
Hello. I'm going to Bill's house for a party, so I thought I'd bring a bottle of Castello di Borghese 71. But dear Muffy says that Bill just returned from the Promise clinic, and has to stay clean. What else should I bring to a party instead of wine? A dog or something?
I have a 1989 Chevy K2500 that has a vacuum problem. The truck runs very rough at idle. It has a new EGR valve that is working properly, a new EGR solenoid, all vacuum lines are good, and everything is working like it is supposed to, except that I am getting almost twice the vacuum to the EGR that it is supposed to get. Has anyone seen this problem before, or have any tips? Thanks a lot!
Re:Ask Slashdot, the non IT troubleshooting forum (Score:5, Funny)
There's nothing you can do. His side of the friendship is based on the fact that he wants to bone you. The best you can hope for is that he gets the idea that one of your friends thinks he's cute... then maybe he'll bother her instead.
Try bathing.
Depriving you of a drinking buddy is one of the most selfish things a man can do. If he can't handle the booze then that's his own problem. Don't let it ruin your day.
Your car clearly sucks. Deal with it.
Re: (Score:2)
He will understand if you don't want a relationship. If he gets romantic on you, just give him a BJ for comfort, and tell him you only want to be friends.
Yo Slashdot. I've got this yellowish reddish spot. It's about the size of a quarter, and it's getting bigger. And it's all puff
Re: (Score:1)
I'd try deleting all the entries in
and adding files named as the domains you want to look up, containing only
the IP address(es) of the name servers you want to forward to.
Nuking that @ file appears to give you the NXDOMAIN error like you desire:
[root@blah servers]# cat
[root@blah servers]# svc -h
[root@blah servers]# host www.monster.com 192.168.1.1
Using domain server
NetReg (Score:2, Interesting)
Posadis? (Score:2)
Something else to look into is this code written in Visual Basic* - please don't laugh - I've been using a hacked version for some time now to cache results and to pass certain lookups through tor_resolve. Url: http://www.csh.rit.edu/~jon/projects/caching_dns/ [rit.edu].
(If the author is reading this I've been meaning to say "thanks"!)
Re: (Score:2)
I just saw that you mentioned Linux. Also check out Dnsmasq, http://en.wikipedia.org/wiki/Dnsmasq [wikipedia.org]
There's a guide for installing on Ubuntu here: http://ubuntu.wordpress.com/2006/08/02/local-dns-cache-for-faster-browsing/ [wordpress.com]
Re: (Score:2)
Not totally its fault; the clients are to blame too, as well as some glaring holes in the DHCP spec.
horse shoes and hand grenades (Score:2)
pdnsd [freshmeat.net]
Windows solution (Score:2)
eg
*.google.com
www!.yourworkdomain.com
*sourceforge.net
Re: (Score:1)
Always another option of course: block everything at the firewall and lock down their access at the proxy.
Forwarding requires recursion (Score:1)
Google? (Score:2)
I assume you will try to block google cache somehow, otherwise the workaround is rather easy as well...
It's called Websense, maybe Squid (Score:2)
Proxy?? (Score:1)
Maybe look at Twisted DNS (Score:2)
Can I be the first to say.... (Score:2)
Break this! *obscene hand gesture*
For a single machine it's simple.. (Score:2)