
Selective DNS Caching/Forwarding

Cliff posted more than 7 years ago | from the resolve-only-what-you-want-it-to dept.


MaestroRC asks: "I've been looking around online, and I have found several people wanting to do the same thing, but no one seems to have figured it out yet. What I am wanting to do (and before you go further, understand this is for work, i.e.: no innocent people will be harmed in the implementation) is to set up a name server that selectively forwards queries. For example, I would like to create a list of acceptable domains (less than 20) using wildcards such as *.google.com, that the name server will forward a query on to and reply to normally. For anything not in the list, I want it to reply NXDOMAIN or some such. I've looked at BIND, and there doesn't appear to be a way to do what I'm wanting; it can either have recursion on or off, and any specific zones of type forward still do not forward if it is off. The solution doesn't have to be pretty, and it can just be a simple DNS proxy, but I'm not adept at coding, so it needs to be installable by a regular sysadmin on Linux. Has anyone heard of something like this?"


61 comments

one word: glue (1)

jroysdon (201893) | more than 7 years ago | (#16497201)

It won't work for the simple reason that you need dns glue, and you can't control where the glue will come from.

Re:one word: glue (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16497513)

I just read your retarded comment.

Re:one word: glue (1)

creimer (824291) | more than 7 years ago | (#16497615)

Must've been difficult for an AC to do that. :P

Re:one word: glue (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16497681)

1)No.
2)Why don't you go back to eating cookies.
3)Shut up.

Re:one word: glue (0)

Anonymous Coward | more than 7 years ago | (#16498243)

Well, no. A recursive resolver can handle all the glue it needs without giving that information to the client.

Can be done with W2K3 DNS Server... (4, Informative)

ErMaC (131019) | more than 7 years ago | (#16497225)

I'm not a Linux person, but I know a way you could do this with Windows Server 2003 DNS Server...
It has an option called "conditional forwarding" where you can forward anything ending with "example.com" to the DNS server x.x.x.x - just set up the DNS server and then set conditional forwarding of the domains you want to allow to a real DNS server.
We use this for setting up trusts between separate Active Directories but it could conceivably be used for this purpose as well.

Re:Can be done with W2K3 DNS Server... (5, Informative)

Phormion (861420) | more than 7 years ago | (#16498505)

BIND also provides exactly this through forward zones, nothing spectacular here.

Re:Can be done with W2K3 DNS Server... (0)

Anonymous Coward | more than 7 years ago | (#16504775)

Well, where do you think the Microsoft code came from? :P

djbdns? (0)

Anonymous Coward | more than 7 years ago | (#16497365)

I think you could do that easily with D. J. Bernstein's djbdns. Install dnscache and just remove root/servers/@ (or point it to a non-existent address) and configure the root/servers/DOMAINS you need. Of course, you'll have to track by hand changes in the IP addresses of those servers, but they shouldn't really change all that often.

Re:djbdns? (3, Informative)

r_naked (150044) | more than 7 years ago | (#16497407)

My solution is similar but with bind.

Edit the root.hints file and replace the root servers with 127.0.0.1. Then just list forwards for the domains you want to a nameserver that is capable of resolving them. Unfortunately with this method you will get a timeout on any domain that you don't have a forward for, not an NXDOMAIN.

Re:djbdns? (1)

Zapman (2662) | more than 7 years ago | (#16499641)

I haven't tried it, but you could probably set up a top-level wildcard domain, and force responses in it to be NXDOMAIN.

BIND v9 has a great Administrators Reference (bv9arm.pdf I think) that you should download and study if you want to do something like this. http://www.isc.org/sw/bind/arm93/Bv9ARM.pdf [isc.org]

Though you're probably better off looking into something like SQUID or some other internet proxy to do this internet access limitation... it will be more flexible.

Re:djbdns? (1)

MaestroRC (190789) | more than 7 years ago | (#16500191)

In our situation, DNS is the easiest way to limit it, because we have about 100 computers spread out among 100 locations, with no VPN or such things. Also, we don't want their actual traffic eating up our internet connection at the main office, since we only have a T1.

Re:djbdns? (1)

Zapman (2662) | more than 7 years ago | (#16501551)

You can control their DNS server, but not the other data/programs on the systems?

You might then be better off using a client side proxy, but I offer this piece of advice: If you can't trust your users to use their computers responsibly, why hire them?

(Unless you're in a kiosk situation, in which case this DNS based solution is nowhere near sufficient...)

Re:djbdns? (1)

MaestroRC (190789) | more than 7 years ago | (#16501963)

You're exactly right, I can control DNS server, but not what's on the machine (and the DNS is just a situation where the users aren't smart enough to know better, but even then only a manager would be able to change it). Where is this weird place, you might ask? It's a fast food restaurant. The reason we're doing this is mostly to prevent adware/spyware infections. Prior to doing our hosts file hack, we had 2-3 stores a week getting infected. Now, it's down to 1 every 2-3 months. There are 2 accounts on the machine, an admin account that is passworded, and a "store" account that is not, and is a limited user.

Re:djbdns? (1)

Zapman (2662) | more than 7 years ago | (#16504257)

If that's the case, you can up the security significantly by installing a nice, managed, client side firewall. I've only worked with Symantec for this service, but I'm sure there are others. Something that actually lets you limit the IP address ranges you can access, rather than 'this program can get to the internet, and this one can't'.

So, it's really a Windows problem then (1)

SpaceLifeForm (228190) | more than 7 years ago | (#16504263)

I'll bet you are locked in to some specific Windows applications.

You really need to look into a proper solution, which would be migrating to a more secure OS like Linux.

Re:So, it's really a Windows problem then (1)

MaestroRC (190789) | more than 7 years ago | (#16506589)

Would love to. However, I'm not only locked into what we have, I have no budget at all, and I have to make sure that basically no one ever requires re-training (for example, some of the stores are in California, and myself and the other half are in Tennessee. Some of the CA stores have been using Outlook Express for several years, and although we have a solid case against it for security reasons, I'm still not allowed to force any store that has an existing computer to give up OE and use Outlook Web Access; I have to wait until they get a replacement computer from us).

Also, there are a few programs they use for training purposes that are Windows-only, which would require using Crossover or Wine. Honestly, even if I came up with a perfect fit for what they are used for, I still wouldn't be able to roll it out. We also have an issue where our systems are dying because of greasy dust from the fryers all day getting stuck in the fans and other moving components, but the higher ups would rather us throw money at the existing machines than to get some small fanless machines with flash disks (which only cost about 2-3 times a single cleaning/imaging costs).

Re:So, it's really a Windows problem then (0)

Anonymous Coward | more than 7 years ago | (#16599578)

Can you replace IE with Firefox? Install FF, and disable IE via the registry. I had similar issues with staff installing 3rd party applications, spyware, ActiveX controls and virii when looking for non work related material.

Firefox has fixed most of these issues that IE introduces in regards to security and unsolicited software installs.

Failing this, there are ways to lock IE down to very basic user rights, lower than UserLevel security accounts, but this varies OS-OS and IE version.

Other than this I would have to agree with everyone else about setting up Proxy/Squid servers. You can now buy very inexpensive Cisco Content Engines (Proxy) under $100 and place one at each store/location; I'm guessing less than it costs you to fix these per month. They can be placed well away from your grease areas in an unventilated cupboard (providing there is not too much heat in there). This might also save you costs on bandwidth, and give you the benefit of content control.

Re:So, it's really a Windows problem then (1)

MaestroRC (190789) | more than 7 years ago | (#16603122)

Again, this is all avoiding the actual question I had, which was pointed as it was because of the situation I'm in, which is somewhat unique. No, I can't buy anything for each store, because even $100/store*100 stores is $10,000, which is about 1/2-1/3 of my yearly salary (I only do this job part time, 10-15 hours a week during the semester and 30 hours/week over the holidays). As I mentioned before, my budget is literally $0.

Also, I cannot remove/lock down IE any more than it already is, because they have to be able to place food orders at sites that are (sadly) IE only, and require specific components to work correctly (mostly, expecting a completely basic setup of IE, with no restrictions).

Proxy through our corporate office is also out, because as I mentioned before, we don't have the bandwidth there to support it (even a trickle of 10KB/sec from an average of 40 stores online at a time (40%) is still about a third of our bandwidth). Increasing our bandwidth is also not an option due to budget issues. Even if it's caching, it's still going over our outbound pipe, which is still not good.

Really, the only options I have are A, write a program that will periodically check one of our servers for an updated hosts file, and overwrite it; B, set up each store to point to one of our servers for DNS, that will filter their requests and allow through only traffic we wish to allow (preferable); or C, continue what we're doing now, which is to set DNS to 1.1.1.1 and put everything they need in a hosts file, and keep their user from being able to modify that file or the network settings.

Right now the higher-ups are preferring C, because we have an army of district managers that are paid considerably less than myself that we can train to go to their sites and update manually. However, because like any trained monkey doing repetitive tasks they get bored and start slacking off, the stores haven't been getting updated lately and I'm looking for a way to take the human element out of it, which leaves me with options A and B currently.
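Option B above (a server the stores point to for DNS, which forwards only the names you choose and answers NXDOMAIN for everything else) is small enough to write as a UDP proxy. The following is an added example, not code from the poster or from the perl script mentioned elsewhere in the thread; the allowlist, the upstream resolver 192.0.2.53 and the listen port 5353 are constructed placeholders, and the wire-format handling covers only the plain single-question UDP case.

```python
"""Selective forwarding DNS proxy: allowlisted names are forwarded upstream,
everything else is answered NXDOMAIN. Standard library only, UDP only."""
import fnmatch
import socket
import struct

# Constructed allowlist in the style the question asks for (*.google.com).
ALLOWED = ["google.com", "*.google.com", "*.example.org"]
UPSTREAM = ("192.0.2.53", 53)   # placeholder: the real recursive resolver
LISTEN = ("0.0.0.0", 5353)      # assumed listen address/port for the proxy


def is_allowed(name, patterns=ALLOWED):
    """Case-insensitive match of a query name against the wildcard allowlist.

    fnmatch's '*' matches dots too, so '*.google.com' covers subdomains at any
    depth, while the literal suffix keeps 'google.com.attacker.net' out.
    """
    name = name.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def encode_qname(name):
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def parse_question(msg):
    """Return (qname, offset just past the question section) of a DNS query."""
    labels, i = [], 12                # skip the fixed 12-byte header
    while True:
        length = msg[i]
        if length == 0:
            i += 1
            break
        if length & 0xC0:             # compression pointers are not legal here
            raise ValueError("compressed QNAME in question section")
        labels.append(msg[i + 1:i + 1 + length].decode("ascii"))
        i += 1 + length
    return ".".join(labels), i + 4    # + QTYPE and QCLASS


def build_query(name, qtype=1, qid=0x1234):
    """Constructed client query (type A by default, RD set) for testing."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def nxdomain_reply(query):
    """Authoritative NXDOMAIN (RCODE 3) echoing the client's ID and question."""
    qid, flags_in = struct.unpack("!HH", query[:4])
    # QR=1, opcode copied, AA=1, RD copied, RA=1, RCODE=3
    flags = 0x8000 | (flags_in & 0x7800) | 0x0400 | (flags_in & 0x0100) | 0x0080 | 3
    _, qend = parse_question(query)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:qend]


def forward_udp(query, upstream=UPSTREAM, timeout=2.0):
    """Relay the raw query to the upstream resolver and return its raw answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)


def handle(query, forward=forward_udp):
    """Policy decision per query; 'forward' is injectable so it can be tested offline."""
    try:
        name, _ = parse_question(query)
    except (ValueError, IndexError, UnicodeDecodeError):
        return b""                    # malformed query: drop it
    if is_allowed(name):
        return forward(query)
    return nxdomain_reply(query)


def serve():
    """Single-threaded UDP loop: one policy decision per datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(LISTEN)
        while True:
            data, client = srv.recvfrom(4096)
            reply = handle(data)
            if reply:
                srv.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Because the stores reach this server over the Internet with no VPN, whatever runs it needs to restrict which source addresses may query it (a firewall rule on port 53, or a check on the client address in the loop), or it becomes an open forwarder for the allowlisted domains. The NXDOMAIN path never touches the upstream, so anything off the list costs the T1 nothing.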

Hack your system's C library. (0)

Anonymous Coward | more than 7 years ago | (#16497385)

Many applications use various routines within the C library on a system to resolve hostnames.

I don't know how glibc handles it, but on FreeBSD one could hack the res_*() and dn_*() functions to add the functionality you require.

Straight to the packet filtering? (0)

_iris (92554) | more than 7 years ago | (#16497393)

Why not just use packet filtering to drop DNS packets from your DNS caching server that do not contain the whitelisted domains in their payload? Your DNS caching daemon would just temporarily fail.

Re:Straight to the packet filtering? (0)

Anonymous Coward | more than 7 years ago | (#16497547)

omg, what a dirty hack.
hope you don't handle any important networks ;)

Re:Straight to the packet filtering? (5, Informative)

arivanov (12034) | more than 7 years ago | (#16497781)

No need to drop.

Selectively change the destination name server using DNAT and send it to a fake name server. I use a similar hack for other less nefarious purposes. It used to be (before wireless hotspot ops got inventive) a very good way of supplying roaming clients with a well behaved and working DNS. You set the nameservers in the client to two well known, well behaved nameservers so it works with the VPN down. You also set the firewall/VPN gw to hijack all traffic to these well known nameservers coming down the VPN and direct it to your nameservers. As a result the clients consistently get good DNS after the VPN gets brought up and you do not get any silly split DNS scenarios.

Alternatively, besides master and slave there are several less known zone types. You should be able to achieve results similar to what you are looking for by using forward or stub type zones. This will give you a "bind-only" solution without playing silly firewall games.

some quick research (0)

mikesd81 (518581) | more than 7 years ago | (#16497403)

I stumbled upon this link [oreilly.com] you may be able to pull the electronic version of the book from somewhere... I don't know if this helps.

BIND can kind of do what you want. So can perl. (2, Informative)

Anonymous Coward | more than 7 years ago | (#16497405)

I tried to do something similar to this once. In BIND, you can define a zone called "." In there, add a record "* IN A 127.0.0.1" (this isn't really NXDOMAIN, but it does prevent people from getting places :)). Then create forward zones for each domain you want to resolve properly.

There are [at least] 2 problems with this. 1) You have to keep the forwarders up to date for the zones you list. 2) If google decides to make www.google.com a CNAME for www.google.akamai.net (OK, Google probably wouldn't do this, but Apple, Microsoft, etc do) and you don't have that other domain defined in a forward zone, it ain't gonna work.

I also wrote a perl script to do what you want. It's really quite simple with a couple modules from CPAN. But, it's not suitable for any sort of remotely demanding DNS environment. If it's just for your kid's computer ... then it'll probably suffice.
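The BIND layout described in this post (forward zones for the allowed domains, with a catch-all "." zone underneath) written out as a named.conf fragment plus the root zone file it references. This is an added example rather than the poster's configuration; the directory, the file name db.empty-root, the 10.0.0.0/8 client range and the forwarder 192.0.2.53 are placeholders. It differs from the post in one respect: instead of a wildcard A record pointing at 127.0.0.1, the "." zone is left empty, so unmatched names get a real NXDOMAIN from the server's own authoritative root.

```conf
// ---- named.conf fragment (placeholders: paths, 10.0.0.0/8, 192.0.2.53) ----
options {
    directory "/etc/bind";
    recursion yes;                  // forward zones only work with recursion on
    allow-query { 10.0.0.0/8; };    // placeholder: restrict to the store networks
    // deliberately no global "forwarders": unmatched names fall to the "." zone
};

// One forward zone per allowed domain; it covers the domain and every subdomain.
zone "google.com" {
    type forward;
    forward only;                   // never fall back to iterating from the roots
    forwarders { 192.0.2.53; };     // placeholder: a real recursive resolver
};

// Authoritative, empty root: any name not under a zone above is answered NXDOMAIN.
zone "." {
    type master;
    file "db.empty-root";
};

// ---- db.empty-root: the root zone file, no records beyond SOA and NS ----
; $TTL 300
; @   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
; @   IN NS   localhost.
```

Check it with `named-checkconf` and then two queries: `dig @server www.google.com` should return the forwarder's answer, and `dig @server www.example.net` should return status NXDOMAIN rather than a timeout. The CNAME problem raised in this post still applies: with `forward only` the recursive forwarder normally returns the whole CNAME chain in one answer, but if a chain target lives under a domain not listed as a forward zone and is not in that answer, the lookup lands in the empty root and fails.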

Re:BIND can kind of do what you want. So can perl. (1)

Geoffreyerffoeg (729040) | more than 7 years ago | (#16497811)

add a record "* IN A 127.0.0.1" (this isn't really NXDOMAIN, but it does prevent people from getting places :)).

It gets mighty confusing if you're running a web server locally. Like my Mac does. And I have taken it onto networks that like sending you to 127.0.0.1. And wondered why I was getting my own website.

Re:BIND can kind of do what you want. So can perl. (3, Informative)

Bargearse (68504) | more than 7 years ago | (#16497895)

So set it to something other than 127.0.0.1 -- 127.0.0.2 for example :)

Even better set it to the IP of a webserver that throws up an information page explaining why you can't browse to the site you're trying to visit, and who to contact if you think it's a mistake/problem.

Of course that won't help anything other than web traffic, but I'm guessing that's the main point of this exercise.

Re:BIND can kind of do what you want. So can perl. (1)

zerOnIne (128186) | more than 7 years ago | (#16499969)

Actually, the reserved localhost network is a full class-A, 127.x.x.x, so sending to 127.0.0.2 will have the same result on most clients.

Re:BIND can kind of do what you want. So can perl. (1)

Geoffreyerffoeg (729040) | more than 7 years ago | (#16512751)

127.0.0.2 is, in any decent stack, also localhost. Actually 127/8 should all point to localhost, and is explicitly reserved for this use.

The IP-of-a-webserver is a decent approach, though. So long as said server has the rest of its ports explicitly closed, not stealthed.

Re:BIND can kind of do what you want. So can perl. (4, Informative)

dmayle (200765) | more than 7 years ago | (#16498103)

Forget the whole 127.0.0.1 game playing, this is VERY simple with BIND

Simply create zones for the domains you want to forward on to be looked up as type forward and disable the "." zone

And since when did Ask Slashdot become an IT troubleshooting forum?

Tacomaster's IT troubleshooting forum (1)

sowth (748135) | more than 7 years ago | (#16498429)

Slashdot has always been an IT troubleshooting forum. What else are you going to do with it? Drink beer? I admit, beer and tacos are a good mix.

Ask Slashdot, the non IT troubleshooting forum (4, Funny)

cgenman (325138) | more than 7 years ago | (#16498635)

Hi Slashdot. A friend of mine has been hitting on me for a few weeks now. And while I like him, his advances makes me uncomfortable. How do I tell him that I don't want a relationship, without damaging the friendship that we share?

Yo Slashdot. I've got this yellowish reddish spot. It's about the size of a quarter, and it's getting bigger. And it's all puffy and stuff. It's right on the back of my knee, but it doesn't really hurt. Should I be worried?

Hello. I'm going to Bill's house for a party, so I thought I'd bring a bottle of Castello di Borghese 71. But dear Muffy says that Bill just returned from the Promise clinic, and has to stay clean. What else should I bring to a party instead of wine? A dog or something?

I have a 1989 Chevy K2500 that has a vacuum problem. Truck runs very rough at idle. Has a new EGR valve that is working properly, new EGR solenoid, all vacuum lines are good, everything is working like it is supposed to except that I am getting almost twice the vacuum to the EGR than it is supposed to get. Has anyone seen this problem before or any tips? Thanks a lot!

Re:Ask Slashdot, the non IT troubleshooting forum (5, Funny)

jamesh (87723) | more than 7 years ago | (#16499019)

Hi Slashdot. A friend of mine has been hitting on me for a few weeks now. And while I like him, his advances makes me uncomfortable. How do I tell him that I don't want a relationship, without damaging the friendship that we share?

There's nothing you can do. His side of the friendship is based on the fact that he wants to bone you. The best you can hope for is that he gets the idea that one of your friends thinks he's cute... then maybe he'll bother her instead.

Yo Slashdot. I've got this yellowish reddish spot. It's about the size of a quarter, and it's getting bigger. And it's all puffy and stuff. It's right on the back of my knee, but it doesn't really hurt. Should I be worried?

Try bathing.

Hello. I'm going to Bill's house for a party, so I thought I'd bring a bottle of Castello di Borghese 71. But dear Muffy says that Bill just returned from the Promise clinic, and has to stay clean. What else should I bring to a party instead of wine? A dog or something?

Depriving you of a drinking buddy is one of the most selfish things a man can do. If he can't handle the booze then that's his own problem. Don't let it ruin your day.

I have a 1989 Chevy K2500 that has a vacuum problem. Truck runs very rough at idle. Has a new EGR valve that is working properly, new EGR solenoid, all vacuum lines are good, everything is working like it is supposed to except that I am getting almost twice the vacuum to the EGR than it is supposed to get. Has anyone seen this problem before or any tips? Thanks a lot!

Your car clearly sucks. Deal with it.

Re:Ask Slashdot, the non IT troubleshooting forum (1)

orasio (188021) | more than 7 years ago | (#16500009)

Hi Slashdot. A friend of mine has been hitting on me for a few weeks now. And while I like him, his advances makes me uncomfortable. How do I tell him that I don't want a relationship, without damaging the friendship that we share?

He will understand if you don't want a relationship. If he gets romantic on you, just give him a BJ for comfort, and tell him you only want to be friends.

Yo Slashdot. I've got this yellowish reddish spot. It's about the size of a quarter, and it's getting bigger. And it's all puffy and stuff. It's right on the back of my knee, but it doesn't really hurt. Should I be worried?

What is your Zodiac sign? Cancer? I thought so. Start shopping for a cane.

Hello. I'm going to Bill's house for a party, so I thought I'd bring a bottle of Castello di Borghese 71. But dear Muffy says that Bill just returned from the Promise clinic, and has to stay clean. What else should I bring to a party instead of wine? A dog or something?

Cocaine.

I have a 1989 Chevy K2500 that has a vacuum problem. Truck runs very rough at idle. Has a new EGR valve that is working properly, new EGR solenoid, all vacuum lines are good, everything is working like it is supposed to except that I am getting almost twice the vacuum to the EGR than it is supposed to get. Has anyone seen this problem before or any tips? Thanks a lot!

Get a Toyota. You are not man enough to handle a Chevy.

Re:Ask Slashdot, the non IT troubleshooting forum (0)

Anonymous Coward | more than 7 years ago | (#16500535)

not... man enough... to handle a... chevy

Huh? I've reread this a dozen times, and while it parses okay, semantically it just doesn't make any sense. Now, if you'd said Dodge, or even Ford, fine, but Chevy?

Re:BIND can kind of do what you want. So can perl. (1)

Bipoha (540839) | more than 7 years ago | (#16588978)

I imagine dnscache (djbdns recursive name server) could do this.

I'd try deleting all the entries in /var/services/dnscache/root/servers/@,
and adding files named as the domains you want to look up, containing only
the IP address(es) of the name servers you want to forward to.

Nuking that @ file appears to give you the NXDOMAIN error like you desire:

[root@blah servers]# cat /dev/null > @
[root@blah servers]# svc -h /var/services/dnscache
[root@blah servers]# host www.monster.com 192.168.1.1
Using domain server 192.168.1.1:
Host not found, try again.

If you have a name server to forward to, say at "192.168.1.2" you just need to do
the following:

echo 192.168.1.2 > monster.com
echo 192.168.1.2 > google.com
echo 192.168.1.2 > slashdot.org ... etc.

Re:BIND can kind of do what you want. So can perl. (1)

Bipoha (540839) | more than 7 years ago | (#16589142)

I just thought of something... (Actually, I had to go to bed first...and THEN realize this) The IP addresses you put into the domain-named files have to be authoritative name servers. So, whatever you get from a 'host -t ns slashdot.org' has to be in the "slashdot.org" file, etc. Make sure you use IP addresses, and not the hostnames for obvious reasons. OK, back to bed...

NetReg (2, Interesting)

GraffitiKnight (724507) | more than 7 years ago | (#16497469)

If you check out NetReg [netreg.org], in the download and installation instructions they have steps on how to set up forwards like this. NetReg uses it to require people to register their MAC address. Anyone not registered is forwarded to the registration page, but it would be simple to modify it using their example. We use NetReg at our university, and I am working on expanding some of its functionality for my senior project.

Re:NetReg (1)

lightyear4 (852813) | more than 7 years ago | (#16497863)

We use netreg at my university (and I work for the IT netsec dept); if you're looking for specific functionality, we might be able to help. Drop me an email.

Posadis? (1)

jginspace (678908) | more than 7 years ago | (#16497485)

I'm not sure if Posadis will meet your requirements or not. See here: http://posadis.sourceforge.net/ [sourceforge.net]

Something else to look into is this code written in Visual Basic* - please don't laugh - I've been using a hacked version for some time now to cache results and to pass certain lookups through tor_resolve. Url: http://www.csh.rit.edu/~jon/projects/caching_dns/ [rit.edu] .

(If the author is reading this I've been meaning to say "thanks"!)

Re:Posadis? (1)

jginspace (678908) | more than 7 years ago | (#16497583)

(replying to myself)

I just saw that you mentioned Linux. Also check out Dnsmasq, http://en.wikipedia.org/wiki/Dnsmasq [wikipedia.org] ... "Dnsmasq can be configured to send queries for certain domains to upstream servers handling only those domains."

There's a guide for installing on Ubuntu here: http://ubuntu.wordpress.com/2006/08/02/local-dns-cache-for-faster-browsing/ [wordpress.com]

Re:Posadis? (1)

NoMaster (142776) | more than 7 years ago | (#16498263)

Just watch out if you're using it as a DHCP server as well - like many simpler servers, it doesn't play well with many embedded-type clients e.g. NSLU2s, network printers, XBoxes, etc.

Not totally its fault; the clients are to blame too, as well as some glaring holes in the DHCP spec.

horse shoes and hand grenades (1)

GMC-jimmy (243376) | more than 7 years ago | (#16497607)

This might not work as requested but it works for my home network and parenting needs.

pdnsd [freshmeat.net]

it's been done (0)

Anonymous Coward | more than 7 years ago | (#16497687)

ATT invented some technology that does this, several years ago, but it was never released into the public domain. Their implementation was intended to operate as a DNS proxy which rewrote DNS replies so that no "internal" user ever received references to "external" hosts; given this functionality, filtering would be fairly simple.

Windows solution (1)

Barny (103770) | more than 7 years ago | (#16497891)

Can use winroute (kerio package) to act as a DNS only, have it default deny, then make up the wildcards you want (yes, it supports standard * and ! wildcards).

eg

*.google.com

www!.yourworkdomain.com

*sourceforge.net

Re:Windows solution (1)

Barny (103770) | more than 7 years ago | (#16497905)

Argg, took a look at our winroute setup (dimly remember setting it up ages ago) and it would need to be acting as a proxy to do this.

Always another option of course: block everything at the firewall and lock down their access at the proxy.

Forwarding requires recursion (1)

Phormion (861420) | more than 7 years ago | (#16498555)

Forwarding requires recursion turned on. However, you can set up internal root nameservers which have a trimmed-down version of the DNS namespace, and also slave the zones you're interested in. This can be done very well with BIND.

Bind views for selective DNS caching/forwarding (1)

BSAtHome (455370) | more than 7 years ago | (#16499233)

Take a look at the "view" option in bind. You can set the internals up so that you only answer for selective things depending on who is asking. It is a bit tricky, but extremely powerful.

Google? (1)

morie (227571) | more than 7 years ago | (#16499327)

What's the use in allowing google and not allowing the sites it links to?

I assume you will try to block google cache somehow, otherwise the workaround is rather easy as well...

Re:Google? (0)

Anonymous Coward | more than 7 years ago | (#16499397)

For searching large sites that they can use but which don't have a decent search facility?

I often find what I'm looking for in Microsoft's online MSDN more easily using Google's "search this site" rather than the built-in search.

It's called Websense, maybe Squid (1)

Gothmolly (148874) | more than 7 years ago | (#16499463)

Since you're trying to filter people's web access, and block teh pr0n, I'd say you should look into decent web caching software. Something like Squid surely has a way to only allow certain URLs.

Re:It's called Websense, maybe Squid (1)

HoosierPeschke (887362) | more than 7 years ago | (#16499885)

If you're going the squid route, DansGuardian works great! It's easy to configure and blocks out a lot of crap!

Re:It's called Websense, maybe Squid (1)

MaestroRC (190789) | more than 7 years ago | (#16500593)

I mentioned this to a previous comment, but you may not see it. I wasn't very clear on this point; the computers we're restricting are at 100 (literally) different locations, and we only have a tiny T1 pipe at the central office. In other words, it's not efficient for us to do caching/proxying. Right now we're using DNS set to 1.1.1.1 and a hosts file to do the same thing, but it's getting annoying updating 100 sites when a host changes or needs to be added.

Re:It's called Websense, maybe Squid (2, Informative)

cr0sh (43134) | more than 7 years ago | (#16509669)

Why is it annoying? Aside from the fact that you have to update a hosts file (ugh), you should just have a cron job (or equiv) on each of those computers to pull down the new hosts file and install it, at some "low usage" time (depending on where the computers are located geographically/timezone-wise).

An even better solution would be: if those machines are individual workstations, set up a "host file server" at each group-of-computers location, and have them pull from their local "cache" copy on that server. Then, each of the servers grabs from the central hosts file publishing server at low usage times (of course, it is likely that those 100+ machines are the servers for 100+ locations, in which case the first solution is more appropriate).

Another possibility would be similar, but instead it would be distributed: first, set up a periodic cron task (say every 12 hours) to keep the time on each server equal to the time on a randomly picked server in a pool within each time zone (if they are distributed across time zones; if not, it becomes simple). Have a separate cron job that runs every hour or so and randomly picks one of the servers in its own time zone to check and see if the time and checksum on that server's hosts file are the same as the calling server's hosts file. If the time/checksum is different, have it grab the hosts file from there. If a server has to ask another server outside of the time zone (maybe one can be dedicated to do this?), then hours would have to be added/subtracted depending on what time zone it is in, but overall you should be able to set things up so it can compare the times, and make sure that the times (+/- for time zones) match.

Then, you just publish on your one machine, and all of the other machines (over a few hours) automagically, via a distributed system, update their hosts files, because it changed on one machine and the neighbors noticed. Let's call this the "keeping up with the Joneses" method of distributed file propagation...

dnsmasq FTW (0)

Anonymous Coward | more than 7 years ago | (#16500705)

Dnsmasq is the easiest DNS server you will ever encounter. Ever. It's not meant to be a DNS server though, it's actually "just" a caching/forwarding dns query thingie. But you can define hosts and IPs in a hosts file, serve DHCP, do dynamic dns, filter queries, etc.

Basically you map in the domains you want to forward, and then make a wildcard record that points to 127.0.0.1 or something. I can't remember the syntax off the top of my head but it should be possible. If not that, just play with bind configuration for a couple days.

Maybe look at Twisted DNS (1)

Sloppy (14984) | more than 7 years ago | (#16501625)

Twisted DNS [twistedmatrix.com] should be pretty customizable, although your "I'm not adept at coding" will probably make it hard for you. Still, I throw it out there, in case someone else has an application that requires customized DNS. From a cleanliness and safety aspect, it's sure a better starting point than BIND.

Can I be the first to say.... (1)

slcdb (317433) | more than 7 years ago | (#16503073)

... that I'm glad this isn't (apparently) too easy to do? It should always be hard to break standards, especially on the Internet. Otherwise, the next thing you know, when powerful interest groups (think MPAA, RIAA, et al.) get large ISPs (think AOL, Comcast, et al.) in their back pockets... well, I think you can guess what happens next.

Break this! *obscene hand gesture*

Real men (0)

Anonymous Coward | more than 7 years ago | (#16506671)

Real men use 4.2.2.1 & 4.2.2.2 as DNS servers so that you can't deprive them of pr0n.

For a single machine it's simple.. (1)

Technician (215283) | more than 7 years ago | (#16512723)

My daughter had an online class. The class required IE, Flash, JS, and other holes in security counter to my web browsing guidelines. To prevent it becoming a melted down bot, I pointed its network setting for DNS to localhost instead of my residential gateway. (I know, I just broke the web.) I then manually put just the 7 required sites in the hosts file with correct URL addresses. The end result was the school sites worked and nothing else did. The online course worked like a charm without getting owned. The caveat is the machine could not be used for both homework and web browsing.