[Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking

2011-08-07 Thread Sam Crawford
Afternoon,

I'm looking to selectively block certain domains using dnsmasq by
rewriting responses. I realise this can already be done statically
through config files, but I want this to be more dynamic and intend to
operate a set of DNS servers that maintains a list of blocked domains
(as this will be (a) a large list and (b) be used by numerous clients,
so should be centrally managed). So, I'm imagining the query flow would
go a little like this:

1) Client in LAN makes A query for www.example.com to dnsmasq
2) dnsmasq forwards query to ISP-hosted resolver
3) dnsmasq receives response from ISP-hosted resolver
4) dnsmasq sends query to special DNS server to check for blocked status
5) dnsmasq receives response from special 'blocked' DNS server
6) If the query to the 'blocked' DNS server dnsmasq returns success (a
certain magic number), then return the real response to the user
(obtained in step 3), otherwise a spoofed address (e.g. localhost)

(Of course, I'd intend to introduce caching in steps 4/5 as dnsmasq
does normally for its forwarding functionality).

A couple of questions arise:

1) Is this a sensible thing to be doing in dnsmasq? Is there something
else that does it natively that I've overlooked?
2) Can anyone point me towards where I should start looking in the
source to incorporate the changes?

Any advice would be greatly appreciated. I've searched the mailing
list archives and couldn't find anything quite like this.

Thanks,

Sam



Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking

2011-08-07 Thread /dev/rob0
On Sun, Aug 07, 2011 at 03:05:25PM +0100, Sam Crawford wrote:
> I'm looking to selectively block certain domains using dnsmasq by
> rewriting responses. I realise this can already be done statically
> through config files, but I want this to be more dynamic and intend
> to operate a set of DNS servers that maintains a list of blocked

I think the thing to change in this grand scheme is what the set of 
DNS servers will return. They could be authoritative for blocked 
domains, and recursive for everything else. In that case no code 
hacks are necessary; you simply use these servers as the upstream 
servers for dnsmasq.

It's also possible to use dnsmasq in this upstream role, loading 
a list of blocked domains as a hosts file, SIGHUP (IIRC) when it 
changes.

> domains (as this will be (a) a large list and (b) be used by
> numerous clients, so should be centrally managed). So, I'm imagining
> the query flow would go a little like this:
>
> 1) Client in LAN makes A query for www.example.com to dnsmasq
> 2) dnsmasq forwards query to ISP-hosted resolver
> 3) dnsmasq receives response from ISP-hosted resolver
> 4) dnsmasq sends query to special DNS server to check for blocked status
> 5) dnsmasq receives response from special 'blocked' DNS server
> 6) If the query to the 'blocked' DNS server dnsmasq returns success (a
> certain magic number), then return the real response to the user
> (obtained in step 3), otherwise a spoofed address (e.g. localhost)

What RRtype would this magic number be? My idea also requires no 
protocol-level hacks.

Having done domain blocking before, I would recommend that the 
address returned for A query point to a special HTTP host with a 
page telling the user that the domain was blocked, and why. A simple 
static HTML page (which is also used as the 404 page) would suffice.

> (Of course, I'd intend to introduce caching in steps 4/5 as
> dnsmasq does normally for its forwarding functionality).
>
> A couple of questions arise:
>
> 1) Is this a sensible thing to be doing in dnsmasq? Is there
> something else that does it natively that I've overlooked?
> 2) Can anyone point me towards where I should start looking in
> the source to incorporate the changes?
>
> Any advice would be greatly appreciated. I've searched the mailing
> list archives and couldn't find anything quite like this.

DNS-level domain blocking is not a new idea. http://pgl.yoyo.org/as/ 
was helpful in my project back in '05 or so. OpenDNS implements a 
domain blocking feature as well. http://www.malwaredomains.com/ may 
also be of interest.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
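
The setup suggested in the reply above (an upstream dnsmasq that loads the blocked domains as a hosts file, is sent SIGHUP when the list changes, and answers with the address of a block-page HTTP host), as an added example that is not part of the original thread. BLOCK_IP, the file paths, the list format and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: BLOCK_IP, all file paths, and
# the list format (one domain per line, '#' starts a comment).
#
# Upstream dnsmasq configuration this assumes:
#   no-resolv
#   server=<address of the ISP resolver>
#   addn-hosts=/etc/dnsmasq.blocked.hosts

BLOCK_IP="${BLOCK_IP:-192.0.2.10}"   # assumed address of the block-page HTTP host

# render_hosts: domain list on stdin, hosts-file lines on stdout.
# Entries are lowercased, stripped of comments and the trailing root dot,
# de-duplicated, and dropped unless they are plain multi-label hostnames, so a
# malformed entry cannot add extra fields or override single-label names.
render_hosts() {
    awk -v ip="$BLOCK_IP" '
        {
            sub(/#.*/, "")            # strip comment
            sub(/^[ \t\r]+/, "")      # trim leading whitespace
            sub(/[ \t\r]+$/, "")      # trim trailing whitespace and CR
            sub(/\.$/, "")            # strip trailing root dot
            d = tolower($0)
            if (d == "" || length(d) > 253) next
            if (d !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
            if (!(d in seen)) { seen[d] = 1; print ip, d }
        }'
}

# install_and_reload LIST HOSTS PIDFILE
# Writes HOSTS atomically, then sends SIGHUP so dnsmasq re-reads it.
# An empty result is refused, so a broken list fetch does not unblock everything.
install_and_reload() {
    tmp="$2.tmp.$$"
    render_hosts < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2" && kill -HUP "$(cat "$3")"
}

# Constructed sample list, rendered to stdout (nothing is installed or signalled).
printf '%s\n' 'Ads.Example.com' 'tracker.example.net  # constructed' \
    'not a hostname' | render_hosts
```

A hosts entry matches only the exact name listed, so subdomains need their own lines. dnsmasq's address=/domain/ip form also covers subdomains, but it lives in the configuration file, which SIGHUP does not re-read.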