Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
On Mon, Aug 15, 2011 at 7:21 PM, Ed W li...@wildgooses.com wrote:

> On 15/08/2011 14:16, richardvo...@gmail.com wrote:
>
>>> The next step is to focus on the changes required at the dnsmasq level (client side). I appreciate your suggestions regarding the CPAN modules, but I'm intending for this to function on small embedded devices (typically ~4MB flash), and getting Perl on there is quite unlikely.
>>
>> miniperl and microperl are pretty small, although distributions for such routers may have crammed the flash nearly full already.
>
> I think if you want perl then you need perl. It's a nice idea, but with only 4MB you need to look at something more compact than perl

Hello,

If you are too concerned about space or can't cross compile perl, I have a patch that does what you want to do. It's not much, but should help you.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q2/005050.html
Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
Ed,

Many thanks for the suggestion. You're quite right - my server-side idea was effectively re-inventing the wheel. I've ended up going with rbldnsd, which has been a breeze to set up for this task (even with millions of records) and no code changes were required.

The next step is to focus on the changes required at the dnsmasq level (client side). I appreciate your suggestions regarding the CPAN modules, but I'm intending for this to function on small embedded devices (typically ~4MB flash), and getting Perl on there is quite unlikely.

Thanks,

Sam

On 8 August 2011 14:18, Ed W li...@wildgooses.com wrote:

> On 07/08/2011 19:22, Sam Crawford wrote:
>
>> I also wish for the dnsmasq host to have some logic and act upon the response from the server (so the logic couldn't be entirely server-side). The server would return a set of TXT records (indicating the classifications of the domains) if it were classified, and NXDOMAIN otherwise. Based upon these classifications returned from the server and *local* configuration of the host running dnsmasq, the original client would then either be sent back the real response (from the ISP server) or an A record pointing at the dnsmasq host (which would also be running a small webserver with a static page, as you suggested).
>
> This basic problem is used a lot in mail blacklisting. I would suggest taking a look at the techniques used for rbldns and I think you will also find some example software which does very high speed lookups into massive rbl lists (if for example you want to benchmark alternative implementations to dnsmasq)
>
> Also if necessary you can use Perl (or something else) to create your own resolver which has the necessary logic (ie check here, if no response then check there)
>
> http://search.cpan.org/search?query=dnsmode=all
>
> Good luck - interested to hear how you solve this!
>
> Ed W
Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
On Mon, Aug 15, 2011 at 7:02 AM, Sam Crawford samcrawf...@gmail.com wrote:

> Ed,
>
> Many thanks for the suggestion. You're quite right - my server-side idea was effectively re-inventing the wheel. I've ended up going with rbldnsd, which has been a breeze to set up for this task (even with millions of records) and no code changes were required.
>
> The next step is to focus on the changes required at the dnsmasq level (client side). I appreciate your suggestions regarding the CPAN modules, but I'm intending for this to function on small embedded devices (typically ~4MB flash), and getting Perl on there is quite unlikely.

miniperl and microperl are pretty small, although distributions for such routers may have crammed the flash nearly full already.

> Thanks,
>
> Sam
>
> On 8 August 2011 14:18, Ed W li...@wildgooses.com wrote:
>
>> On 07/08/2011 19:22, Sam Crawford wrote:
>>
>>> I also wish for the dnsmasq host to have some logic and act upon the response from the server (so the logic couldn't be entirely server-side). The server would return a set of TXT records (indicating the classifications of the domains) if it were classified, and NXDOMAIN otherwise. Based upon these classifications returned from the server and *local* configuration of the host running dnsmasq, the original client would then either be sent back the real response (from the ISP server) or an A record pointing at the dnsmasq host (which would also be running a small webserver with a static page, as you suggested).
>>
>> This basic problem is used a lot in mail blacklisting. I would suggest taking a look at the techniques used for rbldns and I think you will also find some example software which does very high speed lookups into massive rbl lists (if for example you want to benchmark alternative implementations to dnsmasq)
>>
>> Also if necessary you can use Perl (or something else) to create your own resolver which has the necessary logic (ie check here, if no response then check there)
>>
>> http://search.cpan.org/search?query=dnsmode=all
>>
>> Good luck - interested to hear how you solve this!
>>
>> Ed W
Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
On 15/08/2011 14:16, richardvo...@gmail.com wrote:

> On Mon, Aug 15, 2011 at 7:02 AM, Sam Crawford samcrawf...@gmail.com wrote:
>
>> Ed,
>>
>> Many thanks for the suggestion. You're quite right - my server-side idea was effectively re-inventing the wheel. I've ended up going with rbldnsd, which has been a breeze to set up for this task (even with millions of records) and no code changes were required.
>>
>> The next step is to focus on the changes required at the dnsmasq level (client side). I appreciate your suggestions regarding the CPAN modules, but I'm intending for this to function on small embedded devices (typically ~4MB flash), and getting Perl on there is quite unlikely.
>
> miniperl and microperl are pretty small, although distributions for such routers may have crammed the flash nearly full already.

I think if you want perl then you need perl. It's a nice idea, but with only 4MB you need to look at something more compact than perl

Interested to see where you go with dnsmasq?

Good luck

Ed W
Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
On 07/08/2011 19:22, Sam Crawford wrote:

> I also wish for the dnsmasq host to have some logic and act upon the response from the server (so the logic couldn't be entirely server-side). The server would return a set of TXT records (indicating the classifications of the domains) if it were classified, and NXDOMAIN otherwise. Based upon these classifications returned from the server and *local* configuration of the host running dnsmasq, the original client would then either be sent back the real response (from the ISP server) or an A record pointing at the dnsmasq host (which would also be running a small webserver with a static page, as you suggested).

This basic problem is used a lot in mail blacklisting. I would suggest taking a look at the techniques used for rbldns and I think you will also find some example software which does very high speed lookups into massive rbl lists (if for example you want to benchmark alternative implementations to dnsmasq)

Also if necessary you can use Perl (or something else) to create your own resolver which has the necessary logic (ie check here, if no response then check there)

http://search.cpan.org/search?query=dnsmode=all

Good luck - interested to hear how you solve this!

Ed W
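The decision described in the quoted message above (TXT classifications or NXDOMAIN from the list server, checked against local configuration), written out as an added example; it is not code from this thread or from dnsmasq. The zone name, the classification strings, the `fail_closed` switch for a failing list server, and the `<qname>.<zone>` lookup naming (the usual convention for name-based DNS lists) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum rcode { RC_NOERROR = 0, RC_SERVFAIL = 2, RC_NXDOMAIN = 3 };
enum verdict { PASS_REAL, SEND_SINKHOLE };

/* Build the lookup name "<qname>.<zone>" sent to the list server.
   Returns -1 if the result would not fit a DNS name (253 chars) or out. */
int rbl_qname(const char *qname, const char *zone, char *out, size_t outlen)
{
    size_t n = strlen(qname);
    if (n && qname[n - 1] == '.') n--;            /* drop trailing root dot */
    if (n == 0 || n + 1 + strlen(zone) > 253) return -1;
    int w = snprintf(out, outlen, "%.*s.%s", (int)n, qname, zone);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Pick the answer for the LAN client.
   txt[]     classifications from the TXT answer (none on NXDOMAIN)
   blocked[] classifications this host is locally configured to block */
enum verdict decide(enum rcode rc, const char *const *txt, size_t ntxt,
                    const char *const *blocked, size_t nblocked, int fail_closed)
{
    if (rc == RC_NXDOMAIN) return PASS_REAL;      /* domain is not classified */
    if (rc != RC_NOERROR)                         /* list server failed: policy */
        return fail_closed ? SEND_SINKHOLE : PASS_REAL;
    for (size_t i = 0; i < ntxt; i++)
        for (size_t j = 0; j < nblocked; j++)
            if (strcasecmp(txt[i], blocked[j]) == 0) return SEND_SINKHOLE;
    return PASS_REAL;                             /* classified, allowed here */
}

int main(void)
{
    /* Constructed sample data: zone and classifications are hypothetical. */
    const char *blocked[] = { "malware", "phishing" };
    const char *txt[] = { "news", "Malware" };
    char name[256];
    if (rbl_qname("www.example.com.", "block.example.net", name, sizeof name) == 0)
        printf("lookup %s TXT -> %s\n", name,
               decide(RC_NOERROR, txt, 2, blocked, 2, 0) == SEND_SINKHOLE
                   ? "sinkhole A record" : "real answer");
    return 0;
}
```

With `fail_closed` set to 0 an unreachable list server lets every name through; set to 1 it sinkholes every name until the server recovers.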
[Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
Afternoon,

I'm looking to selectively block certain domains using dnsmasq by rewriting responses. I realise this can already be done statically through config files, but I want this to be more dynamic and intend to operate a set of DNS servers that maintains a list of blocked domains (as this will be (a) a large list and (b) be used by numerous clients, so should be centrally managed).

So, I'm imagining the query flow would go a little like this:

1) Client in LAN makes A query for www.example.com to dnsmasq
2) dnsmasq forwards query to ISP-hosted resolver
3) dnsmasq receives response from ISP-hosted resolver
4) dnsmasq sends query to special DNS server to check for blocked status
5) dnsmasq receives response from special 'blocked' DNS server
6) If the query to the 'blocked' DNS server dnsmasq returns success (a certain magic number), then return the real response to the user (obtained in step 3), otherwise a spoofed address (e.g. localhost)

(Of course, I'd intend to introduce caching in steps 4/5 as dnsmasq does normally for its forwarding functionality).

A couple of questions arise:

1) Is this a sensible thing to be doing in dnsmasq? Is there something else that does it natively that I've overlooked?
2) Can anyone point me towards where I should start looking in the source to incorporate the changes?

Any advice would be greatly appreciated. I've searched the mailing list archives and couldn't find anything quite like this.

Thanks,

Sam
Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking
On Sun, Aug 07, 2011 at 03:05:25PM +0100, Sam Crawford wrote:

> I'm looking to selectively block certain domains using dnsmasq by rewriting responses. I realise this can already be done statically through config files, but I want this to be more dynamic and intend to operate a set of DNS servers that maintains a list of blocked

I think the thing to change in this grand scheme is what the set of DNS servers will return. They could be authoritative for blocked domains, and recursive for everything else. In that case no code hacks are necessary; you simply use these servers as the upstream servers for dnsmasq.

It's also possible to use dnsmasq in this upstream role, loading a list of blocked domains as a hosts file, SIGHUP (IIRC) when it changes.

> domains (as this will be (a) a large list and (b) be used by numerous clients, so should be centrally managed).
>
> So, I'm imagining the query flow would go a little like this:
>
> 1) Client in LAN makes A query for www.example.com to dnsmasq
> 2) dnsmasq forwards query to ISP-hosted resolver
> 3) dnsmasq receives response from ISP-hosted resolver
> 4) dnsmasq sends query to special DNS server to check for blocked status
> 5) dnsmasq receives response from special 'blocked' DNS server
> 6) If the query to the 'blocked' DNS server dnsmasq returns success (a certain magic number), then return the real response to the user (obtained in step 3), otherwise a spoofed address (e.g. localhost)

What RRtype would this magic number be? My idea also requires no protocol-level hacks.

Having done domain blocking before, I would recommend that the address returned for A query point to a special HTTP host with a page telling the user that the domain was blocked, and why. A simple static HTML page (which is also used as the 404 page) would suffice.

> (Of course, I'd intend to introduce caching in steps 4/5 as dnsmasq does normally for its forwarding functionality).
>
> A couple of questions arise:
>
> 1) Is this a sensible thing to be doing in dnsmasq? Is there something else that does it natively that I've overlooked?
> 2) Can anyone point me towards where I should start looking in the source to incorporate the changes?
>
> Any advice would be greatly appreciated. I've searched the mailing list archives and couldn't find anything quite like this.

DNS-level domain blocking is not a new idea. http://pgl.yoyo.org/as/ was helpful in my project back in '05 or so. OpenDNS implements a domain blocking feature as well. http://www.malwaredomains.com/ may also be of interest.

-- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header