hooking DNSMASQ requests

storkinsj

Occasional Visitor
Hi All,
This is a bit of a weird configuration and I am not sure if it can be done.

Goal:
-Part A: If a DNS request for a host matches a list of host names, pass request to upstream DNS server
-Part B: If it doesn't match one of those host names, I want to send it to a sink-hole

Part B is doable with the --address directive.
Part A I can't figure out. If a request gets to dnsmasq it will check its host table and if it's not in there, it will forward to upstream or use the --address default IP. The challenge is I know the hostnames, but need the upstream server to discover the IP address.

The only thing I can guess I can do is prefetch the IP addresses from the hosts in the whitelist from the upstream server and then push those into dnsmasq at runtime. The challenge is, in my environment those IP addresses can change. So ideally I would ALWAYS ask the upstream server for information related to those hosts.

I realize this is not a normal configuration so I appreciate the help. Please let me know if there is a better section of snbforums for this sort of question.

In effect, if I could be "called back" (hooked) for each DNS request and let the daemon know if the request should be serviced or not.

Thanks!

Set your default DNS to a dummy one. Then add forwarders with a valid upstream server for the domains you want to allow. If you're looking to do it for specific hosts and not a domain or subdomain, don't think that would work, never tried though.
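A worked dnsmasq allow-list along the lines of the reply above, as an added example that is not code from this thread: dnsmasq matches a name against its server=/address= entries most-specific-first, so a per-host server=/fqdn/upstream line overrides an address=/#/ catch-all, and the listed names are always forwarded upstream instead of being pinned to prefetched addresses. The upstream 10.0.0.53, the sinkhole 0.0.0.0 and the host names are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a dnsmasq config that
# forwards an allow-list of host names upstream and sinkholes all others.
# dnsmasq picks the most specific server=/address= match for a name, so
# server=/<fqdn>/ beats the address=/#/ catch-all. 10.0.0.53 (upstream),
# 0.0.0.0 (sinkhole) and the host names below are constructed sample values.

gen_allowlist_conf() {
    # $1 = upstream resolver, $2 = sinkhole address, remaining args = allowed FQDNs
    upstream=$1
    sink=$2
    shift 2
    echo "no-resolv"            # never pick up extra upstreams from /etc/resolv.conf
    echo "no-hosts"             # do not answer from the router's /etc/hosts
    echo "address=/#/$sink"     # default for every other name: answer with the sinkhole
    for h in "$@"; do
        case $h in
            ""|\#*|*/*) continue ;;   # skip blanks, commented-out entries and names
        esac                          # that would corrupt the /domain/ directive
        echo "server=/$h/$upstream"   # always ask upstream for this exact name
    done
}

# Number of names a generated config forwards upstream (sanity check for the list).
count_forwarded() {
    printf '%s\n' "$1" | grep -c '^server=/'
}

# Sample run: two live hosts plus one commented-out entry from a hand-edited list.
gen_allowlist_conf 10.0.0.53 0.0.0.0 fileserver.corp.lan printer1.corp.lan "#retired.corp.lan"
```

Names dnsmasq knows locally (its own DHCP lease names, and /etc/hosts unless no-hosts is set) are answered before this matching runs, so that local data still needs pruning for a strict allow-list.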
 
I wish I could do this by domain. It's all one domain. I'll just have a list of hosts.

Depending how many hosts it is, the firewall network services filter and/or parental controls might be able to do what you need. Won't block DNS but will block connectivity to anything not specified.
 
Thanks-
Yes I am focused on actual east-west/intranet traffic. So looking to block local host name resolution unless it's going to the blessed hosts. Of course in a guest network this is not an issue but assuming a network without perfect east/west firewalls configured. Really trying to hook DNS.

Maybe looking at having to write the resolver or use a more flexible system than dnsmasq, which tends to try to do many things (dhcp, tftp, pxe, etc etc)

unbound is available - have you considered using it vs. dnsmasq for DNS?
 
Will definitely have a look thank you!

DNSMASQ seems more like "busybox" than a focused dns server because of all that it does.

Thanks for the resource.

I consider dnsmasq similar to dropbear - very capable and a good complement to busybox...

In small footprint linux, they're the trifecta of network utils - add in hostapd and appropriate interfaces, and you have a router..

OK when you said "upstream" I assumed internet.

The URL Filter in the firewall does add rules to block DNS resolution for specific hosts (or allow it for only certain hosts) however it puts the rules in the FORWARD chain. My guess is the dns on the router would hit the INPUT chain instead. May be worth testing though.