I am figuring a way to whitelist which domains will resolve.

By 5 Robin Millette on July 15, 2007

The blacklist (/etc/hosts) ain't cutting it, I need something more drastic. DNS (and sysadmin) have never been my thing though, if you have any tips, please do share.

Why? Desperately trying to cut down on my internet usage. This is not a drill.

Discussion (12)

http://www.tapsellferrier.co.uk/nicferrier/

8 nic who disagreed, says

Use a local dns server such as dnsmasq.

They let you do all kinds of ns goodness.

about 1 year ago
=millette

5 Robin Millette who agreed, says

Been looking into dnsmasq, exactly. From what I could gather, I'm gonna have to write a nice little patch for it but I'm too sleepy for that at the moment. In a couple of hours, then. Or maybe there's an easier way I'm missing?

about 1 year ago
http://www.wizardwatson.com/

3 wizardwatson who hasn't voted, says

There is no escape Robin.

about 1 year ago
http://www.wizardwatson.com/

3 wizardwatson who hasn't voted, says

You have to cut the hard line. Moving in the quicksand only makes you sink further into it.

about 1 year ago
=millette

5 Robin Millette who agreed, says

I'm digging into the C source as we speak. (Well, I'm also simultaneously claiming and listening to Zimmermann on Zfone and falling asleep...)

about 1 year ago
http://hattifattener.livejournal.com/

2 Wim who hasn't voted, says

If you disable dns entirely then *only* the hosts in /etc/hosts will resolve. So, just put entries in there for the few hosts you want to connect to, using the correct addresses (instead of putting in incorrect addresses for hosts you don't want to connect to). There's your whitelist.

about 1 year ago
http://www.tapsellferrier.co.uk/nicferrier/

8 nic who disagreed, says

If you have dnsmasq then all you have to do is set the forwarder to something that doesn't resolve upstream and then add a server line for every DNS server you want to serve to a DNS server that does resolve upstream.

server=/jyte.com/10.0.0.2
server=/bbc.com/10.0.0.2

etc...

Setting the forwarders to something that doesn't resolve is left as an exercise for the reader.

about 1 year ago
=millette

5 Robin Millette who agreed, says

@Wim, marvellous! Why didn't I think of that!!

@Nic, that's blacklisting... but thanks for trying. I mentioned before that's what I was doing, but it's not been enough, evidently.

about 1 year ago
http://www.tapsellferrier.co.uk/nicferrier/

8 nic who disagreed, says

Ermmm... no it's not.

I think I just said the same as Wim... but mine was a dnsmasq method.

Using dnsmasq works better because it's intelligent about domains. So you could allow the whole of the BBC, say:

bbc.co.uk

because you read the news and the weather but not anything else.

about 1 year ago
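
An added example, not part of any comment in this thread and not dnsmasq's own code: it renders the server= allowlist nic describes and models the whole-label domain matching he refers to, so a list can be checked before it is deployed. The ALLOWED list and the helper names are constructed for illustration, 10.0.0.2 is the resolver address from nic's lines, and using no-resolv to leave dnsmasq without a default forwarder is an assumption about how to do the part nic left as an exercise.

```python
# Added example: allowlist-only resolution in the style of the thread's
# "server=/domain/ip" lines. Sample values below are constructed.
ALLOWED = ["jyte.com", "bbc.co.uk"]   # domains permitted to resolve
UPSTREAM = "10.0.0.2"                 # resolver that does resolve upstream

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()

def is_allowed(qname, allowed=ALLOWED):
    """True if qname is an allowed domain or a subdomain of one.

    Comparison is label by label from the right, so 'notbbc.co.uk' and
    'bbc.co.uk.example.net' do not match an entry for 'bbc.co.uk'.
    """
    q = normalize(qname).split(".")
    for dom in allowed:
        d = normalize(dom).split(".")
        if d == [""]:
            continue  # ignore blank entries rather than matching everything
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False

def render_conf(allowed=ALLOWED, upstream=UPSTREAM):
    """Build the dnsmasq configuration fragment for the allowlist.

    no-resolv stops dnsmasq reading /etc/resolv.conf, so only the
    per-domain server= lines below have an upstream to forward to.
    """
    domains = sorted({normalize(d) for d in allowed if normalize(d)})
    lines = ["no-resolv"]
    lines += [f"server=/{d}/{upstream}" for d in domains]
    return "\n".join(lines) + "\n"

def audit(queries, allowed=ALLOWED):
    """Split sample query names into those forwarded and those left unresolved."""
    forwarded = [q for q in queries if is_allowed(q, allowed)]
    blocked = [q for q in queries if not is_allowed(q, allowed)]
    return forwarded, blocked

if __name__ == "__main__":
    print(render_conf(), end="")
    print(audit(["news.bbc.co.uk", "notbbc.co.uk", "jyte.com", "example.org"]))
```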
=millette

5 Robin Millette who agreed, says

Hmm, I misread that. I got the same suggestion from Simon too, won't have to hack the code. My brain is fried today.

about 1 year ago
http://www.tapsellferrier.co.uk/nicferrier/

8 nic who disagreed, says

It's a lot more work though because to do the dnsmasq one you need three resolution sources.

1. dnsmasq itself, presumably on your local machine
2. a caching DNS that knows about your network but nothing else (for dnsmasq to use as a forwarder)
3. a DNS for the rest of your network that does know about everything else

I have a feeling that you may, with dnsmasq's help, be able to reduce this to two. It's a powerful little program.

about 1 year ago
http://wikitravel.org/en/User:Mark

3 Mark J who agreed, says

It's kind of tangential, but we're having to fool around with geo IP mapping at work.

about 1 year ago