Koozali.org: home of the SME Server

DNS override entries for caching server, OR prevent some domains resolving

Offline FreakWent

Hi!

What if you want to redirect a called name to another host for some reason; there are a number of various use cases when we might want to block access to various web resources.  Perhaps we want to stop spyware calling out, or block skype, or, for any reason, control the responses that the SME server gives to the clients.

Perhaps I'm testing a website under development while the domain resolves to the current production site -- but it's a vhost so the browser has to make the call with the right domain in the URL.

Perhaps I'm doing some kind of malware dissection or even abusing the privacy and intercepting and/or altering the traffic that others trustingly send over my LAN.  Whatever the reason, the DNS system should be under the control of 'root'.

This is ordinarily done for single clients using the hosts file, but I have over a dozen devices -- managing hosts files across multiple machines and OSes can be annoying; that's what DNS was invented for!

Note that I can do this very easily using bind; but I don't know how using dnscache/tinydns.

This has been asked for here before:

http://forums.contribs.org/index.php?topic=44713.0

There's a bug here:

http://bugs.contribs.org/show_bug.cgi?id=5462

However, overall, the question has remained unanswered.  Only challenges about the reasons arise when people ask how to do these things.

Someone associated with the project knows exactly how to do this.  Perhaps those people don't read the forums, I don't know.  SME Server has always surprised me with its gap between the technical complexity and obvious talent visible in the product on one hand, and the generally defensive responses found on the forums to technical questions of all kinds.

Also note--I'll settle if I have to for SME Server refusing to resolve some domains.

Anyway, if someone does know how to do this, please let me know.  At the moment I don't even know if it's tinydns or dnscache that I should be looking at, or if they're the same thing.

Thanks in advance!

Note: It might of course be impossible, or at least hard.  It's not designed in as a feature:

"a new recursive resolver that applies strict security rules about how who it queries, and what parts of the answers it will use. Thus was born dnscache. It is _only_ a recursive resolver; unlike BIND it never returns authoritative data, and it never returns data that was not retrieved directly from an authoritative nameserver, whose authority it had proven by tracing the chain of NS delegations from its configured roots."

« Last Edit: February 08, 2012, 12:33:07 PM by FreakWent »

Offline mmccarn

Re: DNS override entries for caching server, OR prevent some domains resolving
« Reply #1 on: February 09, 2012, 02:18:54 PM »
Does this do what you want?
db domains set <domain-to-block> domain-remote Nameservers localhost
db domains set <domain-to-fwd> domain-remote Nameservers <DNS_Server_IP>
sv t dnscache

The 'domain-remote' record type in the domains db appears to be accessed in /var/service/dnscache/run but nowhere else (I get no results from "grep -ril domain-remote /etc/e-smith/templates/*" or "grep -ril domain-remote /etc/e-smith/events/* 2>/dev/null"), so I think the above command simply adds the requested entry to the running dnscache configuration and has no other configuration side-effects.

If you specify 'localhost' as the nameserver but don't have the domain defined in tinydns, your query will eventually time out.


Testing:
On SME Server:
db domains set google.com domain-remote Nameservers localhost
sv t dnscache

On LAN workstation:
nslookup google.com --> fails with timeout

On SME Server:
db domains setprop google.com Nameservers 4.2.2.1
sv t dnscache

On LAN workstation:
nslookup google.com --> succeeds
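Added example, not code from the thread or from SME Server itself: a small script that applies a whole list of overrides with the db/sv commands shown in the reply above, validates every entry before touching the domains db, and restarts dnscache once at the end instead of per domain. The list-file format, the function names and the dig-based client check are this example's own assumptions.

```shell
#!/bin/sh
# Batch DNS overrides for SME Server dnscache (added example).
# Assumes the SME 'db' and 'sv' commands named in the thread; DB/SV can be
# overridden in the environment for dry runs. List file format (assumed):
# one "<domain> <nameserver>" per line, '#' comments and blank lines ignored.
# 'localhost' sinkholes the name (the query times out, as noted above);
# an IPv4 address forwards the domain to that resolver instead.

# Accept only plain hostnames: dot-separated labels of [A-Za-z0-9-].
valid_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Accept 'localhost' or a dotted-quad IPv4 address as the override target.
valid_target() {
    [ "$1" = "localhost" ] && return 0
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The db command that apply_overrides runs for one entry.
override_cmd() {
    printf 'db domains set %s domain-remote Nameservers %s\n' "$1" "$2"
}

# Validate the whole list first (return 1 on any bad line, changing nothing),
# then write every entry to the domains db and restart dnscache once.
apply_overrides() {
    list="$1"
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r dom ns _; do
        valid_domain "$dom" && valid_target "$ns" ||
            { echo "rejected line: $dom $ns" >&2; exit 1; }
    done || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r dom ns _; do
        "${DB:-db}" domains set "$dom" domain-remote Nameservers "$ns"
    done
    "${SV:-sv}" t dnscache
}

# Run from a LAN client (needs dig): a sinkholed name should produce no
# answer within the short timeout, a forwarded one should resolve.
# Usage: check_override <sme-server-ip> <domain>
check_override() {
    dig +time=2 +tries=1 +short @"$1" "$2" A
}
```

Use `DB=echo SV=echo` in the environment to print the commands instead of running them.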