[Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking

/dev/rob0 rob0 at gmx.co.uk
Sun Aug 7 18:22:20 BST 2011

On Sun, Aug 07, 2011 at 03:05:25PM +0100, Sam Crawford wrote:
> I'm looking to selectively block certain domains using dnsmasq by 
> rewriting responses. I realise this can already be done statically 
> through config files, but I want this to be more dynamic and intend 
> to operate a set of DNS servers that maintains a list of blocked

I think the thing to change in this grand scheme is what the set of 
DNS servers will return. They could be authoritative for blocked 
domains, and recursive for everything else. In that case no code 
hacks are necessary; you simply use these servers as the upstream 
servers for dnsmasq.

It's also possible to use dnsmasq in this upstream role, loading 
a list of blocked domains as a hosts file, SIGHUP (IIRC) when it 

> domains (as this will be (a) a large list and (b) be used by 
> numerous clients, so should be centrally managed). So, I'm imaging 
> the query flow would go a little like this:
> 1) Client in LAN makes A query for www.example.com to dnsmasq
> 2) dnsmasq forwards query to ISP-hosted resolver
> 3) dnsmasq receives response from ISP-hosted resolver
> 4) dnsmasq sends query to special DNS server to check for blocked status
> 5) dnsmasq receives response from special 'blocked' DNS server
> 6) If the query to the 'blocked' DNS server dnsmasq returns success (a
> certain magic number), then return the real response to the user
> (obtained in step 3), otherwise a spoofed address (e.g. localhost)

What RRtype would this "magic number" be? My idea also requires no 
protocol-level hacks.

Having done domain blocking before, I would recommend that the 
address returned for "A" query point to a special HTTP host with a 
page telling the user that the domain was blocked, and why. A simple 
static HTML page (which is also used as the 404 page) would suffice.

> (Of course, I'd intend to introduce caching in steps 4/5 as
> dnsmasq does normally for its forwarding functionality).
> A couple of questions arise:
> 1) Is this a sensible thing to be doing in dnsmasq? Is there 
> something else that does it natively that I've overlooked?
> 2) Can anyone point me towards where I should start looking in
> the source to incorporate the changes?
> Any advice would be greatly appreciated. I've searched the mailing
> list archives and couldn't find anything quite like this.

DNS-level domain blocking is not a new idea. http://pgl.yoyo.org/as/ 
was helpful in my project back in '05 or so. OpenDNS implements a 
domain blocking feature as well. http://www.malwaredomains.com/ may 
also be of interest.
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

More information about the Dnsmasq-discuss mailing list