[Dnsmasq-discuss] DNS whitelist
Albert ARIBAUD
albert.aribaud at free.fr
Wed Sep 3 09:34:09 BST 2014
Hi Craig,
Le Wed, 3 Sep 2014 16:32:31 +1000, Craig McQueen
<craig.mcqueen at beamcommunications.com> a écrit :
> I'd like to use dnsmasq to do a DNS whitelist. That is, I want to block
> almost all DNS queries, but allow domains in a small whitelist to be
> forwarded through to the upstream server (specified in the resolv file).
>
> I've seen people doing a whitelist with dnsmasq by:
> * Using 'no-resolv' option to block most DNS queries.
> * Using an explicit 'server' option to specify the DNS server for
> permitted domains.
>
> But that won't work for me, because I need to use the resolv file
> mechanism to get the upstream DNS server.
>
> Any suggestions?
If the upstream server is never hosted on localhost, then you could
build a two-stage chain:
1) a first dnsmasq instance which uses /etc/resolv.conf (and thus does
not filter requests), running on a nonstandard port and responding
only to requests from localhost;
2) a second dnsmasq instance, having 'no-resolv' and/or 'server'
options, and having the first instance as its upstream server.
You could probably mitigate the increased resource consumption by
fine-tuning the two instances' caches -- maybe even not caching at all
in the first instance as it basically only serves as a relay.
> Thanks,
> Craig McQueen
Amicalement,
--
Albert.
More information about the Dnsmasq-discuss
mailing list