[Dnsmasq-discuss] DNS whitelist

Albert ARIBAUD albert.aribaud at free.fr
Wed Sep 3 09:34:09 BST 2014


Hi Craig,

On Wed, 3 Sep 2014 16:32:31 +1000, Craig McQueen
<craig.mcqueen at beamcommunications.com> wrote:

> I'd like to use dnsmasq to do a DNS whitelist. That is, I want to block 
> almost all DNS queries, but allow domains in a small whitelist to be 
> forwarded through to the upstream server (specified in the resolv file).
> 
> I've seen people doing a whitelist with dnsmasq by:
> * Using 'no-resolv' option to block most DNS queries.
> * Using an explicit 'server' option to specify the DNS server for 
> permitted domains.
> 
> But that won't work for me, because I need to use the resolv file 
> mechanism to get the upstream DNS server.
> 
> Any suggestions?

If the upstream server is never hosted on localhost, then you could
build a two-stage chain:

1) a first dnsmasq instance which uses /etc/resolv.conf (and thus does
not filter requests), running on a nonstandard port and responding
only to requests from localhost;

2) a second dnsmasq instance, having 'no-resolv' and/or 'server'
options, and having the first instance as its upstream server.

You could probably mitigate the increased resource consumption by
fine-tuning the two instances' caches -- maybe even not caching at all
in the first instance as it basically only serves as a relay.

> Thanks,
> Craig McQueen

Kind regards,
-- 
Albert.
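The two-stage chain described in the reply above, written out as the two dnsmasq configuration files it needs. This is an added example, not configuration from the thread or from the dnsmasq project; the relay port 5353, the whitelist domains and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate stage1.conf (plain relay) and stage2.conf (filter)
# for the two-instance dnsmasq whitelist chain. Port 5353 and the domains are
# assumed values, not taken from the original post.
set -eu

write_chain_configs() {
    dir="$1"; shift          # directory for stage1.conf and stage2.conf
    relay_port=5353          # assumed nonstandard port for the relay instance
    mkdir -p "$dir"

    # Stage 1: the relay. Reads /etc/resolv.conf, listens only on loopback
    # on the nonstandard port, and keeps no cache of its own.
    cat > "$dir/stage1.conf" <<EOF
port=$relay_port
listen-address=127.0.0.1
bind-interfaces
resolv-file=/etc/resolv.conf
cache-size=0
EOF

    # Stage 2: the filter. no-resolv removes every upstream taken from the
    # resolv file, so only the domains given with server= are forwarded (to
    # stage 1); any other name has no upstream and gets no answer.
    {
        echo "port=53"
        echo "no-resolv"
        for domain in "$@"; do
            echo "server=/$domain/127.0.0.1#$relay_port"
        done
    } > "$dir/stage2.conf"
}

# Sanity check: the domain is routed to the relay, stage 2 has no catch-all
# upstream (a server= line without a /domain/ prefix), and stage 1 is bound
# to loopback only. Returns 0 when all conditions hold.
chain_config_ok() {
    dir="$1"; domain="$2"
    grep -q '^no-resolv$' "$dir/stage2.conf" || return 1
    grep -q "^server=/$domain/127.0.0.1#5353$" "$dir/stage2.conf" || return 1
    ! grep -q '^server=[^/]' "$dir/stage2.conf" || return 1
    grep -q '^listen-address=127.0.0.1$' "$dir/stage1.conf" || return 1
}

out_dir=$(mktemp -d)     # constructed output location for this run
write_chain_configs "$out_dir" example.com example.net
echo "configs written to $out_dir"
# Start the chain with: dnsmasq --conf-file=$out_dir/stage1.conf
#                       dnsmasq --conf-file=$out_dir/stage2.conf
```

Note that stage 1 must never point back at 127.0.0.1 through /etc/resolv.conf, otherwise the two instances forward to each other in a loop.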
