[Dnsmasq-discuss] using dnsmasq to restrict dns resolution to only certain domains
richardvoigt at gmail.com
richardvoigt at gmail.com
Wed Jul 1 13:45:45 BST 2009
On Tue, Jun 30, 2009 at 11:04 PM, Mandeep
Sandhu<mandeepsandhu.chd at gmail.com> wrote:
>>> Here's my requirement:
>>>
>>> * I have a small device with to communication interfaces - lets call
>>> them if1 and if2.
>>> * if1 is connected to say a PC and if2 is connected to a dsl modem/router.
>>> * I want that the PC host, when using this device, should connect to
>>> only 1 server on the internet (say myserver.net).
>>> * The PC cannot use IP addresses directly as IP routing between the 2
>>> interfaces on the device is disabled.
>>
>> If routing is disabled, then you've got a proxy, right? You won't
>> need to provide any DNS service to clients at all, because they
>> wouldn't be able to use the IP addresses they got back. And the proxy
>> implementation can easily filter or redirect based on hostname or any
>> other part of the URL.
>
> Well you're right...but there's a catch! The client on the PC does NOT have
> proxy support!! :(
>
> So I thought, I'll put a tiny webserver on my device. Clients on the PC can
> request for only say myserver.com...and this gets resolved to the device's
> IP address (on if1) (the device has dnsmasq running on if1). The client can
> then request for services only from this webserver.
>
> I also don't want the client s/w to change when, say the PC gets
> direct connectivity
> to the net w/o my device attached (it's directly connected to a DSL
> modem/router).
>
> In that case, dns requests for myserver.com will be resolved by some public
> (or ISPs) DNS server, which would point to my server on the internet!
> Thats why I wanted to prevent any DNS lookups for domains other than
> myserver.com
You could always not configure dnsmasq with any valid upstream
nameservers. It reads /etc/resolv.conf by default but you can change
that.
You could instead use iptables to rewrite all http connections as
connections to your local server, then any address the client uses
will hit your server. Depends on whether the user can open a browser
or you're only interested in making a specific custom application
work.
>
> Does this make sense?
>
> Thanks,
> -mandeep
>
>>
>>> * If the PC tries to resolve any other public server, it should fail
>>> (something like how we force a dns resolution with the "address="
>>> directive).
>>>
>>> Please pardon me if this sounds crazy! :)
>>>
>>> Any helps really appreciated.
>>>
>>> Thanks,
>>> -mandeep
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>
>
More information about the Dnsmasq-discuss
mailing list