[Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking

Sam Crawford samcrawford at gmail.com
Sun Aug 7 15:05:25 BST 2011


Afternoon,

I'm looking to selectively block certain domains using dnsmasq by
rewriting responses. I realise this can already be done statically
through config files, but I want this to be more dynamic and intend to
operate a set of DNS servers that maintains a list of blocked domains
(as this will (a) be a large list and (b) be used by numerous clients,
so should be centrally managed). So, I'm imagining the query flow would
go a little like this:

1) Client in LAN makes A query for www.example.com to dnsmasq
2) dnsmasq forwards query to ISP-hosted resolver
3) dnsmasq receives response from ISP-hosted resolver
4) dnsmasq sends query to special DNS server to check for blocked status
5) dnsmasq receives response from special 'blocked' DNS server
6) If the query to the 'blocked' DNS server returns success (a
certain magic number), then return the real response to the user
(obtained in step 3), otherwise a spoofed address (e.g. localhost)

(Of course, I'd intend to introduce caching in steps 4/5 as dnsmasq
does normally for its forwarding functionality).

A couple of questions arise:

1) Is this a sensible thing to be doing in dnsmasq? Is there something
else that does it natively that I've overlooked?
2) Can anyone point me towards where I should start looking in the
source to incorporate the changes?

Any advice would be greatly appreciated. I've searched the mailing
list archives and couldn't find anything quite like this.

Thanks,

Sam
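The six-step flow above, worked through as an added example that is not part of Sam's post and not dnsmasq code: a small Python forwarder that builds and parses DNS wire-format A queries, asks a constructed "real" resolver and a constructed block-check server, caches the block-check verdict per name using the TTL of the check response, and rewrites the answer to a spoof address when the check does not return the magic marker. The magic "allowed" address (127.0.0.254), the spoof address (127.0.0.1), the 60-second cache for negative check answers and both fake servers are assumptions chosen for the example, not anything dnsmasq or the post specifies.

```python
import struct
import random

MAGIC_ALLOWED = "127.0.0.254"   # assumption: block server answers this A record for "not blocked"
SPOOF_ADDR = "127.0.0.1"        # assumption: spoofed answer for blocked names (step 6)
NEGATIVE_TTL = 60               # assumption: how long a check answer with no A record is cached


def build_query(name, qtype=1, txid=None):
    """Build a standard recursive A query (RD set) in DNS wire format."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query, addresses, ttl, rcode=0):
    """Answer a query with the given IPv4 addresses, keeping its transaction id and question."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b""
    for ip in addresses:  # name is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answers


def parse_qname(msg):
    """Return the dotted question name of a query (first question only)."""
    labels, off = [], 12
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return (rcode, [(ipv4, ttl), ...]) for the A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    records = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((".".join(str(b) for b in rdata), ttl))
    return flags & 0xF, records


class BlockingForwarder:
    """Steps 1-6 of the post: forward upstream, consult the block server, rewrite if not allowed."""

    def __init__(self, upstream, blockcheck, magic=MAGIC_ALLOWED, spoof=SPOOF_ADDR):
        self.upstream, self.blockcheck, self.magic, self.spoof = upstream, blockcheck, magic, spoof
        self.cache = {}          # name -> (blocked, expiry time); the caching from steps 4/5
        self.block_queries = 0   # how many times the block server was actually asked

    def _is_blocked(self, name, now):
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0]
        self.block_queries += 1
        rcode, records = parse_a_records(self.blockcheck(build_query(name)))
        # Only the magic marker means "allowed"; NXDOMAIN, empty or any other answer blocks.
        allowed = rcode == 0 and any(ip == self.magic for ip, _ in records)
        ttl = min((t for _, t in records), default=NEGATIVE_TTL)
        self.cache[name] = (not allowed, now + ttl)
        return not allowed

    def resolve(self, name, now):
        query = build_query(name)
        real = self.upstream(query)                 # steps 2-3: real answer from the ISP resolver
        if not self._is_blocked(name, now):         # steps 4-5: check (cached) block status
            return real
        _, records = parse_a_records(real)
        ttl = min((t for _, t in records), default=NEGATIVE_TTL)
        return build_response(query, [self.spoof], ttl)   # step 6: spoofed answer, same txid


# Constructed stand-ins for the two servers, so the example runs offline.
BLOCKLIST = {"ads.example.net"}


def fake_isp_resolver(query):
    return build_response(query, ["93.184.216.34"], ttl=300)


def fake_block_server(query):
    if parse_qname(query) in BLOCKLIST:
        return build_response(query, [], ttl=0, rcode=3)   # NXDOMAIN: no magic marker => blocked
    return build_response(query, [MAGIC_ALLOWED], ttl=120)


if __name__ == "__main__":
    fwd = BlockingForwarder(fake_isp_resolver, fake_block_server)
    for qname in ("www.example.com", "ads.example.net"):
        print(qname, parse_a_records(fwd.resolve(qname, now=1000)))
```

Because `resolve` keeps the upstream's transaction id and question section when it rewrites, the client sees a normal-looking answer; the only signal that filtering happened is the spoofed address, which is why a fixed sinkhole address is easy to alert on in client-side logs. Note that the post's rule treats anything other than the magic marker as "blocked", so an unreachable block server fails closed; passing `now` explicitly makes the TTL cache testable without sleeping.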
