[NCLUG] filtering DNS proxy ?
Michael Milligan
milli at acmeps.com
Thu Aug 16 20:47:19 MDT 2007
Bob Proulx wrote:
> Gabriel Somlo wrote:
>
>>I'm looking for a DNS proxy that would match requests against some
>>set of rules, and either
>> - forward the request to a *real* recursive DNS server, or
>> - return a "fake" response based on the rule matched, or
>
>
> Depending upon what you want to do you could set up a zone master or
> slave and then if the server knew the answer it would answer it or if
> not then it would forward it.
>
> Also I think that for what you are asking that "stub zones" could be
> used.
Probably not, depending on the scope. Stub zones are a "compact" way of
being a slave, but not pulling down the entire zone contents from the
master, just the NS and SOA records. They are generally only useful in
a couple of scenarios... in combination with global forwarding where you
need to side-step the forwarding (needed behind firewalls) and
"jump-start" iterative resolution at some point down from the top of the
name space tree (e.g., at company.com level, perhaps inside another
company), or where you are otherwise making a hidden name space "pop-up"
on 10s or 100s of name servers internal to a company where making them
full slave would just kill the master, or require a multi-tier zone
transfer configuration (can you say "brittle"?).
>
>
>> - drop the request on the floor, return some sort of error, etc.
>>depending on the target of the rule.
>
>
> This I don't know. Perhaps with split dns views. Or perhaps in
> conjunction with linux kernel netfilter iptables rules.
I suppose a custom U32 filter rule would work. Might take some work to
decode the application-level (DNS) payloads and create a rule, or rules,
that match on the right fields.
Regards,
Mike
--
Michael Milligan -> milli at acmeps.com
Acme Professional Services LLC 970-581-9948
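To make the original question concrete, here is a minimal filtering DNS proxy written for this reply as an added example (it is not code from the thread or from any of the posters). It parses the question section of a raw UDP DNS message, matches the query name against a constructed rule table, and either forwards the query unchanged, answers it with a "fake" A record (a sinkhole address), returns REFUSED, or drops it silently. The rule table, the listening port 5353 and the upstream address 192.0.2.53 are all placeholders chosen for the example; the forwarder is passed in as a callable so the matching logic can be exercised without a network.

```python
import socket
import struct

# Rule actions; a query that matches no rule is forwarded to the real resolver.
FORWARD, FAKE, DROP, REFUSE = "forward", "fake", "drop", "refuse"
RCODE_NOERROR, RCODE_REFUSED = 0, 5

# Constructed rule table (example assumption): name suffix -> (action, data).
RULES = [
    ("malware.example", FAKE, "127.0.0.1"),   # sinkhole: answer with a harmless address
    ("tracker.example", REFUSE, None),        # answer with RCODE=REFUSED
    ("blocked.example", DROP, None),          # no answer at all
]

def build_query(txid, qname, qtype=1):
    """Build a standard recursive query (used for demos and tests)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, qname, qtype, qclass, end_of_question) for the first question."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compressed label in question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, pos + 4

def match_rule(qname):
    """First rule whose suffix matches the name wins; default is to forward."""
    for suffix, action, data in RULES:
        if qname == suffix or qname.endswith("." + suffix):
            return action, data
    return FORWARD, None

def build_response(msg, qend, rcode, a_record=None):
    """Echo the question back with QR/RD/RA set and optionally one A record (TTL 60)."""
    flags = 0x8180 | rcode
    header = msg[:2] + struct.pack("!HHHHH", flags, 1, 1 if a_record else 0, 0, 0)
    body = msg[12:qend]
    if a_record:
        rdata = bytes(int(o) for o in a_record.split("."))
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata  # 0xC00C points at the question name
    return header + body

def handle(msg, forward):
    """Apply the rules to one raw query; return the response bytes or None to drop."""
    try:
        _txid, qname, qtype, qclass, qend = parse_question(msg)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return None  # malformed query: drop rather than guess
    action, data = match_rule(qname)
    if action == DROP:
        return None
    if action == REFUSE:
        return build_response(msg, qend, RCODE_REFUSED)
    if action == FAKE:
        if qtype == 1 and qclass == 1:
            return build_response(msg, qend, RCODE_NOERROR, data)
        return build_response(msg, qend, RCODE_NOERROR)  # NOERROR with no data for other types
    return forward(msg)

def response_summary(resp):
    """Return (txid, rcode, ip-or-None) from a response built by this proxy."""
    txid, flags, _qd, an = struct.unpack("!HHHH", resp[:8])
    ip = ".".join(str(b) for b in resp[-4:]) if an else None
    return txid, flags & 0xF, ip

def serve(listen=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """UDP loop; upstream is a placeholder address, replace with a real resolver."""
    def forward(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
            up.settimeout(2)
            up.sendto(query, upstream)
            return up.recv(512)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            msg, client = sock.recvfrom(512)
            try:
                resp = handle(msg, forward)
            except OSError:   # upstream timeout or unreachable: drop the query
                resp = None
            if resp is not None:
                sock.sendto(resp, client)

if __name__ == "__main__":
    serve()
```

Run it and point `dig @127.0.0.1 -p 5353 www.malware.example` at it to see the sinkhole answer; a forwarded name is relayed byte-for-byte, so the transaction ID and question in the upstream reply line up with the client's query. The answer carries a TTL of 60 seconds so that a rule change takes effect quickly on the clients.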