
DNS search order...

nightowl

Golden Member
Is there a way in Linux or Unix to have a DNS server to search the hosts file before making a DNS query? Basically, what I want to do is have a list of sites in hosts file and when a DNS query is made for one of the listed sites the DNS server will return the answer that is in the hosts file rather than asking another DNS server for the answer.
 
I think that is the default setup for Linux. The first thing that it looks in is the /etc/hosts file. If you put 10.0.0.2 www.google.com in there, then when you try to ping....

Otherwise the order of DNS lookup is dictated by the /etc/resolv.conf file...
 
But the OP appears to be asking about the BIND server itself, not its clients. And I'm 99% sure that BIND will never touch /etc/hosts, but I can't find definite evidence for it right now. Doesn't really matter, though - you should be able to accomplish the same thing by moving those mappings out of /etc/hosts and into a zone file. BIND will answer from zones that it is (or believes itself to be) authoritative for before it queries other servers.
 
Yup, bind doesn't look at your hosts file, just make a zone for the domains you want it to answer for. A bit of a pain if it's a large list of domains though, I guess....
 
I was trying to get away from having to make a zone for the custom DNS entries by using the hosts file. If I do make a DNS zone, do I have to make a different zone for each different domain or can I dump everything into one zone? Basically what I am trying to make is a DNS server as a content filter, and any domain that I want to block I can make an entry in DNS or the hosts file with an address of 127.0.0.1 or some other null address. This way I can stay away from using a proxy server, but it is looking more and more like I will have to go that way.
 
Originally posted by: nightowl
If I do make a DNS zone, do I have to make a different zone for each different domain or can I dump everything into one zone? Basically what I am trying to make is a DNS server as a content filter, and any domain that I want to block I can make an entry in DNS or the hosts file with an address of 127.0.0.1 or some other null address.
Good content filtering will pretty much require something like Dan's Guardian with a proxy server - you'll want page analysis as well as DNS blacklisting, and DNS tricks alone won't get you that. If you're just trying to block a handful of specific sites (like P2P sites or similar), then the DNS route would be easier. I'd whip up a little script that would generate zone files from a text file list so that you can easily keep your info in one place.

Edit: D'oh, quoted it but didn't answer the question. Yes, each domain you want to filter will require a separate zone file.
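The "little script that would generate zone files from a text file list" suggested above, written out as an added example (it is not code from the thread or from BIND). It assumes one zone file per blocked domain, as the reply states, a sinkhole address of 127.0.0.1 as the original poster proposed, and an assumed zone directory of /etc/bind/blocked; the block list it parses is constructed inline. Each generated zone answers the apex name and, via a wildcard record, every subdomain, so a client that asks the sinkhole server for a blocked name never has the query forwarded upstream.

```python
"""Generate BIND sinkhole configuration from a plain-text block list.

Added example for the thread above, not code from BIND or the posters.
Assumptions: one zone file per blocked domain; all blocked names and their
subdomains answer with SINK_ADDR; zone files live under ZONE_DIR.
"""
import re

SINK_ADDR = "127.0.0.1"          # null address proposed in the thread
ZONE_DIR = "/etc/bind/blocked"   # assumed directory; adjust to your layout

# Constructed sample block list: one domain per line, '#' comments allowed.
SAMPLE_LIST = """
# example block list (constructed for this example)
ads.example.net
tracker.example.org
Bad.Example.COM   # mixed case and a trailing comment
not a domain!
ads.example.net   # duplicate, should be emitted once
"""

# Conservative hostname syntax check; malformed lines are skipped rather than
# turned into a zone stanza that would make named refuse to load.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_block_list(text):
    """Return unique, lowercase, syntactically valid domains in file order."""
    seen, domains = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or line in seen or not DOMAIN_RE.match(line):
            continue
        seen.add(line)
        domains.append(line)
    return domains


def zone_file(domain, sink=SINK_ADDR, serial=1):
    """Minimal authoritative zone: SOA, NS, apex A record and a wildcard A record.

    The short TTL keeps clients from caching a block for long after a domain
    is removed from the list.
    """
    return (
        "$TTL 300\n"
        f"$ORIGIN {domain}.\n"
        f"@   IN SOA  localhost. hostmaster.localhost. ({serial} 3600 900 604800 300)\n"
        "@   IN NS   localhost.\n"
        f"@   IN A    {sink}\n"
        f"*   IN A    {sink}\n"
    )


def named_conf_stanza(domain, zone_dir=ZONE_DIR):
    """named.conf zone clause pointing at the generated file for one domain."""
    return (
        f'zone "{domain}" {{\n'
        "    type master;\n"
        f'    file "{zone_dir}/{domain}.zone";\n'
        "};\n"
    )


def build_sinkhole(text):
    """Return (named.conf fragment, {zone filename: zone contents}) for a block list."""
    domains = parse_block_list(text)
    conf = "".join(named_conf_stanza(d) for d in domains)
    files = {f"{d}.zone": zone_file(d) for d in domains}
    return conf, files


if __name__ == "__main__":
    conf, files = build_sinkhole(SAMPLE_LIST)
    print(conf)
    for name, body in files.items():
        print(f"--- {name}")
        print(body)
```

Include the printed fragment from named.conf and write each zone file into the zone directory, then reload named. Two practical notes: the sinkhole only helps for clients that actually use this server as their resolver, so it is not a substitute for the page-analysis filtering discussed later in the thread; and because the generated zone files contain only relative names, the same file could be shared by every stanza instead of writing one file per domain, at the cost of not being able to unblock a single subdomain.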
 
I have looked at DansGuardian and I will probably have to go with that or something like it. I was using the blacklist provided by Dans as the basis of the sites that I wanted to block. I was just hoping to get away from having to use a proxy server.
 
But what makes Dans Guardian good is precisely that it goes beyond blacklisting by analyzing pages for restricted content. If you're at all serious about content filtering, the blacklist is not going to be enough. FWIW, Dans Guardian appears to do a pretty darn good job of filtering - better than the commercial offerings I've tested. It's worth setting up the proxy for.
 
If you are trying to use Rogue DNS as a kind of content filter, consider putting in a second DNS server with all the rogue entries you need. Leave your primary DNS server "clean", but have it forward to the rogue server. I would suppose instead of hijacking the entire domain you could always use ALIAS CNAME records. E.g., when someone tries to go to www.match.com, you have that as an alias for an internal warning web page. ("Get back to work and do your f*cking dating at home on your own time") 🙂

 
The replies discuss a way of avoiding the initial issue entirely. I posted my reply in case the OP wanted to stay with his original plan and didn't want to run a separate DNS server.
 