I use dnsmasq as a whitelist on my network. My dnsmasq.conf file looks like this:

bogus-priv
domain-needed
no-resolv

server=/stackexchange.com/8.8.8.8
#etc...

I would like to be able to block a subdomain, for example:

server=/meta.stackexchange.com/0.0.0.0

I also tried:

address=/meta.stackexchange.com/0.0.0.0

And for both I tried substituting 127.0.0.1 for 0.0.0.0.

Unfortunately this doesn't seem to work. How can I block a specific subdomain while allowing the rest of the domain in the config file?

Big McLargeHuge

3 Answers

6

With dnsmasq this actually works:

address=/meta.stackexchange.com/127.0.0.1

Did you restart dnsmasq after the change?

For details on setting up dnsmasq see this one.


Note: As others pointed out, for this you could just use /etc/hosts:

127.0.0.1    meta.stackexchange.com
lemonsqueeze
  • To actually block the site you should omit the IP address part: `address=/example.com/` This will cause dnsmasq to return NXDOMAIN as if the domain didn't exist. – Calmarius Apr 21 '18 at 09:57
  • I have downvoted this answer because it will leak IPv6 queries ([example](https://unix.stackexchange.com/a/648264/58393)). – basic6 May 05 '21 at 16:31
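To make the precedence concrete, here is an added example (not from the question or any answer) that parses a constructed dnsmasq-style whitelist and, for a queried name, applies dnsmasq's rule that the most specific matching domain wins, so a bare `address=/meta.stackexchange.com/` sink overrides the parent `server=/stackexchange.com/8.8.8.8` forward. It models only `server=`/`address=` lines, assumes no /etc/hosts entries for the names, and never talks to a real dnsmasq.

```python
# Constructed dnsmasq.conf fragment in the question's whitelist style
# (an illustration, not the asker's real file).
DNSMASQ_CONF = """
bogus-priv
domain-needed
no-resolv
server=/stackexchange.com/8.8.8.8
address=/meta.stackexchange.com/
address=/chat.stackexchange.com/127.0.0.1
"""


def parse_rules(conf):
    """Collect (domain, kind, target) from server=/address= lines."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("server", "address") or not value.startswith("/"):
            continue
        parts = value.split("/")        # "/a/b/target" -> ["", "a", "b", "target"]
        domains, target = parts[1:-1], parts[-1]
        for domain in domains:
            if target:
                kind = "forward" if key == "server" else "answer"
            else:
                # server=/dom/ and address=/dom/ both stop forwarding; with no
                # hosts entry for the name the reply is NXDOMAIN.
                kind = "nxdomain"
            rules.append((domain.lower(), kind, target))
    return rules


def covers(domain, qname):
    """A rule for 'dom' applies to 'dom' itself and to every name below it."""
    return qname == domain or qname.endswith("." + domain)


def decide(rules, qname):
    """Return (action, target): the longest matching domain wins; with
    no-resolv and no matching rule, dnsmasq has no upstream to ask."""
    qname = qname.lower().rstrip(".")
    best = None
    for domain, kind, target in rules:
        if covers(domain, qname) and (best is None or len(domain) > len(best[0])):
            best = (domain, kind, target)
    return ("no-upstream", "") if best is None else (best[1], best[2])
```

Run `decide(parse_rules(DNSMASQ_CONF), "meta.stackexchange.com")` to see the sink win over the parent forward; `dig @<your-dnsmasq> meta.stackexchange.com` against a real instance should then show NXDOMAIN.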
5

Please do not hijack the DNS. This interferes with the low-level architecture of the Internet. There are nearly no ethical applications of DNS hijacking that would not be better served by a firewall appliance or program.

If you want to prevent the resolution of a zone to an address, you can easily edit the client hosts file.

While dnsmasq is capable of serving the type of 'spoofed' DNS results you describe, the dnsmasq server can easily be circumvented by an end-user or malicious attacker accessing the client host. This type of DNS hijacking is therefore nearly incapable of providing any benefit to security.

Again, a properly configured firewall appliance would likely serve you much better if the goal is blocking clients from accessing malicious or untrusted remote hosts unintentionally. A trendy solution is OpenWRT on a Raspberry Pi, as described in this article.

taddy hoops
  • +1 for L7 filtering with netfilter – Marcel May 28 '14 at 16:51
  • Editing clients' host files in this case is not possible/practical. How could the server be circumvented by an end user or a malicious attacker? As for using iptables/netfilter, I've looked into that in the past and the problem has always been using domain names in firewall rules - which are resolved at start up and subject to change. I do have an iptables rule to drop DNS queries though. – Big McLargeHuge May 29 '14 at 23:27
  • It is unfortunate that this received the bounty automatically, even though it didn't answer the question. – Big McLargeHuge Jun 02 '14 at 19:05
  • Mmh, these are gold rules if the DNS server is public, on the Internet. If Dave is managing an internal server, their LAN is like my garden, with my policies, my reasons, my priorities. I think the question is legitimate as is. – Massimo Aug 17 '16 at 15:56
  • The question is certainly legitimate, and so is the position that configuring dnsmasq to lie is more likely a nuisance unless the firewall is already blocking DNS queries to the internet. Suppose I have a firewall that blocks DNS packets from outside the local network; unless my firewall also blocks unknown protocols and encrypted traffic, you can just VPN out. A dynamic firewall is more effective: look up the IP addresses that the domain name resolves to and then drop all traffic. Making dnsmasq lie is certainly advantageous if you're going to ARP spoof and try to session hijack. – taddy hoops Aug 22 '17 at 19:23
  • @insig This approach does not work when you want to block a security-averse application such as TeamViewer. Blocking DNS queries to the Internet is easy. Blocking outbound port 443 is not an option. Unknown protocols and encrypted traffic are not a big concern in my case. – UncleCarl Jan 27 '20 at 23:05
1

You can block a website with host record:

host-record=meta.stackexchange.com,127.0.0.1

or a cname:

cname=meta.stackexchange.com,blackhole.com

But really both of these are pretty ineffective ways to block a website. I could go to my /etc/hosts file and fix the issue.

drs
Jonathan S. Fisher
  • "I could go to my /etc/hosts file and fix the issue." You'd have to get the IP address first, which you wouldn't be able to on this network. – Big McLargeHuge May 29 '14 at 15:14
  • Not quite... `nslookup meta.stackexchange.com 8.8.8.8` will bypass your default DNS server. – Jonathan S. Fisher May 29 '14 at 18:49
  • Ah, I forgot to mention. I have an iptables rule to drop DNS queries. – Big McLargeHuge May 29 '14 at 23:26
  • Neither of these work. cname because `There are significant limitations on the target; it must be a DNS name which is known to dnsmasq from /etc/hosts (or additional hosts files), from DHCP, from --interface-name or from another --cname. If the target does not satisfy this criteria, the whole cname is ignored.` [(man)](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) I'm not sure why `host-record` doesn't work. – Big McLargeHuge May 30 '14 at 01:16
  • `host-record` works for me... strange. – Jonathan S. Fisher May 30 '14 at 14:32
  • Actually that just gave me an idea... on the dnsmasq server, dnsmasq will read `/etc/hosts`. Forget the fancy stuff I have in my answer and just try that. – Jonathan S. Fisher May 30 '14 at 14:33
  • That's exactly what I did after I tried `host-record` and `cname`. Worked like a charm! As for why `host-record` works for you, are you sure you're adding a subdomain of an already whitelisted domain? (btw edit your answer and I'll give you the bounty.) – Big McLargeHuge May 30 '14 at 15:42