Build or embed a DNS server to filter allowed external hostnames #7

achimnol · 2017-07-27T07:13:56Z

It is non-trivial to manage outbound security rules using IP addresses, as many external websites rely on load balancers and volatile IP addresses on top of clouds.

Let's build a DNS server that provides transparent access to whitelist domains (e.g., github.com) from user kernel sessions but returns "unresolved" results for other domains.
This would not be perfect but will provides a good starting point.

achimnol · 2017-07-27T08:05:31Z

I've found a way to do this: http://www.teknynja.com/2009/06/to-protect-and-surf-dnsmasq-and.html

dnsmasq.conf:

domain-needed
bogus-priv
no-resolv

server=/google.com/172.31.0.2
server=/github.com/172.31.0.2
...

Above config on an Ubuntu container can be tested with dig google.com @127.0.0.1 after installing/configuring dnsmasq package.

NOTE: When run inside docker, we need to add one more line to its config: user=root to avoid "dnsmasq: setting capabilities failed: Operation not permitted" error.

We could let Docker use our custom dnsmasq server.

achimnol added the enhancement label Jul 27, 2017

achimnol changed the title ~~Build a DNS server to filter allowed external hostnames~~ Build or embed a DNS server to filter allowed external hostnames Jul 27, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build or embed a DNS server to filter allowed external hostnames #7

Build or embed a DNS server to filter allowed external hostnames #7

achimnol commented Jul 27, 2017

achimnol commented Jul 27, 2017 •

edited

Loading

Build or embed a DNS server to filter allowed external hostnames #7

Build or embed a DNS server to filter allowed external hostnames #7

Comments

achimnol commented Jul 27, 2017

achimnol commented Jul 27, 2017 • edited Loading

achimnol commented Jul 27, 2017 •

edited

Loading