CNAME record creation for NXFilter DNS

[Jared Scott]

Hey! 

Is it possible to add a CNAME record for the Nxfilter DNS service?

I want to disable SSL search for Google and it requires a cname creation:

https://support.google.com/websearch/answer/186669?hl=en&ref_topic=3427534

A record doesnt work.

Any ideas?

Cheers

Jared 

[Jinhee]

In my memory if you use proxy you can do that without DNS.
So why do you need to add that CNAME record if you already use the proxy?
When you say using A record does it mean you add www.google.com with 216.239.3.20?

Currently I am working on implementing the application control on NxFilter which is our remote user filtering client.
It's already finished actually.
So the next target will be implementing 'forcing safe search' on NxClient.

Jinhee

[Jared Scott]

Hey Jinhee! 

I thought so as well but its not possible if you specify dns_nameservers in squid (mine points to 10.0.0.254 so it goes through nxfilter always, works well). 

As I am typing this (once again lol), I just realized that if nothing is inputted for dns_nameservers, it uses the default nameservers defined in /etc/network/interfaces AND the /etc/hosts file. However, this based does the same thing that your "redirect" option does in DNS and it results in a warning from Google AND a DNS poisoning attack log (and block) in ESET (and probably other decent programs/etc.).

This is easily solved if you allow us to put a name inside that redirection tab. Right now its domain -> ip. Could you modify it so that it accepts name -> name (if this second one is chosen, it can just use the default forwarder (e.g. 8.8.8.8) to do name resolution.

My only other option at this point is to bind nxfilter to a virtual interface on port 53 and then bind something like dnsmasq on another virtual interface on port 53 and then forward both out of eth0 (only have a single NIC) but this is getting real complicated :P

Cheers

Jared

[mark page]

Jared,

I'm using BIND with RPZ to do something similar. I've got a pretty good write up at:

https://sites.google.com/site/thingsoflittleconsequence/home/using-domain-name-service-response-policy-zones-dns-rpz-with-shallalists

Mark

[Jared Scott]

The name -> name would be "google.com" -> nosslsearch.google.com btw :) Google sees that as a VIP and while it tells the user that their administrator has disabled SSL search, it isnt viewed as a DNS poisoning attack on the client side.

[Jared Scott]

Awesome, will check it out, thanks :)

[Jinhee]

Even if I allow you put the domain name instead of IP it doesn't get you what you want.
I need to change it making CNAME response.
This means I need to have type flag for redirection.

The other option is using zone-transfer.
You have it on the other DNS server and NxFilter do the zone-transfer.
Or you can use local_dns, local_domain for that.
NxFitler will bypass google.com to your local DNS server.

And there's a typo. I was talking about NxClient.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Currently I am working on implementing the application control on NxClient which is our remote user filtering client.

[Jinhee]

Hi Mark,

You wrote many things about NxFilter on your site.
Thanks for all the effort. I will link your site from my main page.
So far the best contribution ever.

Thanks,

Jinhee

[Jared Scott]

Awesome, that safesearch enforcement would be awesome!

I understand, actually forgot about the response type. Does nxfilter look at the host cache (i.e. records inside of /etc/hosts for example) before using the default forwarders? Would adding google.com/etc. to be bypassed, allow it to sent to localhost and have something like dnsmasq to supply the CNAME record? (I am just confirming this)

FYI (and for the communities benefit, here is a bash script i found to find the latest IP for nosslsearch.com)

------------------------------------------------------------------------------------------------------------------------

# rebuilds host file with google's non-ssl seach address

# rename the existing hosts file
mv /etc/hosts /etc/hosts.bak

# copy the old hosts file to a new hosts file, minus any lines containing 'google'
grep -v google /etc/hosts.bak > /etc/hosts

# get the latest IP address
IP_RESULT=`nslookup nosslsearch.google.com | tail -n 2 | cut -f 2 -d ":" | cut -f2 -d " "`

#if IP_RESULT is not NXDOMAIN, add the new IP records, otherwise do nothing

if [ "$IP_RESULT" !=  "NXDOMAIN" ]
then
        echo $IP_RESULT www.google.co.uk >> /etc/hosts
        echo $IP_RESULT www.google.com >> /etc/hosts
fi

------------------------------------------------------------------------------------------------------------------------

Also, I am not too sure how its implimented but if I browse to http://safebrowsing-cache.google.com/, it seems to turn on safesearch for you. It also turns off SSL :O

I am thinking of redirecting google.com -> http://safebrowsing-cache.google.com/ instead of nosslsearch.com unless i am missing something.

Thoughts?

Cheers

Jared

[Jinhee]

No we don't look into /etc/hosts file.
If I do that it will be Unix dependent.

Jinhee

[mark page]

You may end up in a loop, depending on which upstream servers you use for DNS ;-)

[Jared Scott]

Hey! 

Ok so the best option would be clients -> dnsmasq (eth0:1) -> nxfilter (eth0:0) -> client (for the resolution). That way I can also add a proper CNAME without all this trickery :P

[Jared Scott]

And nxfilter will use upstream DNS servers (such as 8.8.8.8) of course, as per the default setup.