Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.
DNS fun

Posted 07-06-2014 at 02:17 AM by rocket357

I've configured probably the coolest, most complex DNS setup I've bothered to build in recent times. I say complex because it leverages unbound and pf to route DNS traffic to other programs (nsd, dnscrypt-proxy, tor), and I say coolest because DNS traffic is "filtered" to the right places (so you don't end up with, say, a tor device leaking DNS traffic, or my wife having to wait crazy amounts of time for a simple DNS request).

I started off with the basics: what exactly do we (my family) resolve often? The list I came up with (a very short list of the very top sites):

1) Google
2) Amazon
3) Facebook
4) LinkedIn
5) Twitter
6) TwitchTV

I'd like to ensure that traffic to these sites is routed "normally", so I first set unbound up with a forward-zone for each of those domains. Pretty simple:

    name: ""
Rinse, repeat for the other domains. I also wanted to ensure that the actual traffic to these sites is routed appropriately, so I set up a directory in /etc to hold pf include files. I had a previous configuration with "netconf" as a directory in /etc/, so I extended that with "netblocks" underneath it to hold the pf table files. I will import these tables into pf, then route based on them. I wrote a simple script to pull the list of IP ranges a company announces, keyed by its AS number:


# IRR server that answers '!gAS<n>' (the post's host name was lost; whois.radb.net is an assumed default)
IRR_HOST="${IRR_HOST:-whois.radb.net}"

siteblocks() {
    SITE=$1
    AS=$2
    # '!gAS<n>' asks an IRRd server for the prefixes originated by that AS; grep keeps the prefix line
    ipblock="`whois -h "$IRR_HOST" "!gAS$AS" | grep '/' | tr ' ' ','`"
    # one pf table file per site, named <site>.com as described below
    echo -n "table <$SITE> const { " > /etc/netconf/netblocks/$SITE.com
    echo "$ipblock" >> /etc/netconf/netblocks/$SITE.com
    echo "}" >> /etc/netconf/netblocks/$SITE.com
}

for site in google\:15169 amazon\:16509 twitter\:13414 facebook\:32934 linkedin\:20049 twitchtv\:46489; do
    as=`echo $site | cut -d':' -f2`;
    site=`echo $site | cut -d':' -f1`;
    siteblocks $site $as;
done
This builds out /etc/netconf/netblocks/{google,amazon,facebook,etc...}.com, each containing a pf table statement that can be included in my main pf.conf for filtering. You can look up ASNs quite easily from a site like the ultratools site. A relevant pf entry would look like:
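The same table-building step, as an added example in Python rather than the post's own script: it parses the IRRd '!g' reply framing explicitly and validates every prefix before anything is written into a pf table, so a malformed or unexpected token in the whois answer cannot end up inside pf.conf. The IRRd server name (whois.radb.net), the sample reply and the <site>.com file naming are assumptions made for the example.

```python
from __future__ import annotations
import ipaddress
import re
import socket
from pathlib import Path

NETBLOCK_DIR = Path("/etc/netconf/netblocks")   # the directory the post uses
IRR_HOST = "whois.radb.net"                      # assumption: an IRRd server that answers !g queries

# IRRd frames a "!gAS<n>" answer as "A<bytes>\n<space-separated prefixes>\nC\n",
# "D\n" when the AS has no route objects, or "F <error>\n" on failure.
# Constructed sample reply (not real RADB data); the byte count is not relied upon.
SAMPLE_REPLY = "A52\n203.0.113.0/24 198.51.100.0/25 notaprefix 10.0.0.5/8\nC\n"


def parse_irrd_g(reply: str) -> list[str]:
    """Return the raw tokens from an IRRd !g reply; raise on an error or broken framing."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty IRRd reply")
    if lines[0] == "D":
        return []
    if lines[0].startswith("F"):
        raise ValueError(f"IRRd error: {lines[0]}")
    if not lines[0].startswith("A") or "C" not in lines[1:]:
        raise ValueError(f"unexpected IRRd framing: {lines[0]!r}")
    body = lines[1:lines.index("C", 1)]
    return " ".join(body).split()


def validate_prefixes(tokens):
    """Keep only well-formed CIDR prefixes (host bits clear), de-duplicated and sorted."""
    accepted, rejected = set(), []
    for tok in tokens:
        try:
            accepted.add(ipaddress.ip_network(tok, strict=True))
        except ValueError:
            rejected.append(tok)
    ordered = sorted(accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, rejected


def pf_table(name: str, prefixes) -> str:
    """Render one 'table <name> const { ... }' line; comma-separated entries are valid pf syntax."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError(f"unsafe table name: {name!r}")   # keep arbitrary text out of pf.conf
    body = ", ".join(str(p) for p in prefixes)
    return f"table <{name}> const {{ {body} }}\n"


def render_site_table(site: str, reply: str):
    """Table text for one site plus the tokens that were rejected during validation."""
    prefixes, rejected = validate_prefixes(parse_irrd_g(reply))
    return pf_table(site, prefixes), rejected


def query_irr(asn: int, host: str = IRR_HOST, port: int = 43) -> str:
    """The network step the post does with 'whois -h ... !gAS$AS'; not exercised offline."""
    with socket.create_connection((host, port), timeout=15) as sock:
        sock.sendall(f"!gAS{asn}\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    # Same site:ASN pairs as the post; writes e.g. /etc/netconf/netblocks/google.com
    for site, asn in [("google", 15169), ("amazon", 16509), ("twitter", 13414),
                      ("facebook", 32934), ("linkedin", 20049), ("twitchtv", 46489)]:
        text, rejected = render_site_table(site, query_irr(asn))
        if rejected:
            print(f"{site}: skipped {len(rejected)} malformed entries: {rejected[:3]}")
        (NETBLOCK_DIR / f"{site}.com").write_text(text)
```

Running it offline against SAMPLE_REPLY shows the two checks at work: "notaprefix" is dropped because it is not a CIDR string, and "10.0.0.5/8" is dropped because its host bits are set, which pf would otherwise silently mask down to 10.0.0.0/8.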

pass in on vlan2200 proto {tcp} to { <amazon>, <facebook>, <google>, <twitter>, <twitchtv>, <linkedin> }
With that one line, all TCP traffic to those sites is routed normally via the kernel route tables, and the following rules (which utilize tor, or dnscrypt-proxy, or whatever) operate as the default.

Next, I wanted to ensure that other domains were resolved "discreetly" (querying for Google or Facebook discreetly and then connecting to them directly is like drinking a diet soda with your Big Mac and fries... why bother with the overhead of tor or dnscrypt-proxy if you're going to connect to Facebook anyway?). To do so, I configured two dnscrypt-proxy instances, one listening on port 39 and the other on port 40 (I lifted that from a blog post I was reading; if I manage to locate the site again I'll credit it properly =). Unbound is then set to forward everything else to the dnscrypt-proxy instances by default via a '.' forward-zone. Something like:

    name: "."
Next, I wanted local DNS served for my home network, so I configured nsd (complete with a Hitchhiker's Guide theme after my printer started showing signs of depression (yup, he's Marvin)). nsd listens on port 5353, so unbound simply forwards both the forward and reverse zones for my local domain to nsd.

I have a few vlans that are configured to use tor, so I knew I'd best handle their DNS queries carefully. Since I have a default '.' forward-zone set up in unbound, I figured pf could help a bit here (pf can also be configured to force traffic to the tor proxy running on my firewall and drop any traffic that might otherwise leak). The relevant torrc entries:

TransPort 9040
DNSPort 9053
And the relevant pf configuration:

pass in quick on vlan2000 proto {tcp,udp} from any to any port 53 rdr-to port 9053
block in quick on vlan2000 from any to # no-touchie local!
pass in quick on vlan2000 proto {tcp} rdr-to port 9040
block in on vlan2000
Voilà, vlan2000 can't do anything but tor, whereas DNS for vlan2200 (and others) is routed normally for the known big sites and discreetly for everything else.
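To check the "can't do anything but tor" claim, here is an added example (not from the original post) that models the four vlan2000 rules with pf's first-match semantics for quick rules and runs a handful of constructed flows through them. The local network 192.168.0.0/16 is an assumption standing in for the table the post's "no-touchie local" rule references; the 9053/9040 ports are the torrc values from the post.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")   # assumption: stands in for the post's local-net table
TOR_DNSPORT, TOR_TRANSPORT = 9053, 9040               # DNSPort / TransPort from the post's torrc


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"; every sample flow enters on vlan2000
    dst: str
    dport: int


def rules_from_post():
    """The four vlan2000 rules in the post's order: (quick, action, match, rdr-to port)."""
    return [
        # pass in quick on vlan2000 proto {tcp,udp} from any to any port 53 rdr-to port 9053
        (True, "pass", lambda f: f.proto in ("tcp", "udp") and f.dport == 53, TOR_DNSPORT),
        # block in quick on vlan2000 from any to <local net>   # no-touchie local!
        (True, "block", lambda f: ipaddress.ip_address(f.dst) in LOCAL_NET, None),
        # pass in quick on vlan2000 proto {tcp} rdr-to port 9040
        (True, "pass", lambda f: f.proto == "tcp", TOR_TRANSPORT),
        # block in on vlan2000
        (False, "block", lambda f: True, None),
    ]


def misordered_rules():
    """Same rules with the local-net block moved below the TCP redirect."""
    r = rules_from_post()
    return [r[0], r[2], r[1], r[3]]


def evaluate(flow, rules):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick',
    which ends evaluation on the spot. Returns (action, redirect port or None)."""
    decision = ("pass", None)      # pf's implicit default when no rule matches
    for quick, action, match, rdr_port in rules:
        if not match(flow):
            continue
        decision = (action, rdr_port)
        if quick:
            break
    return decision


def leaks(flows, rules):
    """Flows that pf would pass to anything other than one of tor's listeners."""
    return [f for f in flows
            if evaluate(f, rules)[0] == "pass"
            and evaluate(f, rules)[1] not in (TOR_DNSPORT, TOR_TRANSPORT)]


# Constructed sample flows from a host on vlan2000.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.53", 53),    # plain DNS to an outside resolver
    Flow("tcp", "203.0.113.10", 443),   # HTTPS to the internet
    Flow("udp", "203.0.113.10", 443),   # QUIC: UDP but not DNS, so it must be dropped
    Flow("udp", "203.0.113.123", 123),  # NTP over UDP
    Flow("tcp", "192.168.1.1", 22),     # SSH towards the local network
    Flow("udp", "192.168.1.1", 53),     # DNS aimed at a local resolver
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f, rules_from_post()))
    print("leaks:", leaks(SAMPLE_FLOWS, rules_from_post()))
    print("changed by misordering:",
          [f for f in SAMPLE_FLOWS if evaluate(f, misordered_rules()) != evaluate(f, rules_from_post())])
```

Two things the run makes visible that the rule listing alone does not: the port-53 rule sits above the local-net block, so even DNS aimed at a local resolver is redirected to tor's DNSPort rather than blocked, and swapping the local-net block below the TCP redirect (misordered_rules) quietly turns "blocked" into "handed to tor's TransPort" for TCP flows aimed at the local network, which is why the quick rules must stay in the post's order.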

Comment 1:
    Ended up dropping nsd, as I don't really need CNAMEs and such... just basic A records and PTRs. I'm running my static local data in unbound, which has limited authoritative capabilities. Really nice for a SOHO-type setup.

    The only hurdle I haven't solved is zone-based responses (i.e. if a machine on vlan1103 asks for the IP of fw.j3z.local (my local domain), it will get back the same IP as a machine on vlan2102). I could either let them all hit the firewall on the same (probably management) IP, or better yet I could define the "management" IP of the firewall and allow traffic only from trusted vlans to hit that IP.

    Still, seems hackish. Perhaps nsd will gain split horizon capabilities to provide views as such, but until then I suppose I'll limit the firewall to a single management and access that cross-vlan. Meh.
    Posted 07-10-2014 at 06:50 PM by rocket357

