DnsMasq: Happy Happy Joy Joy
The other day I wished for a patched DnsMasq to block Verisign.
Pleased to say it works!
The docs aren't very prescriptive and the new Verisign-blocker isn't
documented at all, so here's what I did.
1. If you're running Woody or Sid, you'll have dhcp-client. DnsMasq recommends
resolvconf, and dhcp3-client or dhcpcd or ... It's a whole kettle of fish.
2. So, to keep it simple, I patched /etc/dhclient-script:
--- dhclient-script.orig 2003-09-18 22:58:20.000000000 -0700
+++ /etc/dhclient-script 2003-09-18 23:09:11.000000000 -0700
@@ -33,10 +33,12 @@
}
make_resolv_conf() {
+ echo search $new_domain_name >/etc/resolv-up.conf
echo search $new_domain_name >/etc/resolv.conf
for nameserver in $new_domain_name_servers; do
- echo nameserver $nameserver >>/etc/resolv.conf
+ echo nameserver $nameserver >>/etc/resolv-up.conf
done
+ echo nameserver 127.0.0.1 >>/etc/resolv.conf
}
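Review bot: the first `+` line, `echo search $new_domain_name >/etc/resolv-up.conf`, duplicates the `search` directive into a file that only dnsmasq reads as its upstream-server list; the host resolver keeps getting `search` from /etc/resolv.conf via the unchanged line just below it, so the copy in resolv-up.conf is dead weight. Either drop it (keeping the `>` truncation on the first `nameserver` write instead, so stale upstreams don't accumulate across leases) or add a comment stating that resolv-up.conf is the upstream list for dnsmasq and /etc/resolv.conf is what local clients see, since the two files now have different consumers and the next reader will not guess that from the names alone.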
3. Then I patched /etc/dnsmasq.conf:
--- dnsmasq.conf.orig 2003-09-18 23:05:47.000000000 -0700
+++ /etc/dnsmasq.conf 2003-09-18 23:22:10.000000000 -0700
@@ -12,12 +12,15 @@
# to the name of the host running dnsmasq.
#mx-host=
#mx-target=
-#selfmx
+selfmx
#localmx
+filterwin2k
+bogus-nxdomain=64.94.110.11
+bogus-priv
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
-#resolv-file=
+resolv-file=/etc/resolv-up.conf
# Add other name servers here, with domain specs if they are for
# non-public domains.
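Review bot: `bogus-nxdomain=64.94.110.11` is the line that actually does the Verisign blocking, but it lands between `filterwin2k` and `bogus-priv`, which are unrelated tweaks, with no comment saying what that address is or why answers carrying it should become NXDOMAIN. Add a comment above it (e.g. `# Verisign wildcard address: rewrite answers carrying it to NXDOMAIN`) so the hard-coded IP can be revisited when the wildcard goes away. The `resolv-file=/etc/resolv-up.conf` path does match the file dhclient-script writes, which is the one dependency between the two patches worth calling out in a comment as well.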
@@ -40,7 +43,7 @@
# If you want dnsmasq to listen for requests on only one interface
# (and the loopback) give the name of the interface (eg eth0) here
-#interface=
+interface=lo
# Change these if you want dnsmasq to cache any "hostname"
# or "client-hostname" from a dhcpd's lease file
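Review bot: `interface=lo` is consistent with the dhclient-script change that points /etc/resolv.conf at 127.0.0.1, and it keeps the resolver off the network, which is the right default for a single host. The commented text above it suggests `eth0`, so a one-line comment that this instance deliberately serves only the local machine (LAN clients cannot use it) would prevent someone "fixing" it later.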
@@ -51,7 +54,7 @@
#domain-suffix=
# Set the cachesize here.
-#cache-size=600
+cache-size=600
# Normally responses which come fomr /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
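Review bot: the only change in this hunk is uncommenting `cache-size=600`, and whether that alters behaviour depends on the compiled-in default, which the file doesn't state. If 600 is just the example value, this is a no-op and can be left commented; if it is a deliberate choice, a short comment saying so (and why 600) keeps it from reading as noise next to the real changes.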
---------------------------------
I have some tweaker-scripts that I run after a fresh install.
First I patch dhclient-script, down/up eth0, patch dnsmasq.conf, and restart dnsmasq.
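The two patches only work together if the paths in them agree: dnsmasq's resolv-file must be the file dhclient-script fills with upstream servers, and resolv.conf must point at the loopback address dnsmasq is bound to. Here is an added check for that (my own example, not Tom's tweaker-script); the check_setup function name is mine, and the two sample files are constructed from the patched lines above so it runs offline.

```shell
#!/bin/sh
# check_setup CONF SCRIPT -> prints one line per problem found, returns 1 if any.
check_setup() {
    conf=$1; script=$2; rc=0
    # The Verisign blocker itself: answers carrying this address become NXDOMAIN.
    grep -q '^bogus-nxdomain=[0-9.]*$' "$conf" || { echo "no bogus-nxdomain line"; rc=1; }
    # Upstream side: resolv-file must be the file dhclient-script writes servers into.
    rf=$(sed -n 's/^resolv-file=//p' "$conf")
    [ -n "$rf" ] || { echo "resolv-file unset: dnsmasq would read /etc/resolv.conf, i.e. itself"; rc=1; }
    grep -q "nameserver \$nameserver >>$rf\$" "$script" \
        || { echo "dhclient-script does not write upstream servers to '$rf'"; rc=1; }
    # Local side: resolv.conf must name loopback, and dnsmasq must listen there.
    grep -q 'nameserver 127.0.0.1 >>/etc/resolv.conf$' "$script" \
        || { echo "dhclient-script does not point /etc/resolv.conf at 127.0.0.1"; rc=1; }
    grep -q '^interface=lo$' "$conf" || { echo "dnsmasq is not bound to lo"; rc=1; }
    return $rc
}

# Constructed sample files (copies of the patched lines, not the live system files).
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/dhclient-script" <<'EOF'
make_resolv_conf() {
    echo search $new_domain_name >/etc/resolv-up.conf
    echo search $new_domain_name >/etc/resolv.conf
    for nameserver in $new_domain_name_servers; do
        echo nameserver $nameserver >>/etc/resolv-up.conf
    done
    echo nameserver 127.0.0.1 >>/etc/resolv.conf
}
EOF
cat >"$SAMPLE_DIR/dnsmasq.conf" <<'EOF'
selfmx
filterwin2k
bogus-nxdomain=64.94.110.11
bogus-priv
resolv-file=/etc/resolv-up.conf
interface=lo
cache-size=600
EOF
# A broken variant: resolv-file left commented out, so dnsmasq would read
# /etc/resolv.conf, which lists only 127.0.0.1 (dnsmasq itself) and no real upstream.
sed 's/^resolv-file=/#resolv-file=/' "$SAMPLE_DIR/dnsmasq.conf" >"$SAMPLE_DIR/dnsmasq-bad.conf"

check_setup "$SAMPLE_DIR/dnsmasq.conf" "$SAMPLE_DIR/dhclient-script" && echo "patched config: OK"
check_setup "$SAMPLE_DIR/dnsmasq-bad.conf" "$SAMPLE_DIR/dhclient-script" || echo "bad config: rejected"
```

Run it against the real /etc/dnsmasq.conf and /etc/dhclient-script after the tweaker-scripts to catch a path that was changed in one file but not the other.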
----
Thought I'd share what I figured out with anybody else who wants to block
Verisign in "the simplest way possible". I'm sure most experts are running
more sophisticated solutions -- but I like simple solutions.
Comments?
-Tom