
At work we use OpenDNS and it has wrongly blocked irc.freenode.net for malware. How can I make sure that any request for *.freenode.net goes to 8.8.8.8 and 8.8.4.4 (Google's DNS)?

I tried doing this by fiddling with resolv.conf on Ubuntu, but I wasn't able to get too far. Also, is there an easy way to do this for Mac and Windows systems (I have a few colleagues using those OSes and they'd like to use IRC as well).

vivin
    Be careful - attempting to get around security controls can get one escorted out of some companies. Also, it is possible other DNS servers are blocked. – uSlackr May 23 '12 at 17:09

7 Answers


This can't be done with the standard DNS resolution provided by *nix (and Windows AFAIK); you need your own DNS server to do this. On *nix dnsmasq is the best choice for this, and you can either run it on every workstation or run it on a server and configure all the workstations to use that.

/etc/resolv.conf:

nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 208.67.220.220

/etc/dnsmasq.conf:

server=/freenode.net/8.8.8.8
server=/freenode.net/8.8.4.4
mgorven
    This can absolutely be done using the standard DNS resolution provided by *some* operating systems. Just not by Linux. – larsks May 23 '12 at 17:00
  • To control which interface to use I added the `@vpn0` at the end of the DNS servers. This can be useful to use it only when a VPN is up. – Zioalex Apr 26 '19 at 13:27

Linux does not support the use of domain-specific DNS servers via resolv.conf. You could potentially work around this by running a caching nameserver (such as BIND or dnsmasq) locally and then configuring explicit forwarders for each domain.

Under OS X, this sort of setting is relatively easy using the scutil command. The common use case for this configuration is to forward DNS requests for a VPN connection to VPN-specific DNS servers, so you'll find this discussed often in concert with, e.g., OpenVPN. This document talks about the scutil command as does this, and a Google search for openvpn and scutil will yield more results.

I'm not sure about Windows. You could presumably use the local DNS server solution for all three platforms if you needed to.

larsks
    Is this still true in the `systemd-resolved` world? (Yes I realize your answer is 7 years old) – Pointy May 01 '19 at 20:21
    @Pointy It seems recent versions of systemd-resolved can handle this: https://gist.github.com/brasey/fa2277a6d7242cdf4e4b7c720d42b567#solution – corford Dec 06 '19 at 20:46
    Windows can do it using NRPT rules: `Add-DnsClientNrptRule -Namespace "example.com" -NameServers "203.0.113.1"` – Guto Andreollo Jan 25 '20 at 18:07

Under OS X you can use files like /etc/resolver/example.com with content:

nameserver 172.16.5.5

to forward DNS requests for *.example.com to 172.16.5.5

http://hints.macworld.com/article.php?story=2004062902195410

Alek_A

You can do it on Windows with PowerShell:

Add-DnsClientNrptRule -Namespace "pqr.com" -NameServers "10.0.0.1"

Reference: https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=win10-ps

aoetalks

It's possible to use the firejail --dns option for this. For example:

firejail --dns=8.8.8.8 firefox

This way the DNS server can be set per application instead of per domain, so it might be a better solution in some circumstances.

mrlotfi

I did this on Fedora by installing a local DNS server.

First install bind:

sudo dnf install bind

Step 1: append a line to /etc/named.conf (as root):

include "/etc/named/freenode.net.conf";

Step 2: create the zone file /etc/named/freenode.net.conf (as root):

zone "freenode.net" {
    type forward;
    forwarders { 8.8.8.8; };
};

Now restart named:

sudo service named restart

Now reconfigure your LAN settings to use 127.0.0.1 as the DNS server rather than the DHCP-allocated hosts.

Richard Hodges
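The `server=/freenode.net/8.8.8.8` lines in the accepted answer, the `/etc/resolver/example.com` file in the OS X answer and the bind `type forward` zone above all pick an upstream the same way: the query name is matched against a domain suffix, and the most specific match wins. The following is an added example written for this thread (not code from dnsmasq, bind or macOS): it parses dnsmasq-style `server=` lines, including the `@interface` form from the comments on the accepted answer, and reports which upstream a given name would be routed to. The sample config is constructed; the `corp.example` entries, their addresses and the `vpn0` interface are hypothetical and exist only to show the longest-suffix rule.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Upstream:
    """One upstream resolver taken from a dnsmasq server= line."""
    domain: Optional[str]            # None: default server, used for everything else
    address: str
    interface: Optional[str] = None  # the "@vpn0" suffix mentioned in the comments


def parse_server_line(line: str) -> Optional[Upstream]:
    """Parse a `server=[/domain/]address[@interface]` line; None for any other line."""
    line = line.strip()
    if not line.startswith("server="):
        return None
    value = line[len("server="):]
    domain = None
    if value.startswith("/"):
        _, domain, value = value.split("/", 2)
        domain = domain.strip(".").lower() or None
    address, _, interface = value.partition("@")
    return Upstream(domain, address, interface or None)


def parse_config(text: str) -> List[Upstream]:
    """Collect every server= entry from a dnsmasq.conf, in file order."""
    parsed = [parse_server_line(line) for line in text.splitlines()]
    return [u for u in parsed if u is not None]


def matches(domain: str, name: str) -> bool:
    """True if `name` is `domain` itself or lies under it (label boundary, not raw suffix)."""
    name = name.strip(".").lower()
    return name == domain or name.endswith("." + domain)


def upstreams_for(name: str, upstreams: List[Upstream]) -> List[Upstream]:
    """Upstreams the query would be sent to: every entry whose domain is the
    longest matching suffix, in config order; otherwise the default entries."""
    candidates = [u for u in upstreams if u.domain and matches(u.domain, name)]
    if not candidates:
        return [u for u in upstreams if u.domain is None]
    longest = max(len(u.domain) for u in candidates)
    return [u for u in candidates if len(u.domain) == longest]


# Constructed sample in the style of the accepted answer's dnsmasq.conf.
# The corp.example entries are hypothetical and only illustrate the rule.
SAMPLE_CONF = """\
# default servers (the OpenDNS addresses from the answer's resolv.conf)
server=208.67.222.222
server=208.67.220.220
# everything under freenode.net goes to Google
server=/freenode.net/8.8.8.8
server=/freenode.net/8.8.4.4
# hypothetical: a VPN-only resolver bound to interface vpn0
server=/corp.example/10.0.0.53@vpn0
server=/dev.corp.example/10.0.0.54
"""

UPSTREAMS = parse_config(SAMPLE_CONF)


def route(name: str) -> List[str]:
    """Addresses (with @interface when set) that `name` would be forwarded to."""
    return [u.address + (f"@{u.interface}" if u.interface else "")
            for u in upstreams_for(name, UPSTREAMS)]


if __name__ == "__main__":
    for q in ("irc.freenode.net", "freenode.net", "notfreenode.net",
              "mail.corp.example", "build.dev.corp.example"):
        print(f"{q:24} -> {', '.join(route(q))}")
```

Running it shows that `irc.freenode.net` and the bare `freenode.net` both go to Google, while `notfreenode.net` falls through to the default servers, because the comparison is made on label boundaries rather than on raw string suffixes; `build.dev.corp.example` picks the more specific `dev.corp.example` entry over `corp.example`. Whatever mechanism you choose, only the listed domain bypasses the network's resolver: if outbound DNS to other servers is also blocked, as uSlackr's comment warns, those forwarded queries will simply time out.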

If you are using Windows DNS Manager for most of your domain when accessed locally, but want to delegate one host (or for a few, if you repeat the steps below) to an external DNS provider, then you can do the following:

  • First delete any previous local A or CNAME record for the hostname you are going to delegate
    • These are found in the main window for 'DNS Manager/dc-name/Forward Lookup Zones'
  • Then right-click on your forward lookup zone, e.g. 'DNS Manager/dc-name/Forward Lookup Zones/foo.com', and select 'New Delegation...'
  • Fill in the delegated domain for the single host you want to delegate, e.g. mail.foo.com
  • In the next step, populate one or more nameserver names, each with one or more IP addresses (IP addresses are required here, and I assume this means they are not dynamically looked up in future, unfortunately)
    • You can look up these values, e.g. on an external Linux machine, using: whois foo.com (note, not mail.foo.com) to find the nameserver(s) (you should look or grep for lines starting with Name Server); then host ns1.mydnscompany.com (for example) to find the ip address(es) of the name server(s)
  • Finish the wizard, everything should now be set up
    • As normal, you may need to run ipconfig /flushdns on a client if you want to see the changes immediately
    • If the delegation does not show up in DNS Manager (immediately below the forward lookup zone in the navigation tree), even after right-click 'Refresh' to refresh the DNS Manager view, try re-checking the first step
MikeBeaton