
DNS Circumvention

Discussion in 'Tomato Firmware' started by manderson, May 12, 2010.

  1. manderson

    manderson Addicted to LI Member

    I'm curious if anyone has any insight into dealing with DNS circumvention.

    In particular, I have Tomato set up with OpenDNS (Intercepting Port 53 & dnsmasq set with strict-order). So when I try to open a domain/category I've blocked, it sends me to block.opendns.com

    However, my understanding is if I plug in the IP Address for a blocked domain, it simply goes through.


    Does anyone know of a current solution to this?

    Is it possible to block requests based on IP Addresses?

    That would probably be too far reaching, so how crazy does this sound / is this even possible:
    --If I plug in a regular domain, it gets forwarded to block.opendns.com
    --If I plug in an IP address (maybe excluding 192.x.x.x), it does a Reverse DNS Lookup, checks OpenDNS for the IP address of the domain (it should return the IP address of block.opendns.com); if it doesn't match, then direct the user to block.opendns.com (208.69.36.135).


    If this is possible, how do I do it?
    No solution is too crazy.

    Thank you
     
  2. badran

    badran Networkin' Nut Member

    It looks doable.

    I would suggest creating a php script on some server (preferably on your internal network), that will accept an IP address, and return true or false.

    The script can parse the "host" command:

    $ host 208.69.36.135
    135.36.69.208.in-addr.arpa domain name pointer block.opendns.com.
     
  3. manderson

    manderson Addicted to LI Member

    Ok. Assuming I can put together the php (or shell) script, any idea how I would set up Tomato to recognize when an IP address is used rather than a domain (to know when to run the script), and how to run that script?

    What is the second block of text (the line after $ host 208.69.36.135)? I'm still very new to all this.
     
