Author Topic: hosts file and DNS resolution questions  (Read 3196 times)

a.mcdear

  • Zen Apprentice
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
hosts file and DNS resolution questions
« on: August 30, 2011, 08:29:55 pm »
First off, I am using Zentyal 2.0, installed from the most recent CD ISO and updated to the most recent versions of all installed packages.

I noticed that there is no way to manage the hosts file from within the Web GUI, so I went on to the actual console and created a new hosts file for ad-blocking purposes, and to block certain web sites that I do not want employees to have access too while at work.

I opened up terminal, moved to the /etc folder, and used the following command to edit the hosts file
Code: [Select]
sudo leafpad hosts
I put in all the necessary lines to resolve all desired URLs to 127.0.0.1, saved the hosts file, and then reset Zentyal and all client machines...

Unfortunately, it seems that it did not work as expected, and all client machines using Zentyal to resolve DNS names still manage to access the sites which I had hoped to block.

Anybody know where I went wrong??

Marcus

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 395
  • Karma: +12/-0
    • View Profile
    • Professional IT Service
Re: hosts file and DNS resolution questions
« Reply #1 on: August 30, 2011, 09:01:48 pm »
Hello,

Are you using the Proxy ?  If not, you should...  That would be the proper way for blocking websites.

Otherwise you'll have to modify the hosts file on your clients computers (and that would be insane).

**Using the proxy will even prevent users of modifying their own hosts file.  It would also be smart to block other DNS service provider and only allow Zentyal DNS server.

Best,

Marcus

a.mcdear

  • Zen Apprentice
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #2 on: September 01, 2011, 01:23:26 am »
Thanks for the reply Marcus,

currently NOT using the proxy...
Here's my concern: I have basically re-purposed an old Pentium3 machine into a router, and I am worried that it doesn't have enough power to run all the services I require. Its running on a 150mhz bus and memory speed, 256MB of RAM and 1050mhz Pentium3 (still runs overclocked rock stable after like 13 years!)

Currently I am running the following modules:
-Networking
-Network Objects
-Firewall
-Traffic Shaping
-L7 Filter
-ebox Software
-Monitor
-Logs

With the currently installed modules, Zentyal's utilization is still pretty low.. Monitor shows the router's utilization averaging ~0.50 while actively connected to the control panel, and ~0.25 average when its just doing its thing... However the memory is mostly filled most of the time...
Do you think the computer is capable of handling a proxy? My understanding is that a properly functioning proxy would require a machine with quite a bit more memory.... what do you think?

Is there no way of having the DNS server on the Zentyal box use its hosts file first when resolving URLs for connected clients?
Most people using the web here don't know how to modify a hosts file, or even really know what it is... so, while a concern for the long run, at the moment it would do the trick while I have time to get a beefier computer to replace this one.
« Last Edit: September 01, 2011, 01:28:41 am by a.mcdear »

christian

  • Guest
Re: hosts file and DNS resolution questions
« Reply #3 on: September 01, 2011, 07:48:28 am »
I think you were very close to something almost working  ::)

First, Marcus is perfectly right: use of proxy is a must, especially with goal you describe.

Regarding performance, real concern, if any, is more with memory than CPU. Zentyal does not require a lot of resources but is designed neither with "low footprint" components". BTW, this is what you noticed  8)

Another way to solve your issue link to general comment I can't refrain: do NOT use "hosts" file, or at least do it only when there is no other choice. Management is painful  :'( especially on clients.
With no proxy, you can still configure clients to use Zentyal as DNS (it will require to block Intranet DNS request to internet) and let DNS resolve it. This is what you did but Zentyal has to resolve this names as "localhost" too. To ensure this, you have to check (in NSS) that name solving is done using "file" first then DNS otherwise DNS will go outside and provide real IP. I know that doing so you're back to "hosts" file management while I wrote you should not  :o but without proxy it's difficult to escape.

a.mcdear

  • Zen Apprentice
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #4 on: September 01, 2011, 09:05:24 pm »
thanks christian.
I decided to take both of your combined advice into consideration, so I uninstalled trafficshaping and l7 filter modules, and installed 'groups and users' and the proxy service.
I configured it, and it does work, when I was testing it alone... but like I figured the machine simply doesn't have the resources available and the whole "filtered" segment of the network came crumbling down to the point of total unreliability as soon as we started getting a few users attempting to use the web at the same time...

It seems that until I upgrade to a better machine, the hosts file method will have to suffice. I went into the DNS service on the web GUI and looked for an option to resolve to hosts file before internet nameservers... couldn't find it. Is this something I will need to edit in the nsswitch.conf file or something?

**edit**
So I went and looked at the nsswitch.conf file, the hosts line already was filled with files first, then dns as the default setting, which is as I figured it would have been. I have tried a few different options, for example using 127.0.0.1, as well as an arbitrary non-functional IP on the network for example 10.10.0.255 which is a valid local ip but no machine is located at that address.... neither worked. It appears the DNS server is still using external name servers rather than simply passing to clients the IP found in the hosts file..

Any ideas? If not, its back to square one I guess....

I have another older machine that isn't being used.... an Athlon XP @ 2.2ghz with 1GB of DDR400... definitely a large step up from the pentium 3 box I described above which I'm currently using.... I might be able to get that machine prepped to be my new "router/proxy/traffic shaping" machine. I am hoping that this machine would be able to run all of these services effectively. My current issue with the P3 box (besides the DNS thing) is that while traffic shaping works well on the designated interfaces, it does effectively reduce bandwidth BETWEEN my internal networks to a max of a couple MB/sec... still enough to let intranetwork tasks like printing work well enough, but not good for transferring files and such. I guess this machine just doesn't have the needed resources to do its job. :(
« Last Edit: September 01, 2011, 10:15:07 pm by a.mcdear »

Marcus

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 395
  • Karma: +12/-0
    • View Profile
    • Professional IT Service
Re: hosts file and DNS resolution questions
« Reply #5 on: September 01, 2011, 10:22:05 pm »
Hello a.mcdear,

Regarding the DNS;
You are looking at the right place.  You simply have to add hosts and IPs.  Your network clients will use this DNS server by default.

** Make sure to block all other DNS servers in order to block clients that are trying to use other DNS servers.

Best,

Marcus


sixstone

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1417
  • Karma: +26/-0
    • View Profile
    • Sixstone's blog
Re: hosts file and DNS resolution questions
« Reply #6 on: September 02, 2011, 09:20:10 am »
Hi there,

Just for your information, in Zentyal 2.2 there is a new feature for DNS to act as a transparent DNS, then it will not be necessary to block DNS traffic, but it will be redirected to Zentyal local DNS...

This will make you DNS resolution sometimes faster, and even help you as described here.

Best regards!
My secret is my silence...

DWAM

  • Zen Warrior
  • ***
  • Posts: 113
  • Karma: +3/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #7 on: September 03, 2011, 05:30:16 pm »
Hi!

I'm not sure Zentyal is the best choice for you if you only need it to act as a router/firewall, especially on a PIII hardware.

I'd suggest you to drop an eye over "pfSense", which is a very powerful router based on freeBSD. Very easy to install and manage, very safe... A PIII PC is perfect to run it.

Have a look and test it with LiveCD : http://www.pfsense.org/

christian

  • Guest
Re: hosts file and DNS resolution questions
« Reply #8 on: September 03, 2011, 05:47:37 pm »
So I went and looked at the nsswitch.conf file, the hosts line already was filled with files first, then dns as the default setting, which is as I figured it would have been. I have tried a few different options, for example using 127.0.0.1, as well as an arbitrary non-functional IP on the network for example 10.10.0.255 which is a valid local ip but no machine is located at that address.... neither worked. It appears the DNS server is still using external name servers rather than simply passing to clients the IP found in the hosts file..

Any ideas? If not, its back to square one I guess....

1 - What are you trying to achieve? when you write "I have tried a few different options..." what did you try exactly. Using web browser? Sorry but I don't understand what you did.
2 - something perhaps misleading in my previous answer: DNS uses ... DNS. This looks like a stupid comment but this means to say that updating hosts file on Zentyal will not impact the way machines on LAN using Zentyal DNS as DNS will resolve names and IPs. NSS permits to control how local services are behaving. This means that HTTP PROXY will use first /etc/hosts then DNS thus clients using proxy will benefit from this but if you request DNS server, it will use DNS... (NSS controls "host" service, not DNS). This is maybe why your test failed?

a.mcdear

  • Zen Apprentice
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #9 on: September 06, 2011, 08:34:36 pm »
Quote
1 - What are you trying to achieve? when you write "I have tried a few different options..." what did you try exactly. Using web browser? Sorry but I don't understand what you did.
What I'm trying to achieve is simple in concept... perhaps not possible the way I was told it should work. I am trying to make basically a single central 'hosts' file for the whole network. One I can use to block ads, certain sites, and when I need to update it, I only update the one hosts file on the server and it affects the way ALL OTHER MACHINES on the network resolve those addresses. Somebody informed me that this is as simple as placing the hosts file in the correct folder and enabling DNS on a Windows 2003 server, then using that Windows 2003 server as the DNS server for the network. I assumed that DNS was DNS and thus it should work the same way here too.... either I was totally misinformed and you cannot use a "central hosts file" on a DNS server, or it simply doesn't work the same way on Zentyal as it does in Windows 2003 DNS server..

Quote
2 - something perhaps misleading in my previous answer: DNS uses ... DNS. This looks like a stupid comment but this means to say that updating hosts file on Zentyal will not impact the way machines on LAN using Zentyal DNS as DNS will resolve names and IPs. NSS permits to control how local services are behaving. This means that HTTP PROXY will use first /etc/hosts then DNS thus clients using proxy will benefit from this but if you request DNS server, it will use DNS... (NSS controls "host" service, not DNS). This is maybe why your test failed?
I think you may be on the right track.... I am starting to think that perhaps my original idea of a single hosts file for the network isn't going to work... or at least not in this way. The local server already used the hosts file just fine and blocked the sites as it should... I want this same behavior to apply to all local machines on this network too.

a.mcdear

  • Zen Apprentice
  • *
  • Posts: 20
  • Karma: +0/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #10 on: September 06, 2011, 08:45:09 pm »
Hi!

I'm not sure Zentyal is the best choice for you if you only need it to act as a router/firewall, especially on a PIII hardware.

I'd suggest you to drop an eye over "pfSense", which is a very powerful router based on freeBSD. Very easy to install and manage, very safe... A PIII PC is perfect to run it.

Have a look and test it with LiveCD : http://www.pfsense.org/

Well its not not only a firewall/router, but it also needs to be able to do some QOS, trafficshaping and packet filtering too. I read up real quick and pfSense does look interesting, but their site doesn't say much in the way of trafficshaping and stuff. Looks interesting, I'm gonna fire it up on a live cd on my laptop and test it out

DWAM

  • Zen Warrior
  • ***
  • Posts: 113
  • Karma: +3/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #11 on: September 06, 2011, 09:23:08 pm »
pfSense will do everything you ever dreamt of and even more... Concerning your previous post, your needs of blocking things with central management can easily be achieved with pfSense (mainly with Squid proxy) and you'll find many optional packages for specific needs (like DNS Blacklist...)
Have fun !

christian

  • Guest
Re: hosts file and DNS resolution questions
« Reply #12 on: September 06, 2011, 10:22:19 pm »
a.McDear,

Now that I understand better, I think you can do it with Zentyal, following multiple different approaches.

Maintaining /etc/hosts file on Zentyal server...
this works if:
- you restrict it to HTTP/HTTPS protocol, meaning using Zentyal Proxy
- you maintain in /etc/hosts list of alias pointing to whatever (internal) address you want
Doing so, HTTP request will never reach real servers but the one you want to show.

What is wrong with your initial sentence is willingness, for machines on intranet, to resolve these names in a fake manner.

If /etc/hosts doesn't fit, then you could also create one entry per domain you want to control and add here one host with as many alias as you want but this will have potentially a lot of side effect in case you want to reach servers in one of these domains. I definitely do not recommend this  >:(

Last but not least and this is definitely my preferred approach, ensure proxy is used and manage, at proxy level, internet domains (or internet domains list you can upload) to be blocked by proxy.
Easy and efficient.  ;)  8) 8)

There is something I would like to highlight: what must be understood first is service you want to control because it leads to protocol and then to infrastructure component to be used in order to get control.
Starting with name or IP resolution has little chance to work because this is very low level infrastructure component (names in NSS and DNS as server). It may work with lot of side effect. If you restrict you scope to HTTP, it's much easier thank to proxy component.


DWAM

  • Zen Warrior
  • ***
  • Posts: 113
  • Karma: +3/-0
    • View Profile
Re: hosts file and DNS resolution questions
« Reply #13 on: September 07, 2011, 12:33:14 am »
Its running on a 150mhz bus and memory speed, 256MB of RAM and 1050mhz Pentium3
...
With the currently installed modules, Zentyal's utilization is still pretty low...
...
Do you think the computer is capable of handling a proxy?

Don't forget the context... A router/proxy is not supposed to generate latency... Zentyal needs more power and ressources (and was not really designed to be used only as gateway).

So yes, Zentyal can do it... but it won't with such hardware.
« Last Edit: September 07, 2011, 12:35:35 am by DWAM »

christian

  • Guest
Re: hosts file and DNS resolution questions
« Reply #14 on: September 07, 2011, 07:36:04 am »
Please do not take it the wrong way but I just disagree on each point, except for what concerns hardware.

router/proxy" is not supposed to generate latency

Of course any component is designed aiming to introduce as few latency as possible. This is especially true with network components like router. This said, you can NOT compare router and proxy. If you understand (which I believe) OSI model, router works at level 3 (network) while proxy works at level 4 (transport). I let you make your own conclusion.
In addition, yes proxy will impact performance. As already explained in another thread, introducing proxy, even with cache, will decrease performance until you reach balance in term of users that will show real benefit of cache. Otherwise, your access is slower with proxy. There is no such thing as a free lunch.  :P

Quote
Zentyal needs more power and resources (and was not really designed to be used only as gateway).
More... I don't know and you might be right, I will read this thread again. Zentyal is not for sure design with light (in term of resource footprint) components. This could be optimized. However Zentyal is definitely designed primarily as "internet gateway". Is it "gateway only". For sure not but why not? BTW, I'm using it as "gateway only"  ;D

Quote
So yes, Zentyal can do it... but it won't with such hardware.
You're right. Memory is critical but everything else should not really matter. I'm running Zentyal on Atom platform with some heavy internet consumers (my sons play a lot  :-[ ) with no problem at all.
« Last Edit: September 07, 2011, 08:05:38 am by christian »