From: "Laurent Bercot"
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: keeping sites off
Date: Mon, 30 Mar 2020 00:18:27 +0000
To: supervision
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm
User-Agent: eM_Client/7.2.37929.0

> The problem is that /etc/hosts does not support wildcards, so
> graph.facebook.com (for example) is not filtered. So, is there any
> solution? Should I replace dnscache by something else? (something else
> trustworthy and supervision-friendly) Any other setup compatible with
> dnscache?

What I do is:

- run a tinydns on another IP address (if you only have 1 nic, you can
  still attribute several IPs to it)
- fill that tinydns with sink data for the things I want to block
- configure my dnscache to query my internal DNS server for the zones I
  want to block. In your case, if you tell your dnscache that your
  internal DNS server is authoritative for the facebook.com zone, any
  query for graph.facebook.com will go to your internal server.
- no /etc/hosts manipulation needed.

--
Laurent
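The three steps above, written out as the two config fragments they produce (tinydns sink data for a zone, plus the per-zone forwarding file under dnscache's root/servers/ directory). This is an added example, not code from Laurent's mail or from djbdns; the addresses are placeholders I chose: the internal tinydns on 192.0.2.2, sinked names answered with 0.0.0.0, and /etc/dnscache as the dnscache directory.

```shell
#!/bin/sh
# Added example: generate sink data for tinydns and the matching
# dnscache forward for each zone to block. Placeholder values
# (192.0.2.2, 0.0.0.0, /etc/dnscache) are assumptions, not from the mail.

# Print tinydns-data lines that make tinydns authoritative for ZONE and
# answer the apex and every name below it (tinydns "*.fqdn" wildcard
# form) with SINK_IP, so graph.ZONE, www.ZONE etc. all get the sink.
# Usage: sink_zone ZONE NS_IP SINK_IP
sink_zone() {
    zone=$1; ns_ip=$2; sink_ip=$3
    # ".zone:ip:a" -> SOA for zone, NS a.ns.zone, and A a.ns.zone -> ip
    printf '.%s:%s:a\n' "$zone" "$ns_ip"
    # A record for the zone apex itself
    printf '+%s:%s\n' "$zone" "$sink_ip"
    # wildcard A record for any name under the zone without own records
    printf '+*.%s:%s\n' "$zone" "$sink_ip"
}

# Build a complete tinydns data file from a list of zones on stdin.
# Usage: printf 'facebook.com\n' | build_sink_data NS_IP SINK_IP > data
build_sink_data() {
    while read -r z; do
        [ -n "$z" ] && sink_zone "$z" "$1" "$2"
    done
}

# Write dnscache's per-zone file DNSCACHE_DIR/root/servers/ZONE holding
# NS_IP: dnscache then treats NS_IP as the server for ZONE and sends
# every query under ZONE there instead of walking down from the roots.
# Prints the path written. Usage: dnscache_forward DNSCACHE_DIR ZONE NS_IP
dnscache_forward() {
    dir=$1/root/servers
    mkdir -p "$dir"
    printf '%s\n' "$3" > "$dir/$2"
    echo "$dir/$2"
}
```

After writing the data file, run `tinydns-data` in the tinydns root and restart dnscache so it re-reads root/servers/.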