31 comments

  • denkmoon a day ago

    You've excluded the answer. Running a local resolver is quite simple. One tiny process running with a single config file is going to be as simple as (if not more so) any other possible solution you'll find.

  • WarOnPrivacy 4 days ago

    > As noted in the ingress, the web browser is the primary application.

    In Firefox, about:networking and about:networking#dns are the HTTP cache and DNS cache. I have never considered writing values to these directly. Could there be a method for doing so within the developer console? Perhaps someone knows.

    There are replies in the below link that touch on it for Chrome. The top suggestion, however, is using a SOCKS5 proxy server as a workaround. https://superuser.com/questions/184643/override-dns-in-firef...

  • 2bluesc a day ago

    You can use the linker to preload `nss_wrapper`[0] and overwrite anything using `nss`.

    Here's an example:

      > cat hosts
      198.51.100.33 test.tld
      2001:db8::33 test.tld
      198.51.100.12 test4.tld
      2001:db8::12 test6.tld
    
      > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test.tld
      198.51.100.33   DGRAM  test.tld
      198.51.100.33   STREAM test.tld
      2001:db8::33    DGRAM
      2001:db8::33    STREAM
    
      > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test4.tld
      198.51.100.12   DGRAM  test4.tld
      198.51.100.12   STREAM test4.tld
    
      > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test6.tld
      2001:db8::12    DGRAM  test6.tld
      2001:db8::12    STREAM test6.tld
    
      > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts curl -v test.tld
      * Host test.tld:80 was resolved.
      * IPv6: 2001:db8::33
      * IPv4: 198.51.100.33
      *   Trying [2001:db8::33]:80...
      *   Trying 198.51.100.33:80...
    
    
    [0] https://cwrap.org/nss_wrapper.html

  • yjftsjthsd-h a day ago

    > think /etc/hosts, but without the requirement of superuser privileges.

    It would help if you could expand on this. Is this a "don't want devs to need to mess with their boxes" thing, or a "we're doing shadow IT and can't run things the normal way" thing, or something else?

    > Running a resolver locally, or within the LAN, falls outside the realm of "simple".

    No, it really doesn't. A DNS server can be a single file binary pointed at a simple text file, optionally pointed directly at a hosts-format file. I suggest coredns personally but there are other options.

  • protocolture a day ago

    >without the requirement of superuser privileges

    Like you want to be able to update it without su, or that you can't access it at all?

    Like you could have a cron running as root that updates /etc/hosts every minute based on a userspace text document if you felt like it. It would be incredibly bad practice, but I don't get the impression that this is a concern.

    >Running a resolver locally, or within the LAN, falls outside the realm of "simple".

    Running your own DNS server isn't simple? The standard Microsoft DHCP/DNS process is to take DHCP leases and turn them into DNS entries.

    Part of the reason a lot of answers are going to challenge your simple requirements is that there's a great deal of malware that would love to do what you want to do, and these systems are largely hardened to prevent it.

    If this is for an application you want to deploy, I believe "simple" for userspace is quite complex, to overcome all the things trying to prevent exactly this. My gut feeling is that this desire will evolve into a docker container with a DNS resolver, and just present some kind of interface for adding records. Then just pipe all your DNS requests through the container.

  • galaxy_gas a day ago

    1. Buy domain for your service

    2. Make wildcard record to point to 127.0.0.1

    3. User can apply any.thing.here.yourcompanyinternal.xxx

  • ogig a day ago

    Since you can't edit hosts or set up a resolver, maybe bookmark the IPs directly in your browser? I understand you asked for hostnames, but given the context you might as well internalize some local IPs.

  • ranger207 a day ago

    This feels like an X-Y problem. What's preventing you from running a local copy of Dnsmasq? It's really not difficult.

  • Poiesis a day ago

    Depending on the details of your setup and precisely why you're attempting this, I would also recommend Avahi/Zeroconf (lets you type "$HOSTNAME.local") or simply populate some favorites/bookmarks on the client machines (typing the bookmark name will generally autocomplete).

  • simpaticoder a day ago

    You are probably running a resolver on the LAN already, in your router. Now you just have to log in and add an entry.

    • urbandw311er a day ago

      This is the correct answer. You can’t have a DNS resolver without, er, using a DNS resolver.

  • terry_hc 5 days ago

    I want to note that I mean to use such internal hostnames to reach services inside a VPN. If solutions such as IPsec or OpenVPN can somehow push and manifest host->IP correlations for the OS, as an alternative to pushing an additional DNS resolver living inside the VPN, that would also be a viable solution.

    • LorenDB a day ago

      Tailscale is very easy to set up and provides resolvable hostnames (at an OS level) for all connected devices.

      • Cheer2171 a day ago

        Tailscale requires superuser/admin

  • moondev a day ago
    • lucgommans a day ago

      Or if you need records other than A/AAAA, like MX for delivering email: https://anyz.one

      E.g., 10.2.3.4.anyz.one will refer the recursive resolver to query 10.2.3.4 for the answer to the query. You can also buy a domain and configure it to do that, but this is quicker.

      Disclosure: I wrote anyzone

  • drpixie a day ago

    Perhaps you can enable a default local domain on your router? OpenWrt certainly lets you choose a local domain, and the router then replies to DNS requests for somehost.local names.

  • sim7c00 4 days ago

    Anything that could capture the traffic of another application outside of that application is likely gonna need super user privs. The ports it flows on need those to capture it, and running a program which could capture it also likely needs it.

    That being said: more context would thus help. What application is making the request, and at what point do you expect to intercept or get that request? Is that outside the same app or not?

    Edit: also, can you at least set it up as root, or does everything need to happen as user? (And the OS might also matter.)

    • terry_hc 4 days ago

      As noted in the ingress, the web browser is the primary application. It must work for an end-user lacking the technical facilities or even sufficient administrative access to install a resolver or edit the system's hosts file. A browser extension would be a great solution.

  • GoblinSlayer a day ago

    If your programs use glibc, it supports hosts overrides in an environment variable, forgot which.

  • fragmede 7 hours ago

    https://github.com/Riant/host-switch-plus or --host-resolver-rules to chrome, FoxyProxy for Firefox.
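An added example (my own code, not posted by any commenter) that connects 2bluesc's hosts-format file to the `--host-resolver-rules` flag fragmede mentions: it parses the hosts format and emits Chrome `MAP <host> <addr>` rules. Two assumptions are labelled in the code: Chrome applies the first MAP rule that matches a name, so a name with both an A and an AAAA entry keeps only its first address, and IPv6 replacements must be bracketed.

```python
# Hypothetical helper (not from any commenter): reads the hosts format that
# nss_wrapper and /etc/hosts use and emits Chrome "MAP <host> <addr>" rules.
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample; test.tld has both a v4 and a v6 line, as in the
# nss_wrapper example above, to exercise the conflict handling below.
SAMPLE_HOSTS = """\
# comment line
198.51.100.33 test.tld www.test.tld
2001:db8::33  test.tld
198.51.100.12 test4.tld   # trailing comment
2001:db8::12  test6.tld
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs; lines without a valid IP literal are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field must be an IP literal
        for name in fields[1:]:                   # one address, several aliases
            pairs.append((name.lower(), str(addr)))
    return pairs

def to_resolver_rules(pairs: List[Tuple[str, str]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (MAP rule string, dropped pairs). Assumption: Chrome applies the first
    MAP rule that matches a name, so a name with several addresses keeps only the
    first; extras are returned so the caller can warn. IPv6 gets [brackets]."""
    rules: Dict[str, str] = {}
    dropped: List[Tuple[str, str]] = []
    for name, addr in pairs:
        if name in rules:
            dropped.append((name, addr))
            continue
        rules[name] = f"[{addr}]" if ":" in addr else addr
    return ", ".join(f"MAP {n} {a}" for n, a in rules.items()), dropped

if __name__ == "__main__":
    rule_str, dropped = to_resolver_rules(parse_hosts(SAMPLE_HOSTS))
    print(f'chromium --host-resolver-rules="{rule_str}"')
    for name, addr in dropped:
        print(f"warning: {name} also maps to {addr}; only its first address is used")
```

The flag only affects the browser process it is passed to, which is the point of the thread: nothing system-wide changes and no superuser access is needed.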