dnsrd - Interact with the DNS Resolver DaemonSYNOPSIS
dnsrd [on|off [flag]]
dnsrd black|grey|white|special|local|ms|ios [name]
dnsrd clear black|white|grey|special|local|ms|ios [name]]
dnsrd client [ip [level [block]]]
dnsrd clear client [ip]
white [ifn [on | off | flag]]
Command dnsrd starts or stops the DNS Resolver Daemon. Argument flag specifies whether NAT32 Name Resolution (2) or Windows Name Resolution (1) APIs are to be used. If flag is 0, only built-in names like nat32.box are checked.NOTES
The DNSRD supports a black-list of names that always resolve to the address of the NAT32 Honeypot. The names can be complete DNS domains (denoted by ^) or shorter substrings.
Example:dnsrd black "^ws.microsoft.com" # Quotes required because of the ^ characterExceptions can be specified in the white-list and always override strings in the black-list. The command white can be used to specify that only white-listed name requests from the specified interface are to be resolved. Special local names like nat32.box will always be resolved, except if a flag value of 2 is specified.
dnsrd black windows.microsoft.com
The DNSRD also supports a grey-list of names that always resolve to the address of the NAT32 Honeypot. For grey-listed names, all HTTPS access is blocked and HTTP content is fetched using NAT32's httpget command. Exceptions can be specified in the white-list and always override strings in the grey-list.
Example:dnsrd black .ads
dnsrd white .org
The first rule will block names such as www.adserver.com but names such as www.adserver.org will be allowed because of the second rule.
The DNSRD also supports a list of names that must always use a special route to the Internet. This feature is useful for accessing sites that block content by geographical location. If a VPN connection to a server in a specific country is available, then all traffic to names in the special list will be forwarded via that VPN connection.
Example:dnsrd special .bbc.
The command will cause all traffic to names containing the string ".bbc." to be forwarded via the NAT32 Auxiliary interface, which, in this case, would typically be a connection to a VPN Server in the UK.
Note that many such VPN Servers exist, and they can easily be found on the Internet. NAT32 has been tested with 12VPN.NET, a VPN Service that supports L2TP/IPsec connections to serveral servers in 9 different countries. Another highly-recommended VPN service is IPVanish and NAT32 has been adapted to fully support OpenVPN used by IPVanish and others.
NOTE: Users of Windows XP should ensure that the NDISWANIP adapter is at the top of the TCP/IP Binding List. Please see this Microsoft Support Page for details.
Names in the local list always resolve to the IP address of the interface on which the DNS request was received.
The DNSRD also supports HOSTS file lookup. To use this feature, please download the latest hosts.zip file and extract it to your NAT32 installation directory. The extracted hosts.ini file is an optimized version of the hosts.txt file freely available from the hosts-file.net site.The file is loaded into an internal, indexed table each time NAT32 starts. Any DNS request for a name contained in that table will quickly resolve to the NAT32 Honeypot address (usually 184.108.40.206). All machines, including the NAT32 machine itself, will then be safe from advertisements, malware, 3rd party cookies and other unwanted content. Web browsing speed will increase dramatically because unwanted content will never be downloaded to your machines. Be sure to update the hosts.ini file regularly.
Computers in the client list can have the following DNS checking levels:all = all checks
list = check lists only
host = check hosts.ini only
none = no checks, nop = no operation
Users can modify their computer's current DNS checking level via this page.
Computers that have a DNS checking level specified in the dhcpd.ini file will be added to the client list whenever they request or refresh their configuration from the NAT32 DHCPD.
The DNSRD supports an additional blocking mechanism that is based on two block files (ms.txt and ios.txt). File ms.txt contains names to be blocked in order to prevent information leakage to Microsoft servers. File ios.txt contains names to be blocked in order to prevent information leakage to Apple servers.
Computers in the client list can have the following DNS blocking options:ms_toggle = toggle Microsoft blocks
ios_toggle = toggle Apple blocks
Additional options include all_on and all_off to toggle both Microsoft and Apple blocks.
All names are checked for label length. The maximum label size can be specified via the environment variable dnsl and defaults to 40, although the maximum label length is 63.
This feature not only protects against malware but also significantly reduces network traffic.
If fully transparent DNS name resolution is required, a simple DNS Forwarder can be started with the commands: dnsfd on or wdnsd on (in Winsock mode). The DNSRD must be off in this case.
The white command should be used with caution, because name resolution will only take place for names listed in the white-list. Should a web page reference other names not in the white-list, the page might not be rendered correctly.
DHCPD, Control Panel, dnsmap, firewall, HOSTS test, httpget, isolate, setns