1

Good day, everyone.
Let's say I have the following setup:

  • Windows 7 as host machine, DNS 192.168.0.100, 8.8.8.8, 8.8.4.4
  • Ubuntu 16.04 as guest machine on VirtualBox, DNS 192.168.0.100 (host?)

Ubuntu is connected to Windows's network via VirtualBox's NAT.

When I'm performing nslookup google.com, the results are totally different.
On Windows I see 6 x 172.xxx.xxx.xxx while on Ubuntu I see 6 x 62.xxx.xxx.xxx

So I guess even if I resolve google.com locally on my "router" machine on my network to block it from users, if a user has a custom DNS server on their machine, they'll resolve other IP addresses? Any solution for that except forcing them to use my DNS server?

Groosha
  • Is your end goal to block access to google.com web site for users within your network? – Dusan Bajic Nov 08 '17 at 14:00
  • put proxy server like squid on router machine and force all web (http/https) traffic via it – Martynas Saint Nov 08 '17 at 14:38
  • @DusanBajic my end goal is to block access to many websites by IP, not only Google. – Groosha Nov 08 '17 at 15:06
  • 2
    @MartynasSklizmantas Unfortunately I'm not able to use Squid, since I'll have a very high bandwidth of traffic (~10 GBit/sec) and Squid is used only to dump __some__ SSL traffic. – Groosha Nov 08 '17 at 15:08
  • For many reasons (one of them explained by @Alex), websites can have many IP addresses, and addresses can change very dynamically, so blocking sites based on IP addresses will not work, or will be impossible to maintain - especially if there are many sites to block. – Dusan Bajic Nov 08 '17 at 15:21
  • I believe the only viable solution is as @MartynasSklizmantas suggested; if the Squid does not work for you, search the enterprise market for something with enough capacity (Cisco/Juniper/paloAlto/Checkpoint...) – Dusan Bajic Nov 08 '17 at 15:24

2 Answers

1

Many DNS providers are using anycast to respond with the "best" result depending on where on the Internet the query is coming from.

Executing the same query on multiple DNS servers located in various parts of the world therefore will commonly result in different results. This is normal, and it helps with, among many other things, routing traffic to the closest caching server.

Alex
  • The problem is that both machines are virtually in the same place: ubuntu is running as guest on VirtualBox. The location is the same, but the results are different. – Groosha Nov 08 '17 at 15:05
  • There are many strategies that Google can use to balance your requests, taking into account not only location but also other things, so you cannot rely on DNS resolving google.com or any other domain to the same IPs. – Martynas Saint Nov 08 '17 at 15:11
  • @MartynasSklizmantas any advice how to setup the blocking by ip in my case? – Groosha Nov 08 '17 at 15:15
  • Depending on the budget maybe you could go with a commercial firewall, but even in that case it would work with a squid-like setup, just it might be more performant. Also you can block DNS traffic from the Windows machine and have your own DNS server with the domains you want to block pointing to 127.0.0.1 :) – Martynas Saint Nov 08 '17 at 15:21
  • Your DNS server settings are not the same, so the responses you get won't be the same either. Also, a large host like Google will return many addresses at once (nslookup would likely have shown that; if not, use dig). – Alex Nov 08 '17 at 18:26
  • @MartynasSklizmantas I mentioned below in my answer already that blocking DNS and forcing to use a controlled DNS is not preventing access to a site. It will only prevent DNS resolution. If users enter details in their local hosts file the name will resolve and you can't prevent it. You either have to filter the IP or force traffic through a proxy. – user228505 Nov 10 '17 at 17:31
  • yeah, that's correct if you don't remove user admin rights - they can obviously use the hosts file – Martynas Saint Nov 10 '17 at 18:01
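The comments above turn on the fact that two resolvers can return different address sets for the same name, and that nslookup may hide part of the list. The script below is an added example, not code from the thread or from any of its participants: it builds an A query with the standard library only, sends it to each resolver, parses the whole answer section, and reports which addresses are not common to all resolvers. The resolver addresses in the usage line are taken from the question and are assumptions for illustration; build_response constructs a synthetic reply so the parser can be exercised offline.

```python
"""Compare the A records that different resolvers return for one name.

Added example, not code from the thread. Standard library only: it builds
a DNS query, sends it over UDP to each resolver, and parses the answer
section so the full address list of every resolver can be diffed.
"""
import random
import socket
import struct


def _encode_name(name):
    """Wire-format a hostname: length-prefixed labels, terminated by 0x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid):
    """Standard recursive A/IN query: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid, name, addrs, ttl=300):
    """Constructed response (for offline runs and tests, not a captured packet):
    each answer uses a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + question + answers


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, name ends here
            return offset + 2
        offset += 1 + length


def parse_a_records(data, expected_id):
    """Set of IPv4 addresses in the answer section. Rejects a mismatched
    transaction id (the basic spoofing check) and non-zero RCODEs."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                    # RCODE is the low four bits
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4             # QTYPE + QCLASS
    addrs = set()
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:    # A record, IN class
            addrs.add(socket.inet_ntoa(rdata))
    return addrs


def query_a(name, resolver, timeout=3.0):
    """Ask one resolver (UDP port 53) for the A records of name."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def answer_differences(results):
    """Addresses that at least one resolver returned but not all of them."""
    sets = list(results.values())
    return set.union(*sets) - set.intersection(*sets)


if __name__ == "__main__":
    import sys
    qname = sys.argv[1] if len(sys.argv) > 1 else "google.com"
    resolvers = sys.argv[2:] or ["192.168.0.100", "8.8.8.8"]   # assumed, from the question
    results = {r: query_a(qname, r) for r in resolvers}
    for r, addrs in results.items():
        print(r, sorted(addrs))
    print("not common to all resolvers:", sorted(answer_differences(results)))
```

Run it as `python3 compare_resolvers.py google.com 192.168.0.100 8.8.8.8` on the host; the last line is the set of addresses a user who points at a different resolver would get and that an IP-based filter fed from only one resolver would miss. The parser deliberately reads the whole answer section rather than the first record, which is the point Alex makes about nslookup versus dig.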
-1

I suppose google is using a round-robin approach to do load balancing. So on different DNS queries you will get different results for your query for google.com. With the response being cached on the local machine you will get the same IP when trying multiple times.

If you don't want users to be able to access a host you have to block on IP level. Even if you force them to use your DNS by a firewall rule they still could enter these details in their local /etc/hosts file to directly get an IP address for google.com and connect to it.

user228505
  • What I'm trying to do is to set up blocking via ipset with lots of IP addresses. Unfortunately ipset doesn't allow blocking by hostname, and having lots of entries in iptables will slow down everything. So I thought to make a resolver to resolve "banned" hostnames to IPs and add them to ipset – Groosha Nov 08 '17 at 14:45
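The resolver-to-ipset feeder that Groosha describes in this comment, together with the caveat from the earlier comments that answers rotate between lookups and that a DNS sinkhole answering 127.0.0.1 must never end up in the block set, as an added example that is not code from the thread or its participants. The set names blocked4/blocked6, the hostname file and the `-exist` idempotent-add flag are assumptions for illustration (the flag exists in ipset; the set names are chosen here).

```python
"""Feed an ipset from a list of blocked hostnames.

Added example, not from the thread. Resolves every address currently
returned for each hostname, skips addresses that must never be blocked
(loopback, link-local, multicast, unspecified), and emits idempotent
`ipset add -exist` commands only for addresses not already in the set.
"""
import ipaddress
import socket
import subprocess

SET_V4 = "blocked4"   # assumed: created with `ipset create blocked4 hash:ip`
SET_V6 = "blocked6"   # assumed: created with `ipset create blocked6 hash:ip family inet6`


def system_lookup(hostname):
    """All A/AAAA answers the system resolver returns right now (may be empty)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # sockaddr is (host, port) for IPv4, (host, port, flow, scope) for IPv6;
    # drop any "%scope" suffix so ipaddress can parse the text.
    return sorted({info[4][0].split("%")[0] for info in infos})


def is_blockable(addr):
    """Refuse answers that a sinkholing or broken resolver could hand back and
    that would break the gateway itself if dropped. Whether RFC1918 answers
    should be accepted is a local policy choice and is not decided here."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast
                or ip.is_unspecified)


def plan_ipset_commands(hostnames, existing, lookup=system_lookup):
    """argv lists for addresses not yet in `existing`.

    Addresses are only ever added, never removed: as the thread notes, a
    name answers with a rotating subset of its addresses, so an address
    missing from one lookup is not evidence that it no longer belongs to
    the site. Removal is a separate, deliberate operation.
    """
    commands = []
    seen = set(existing)
    for name in hostnames:
        for addr in lookup(name):
            if addr in seen or not is_blockable(addr):
                continue
            seen.add(addr)
            setname = SET_V6 if ":" in addr else SET_V4
            commands.append(["ipset", "add", "-exist", setname, addr])
    commands.sort(key=lambda c: (c[3], ipaddress.ip_address(c[4])))
    return commands


def parse_ipset_list(output):
    """Member addresses from `ipset list <set>` output: everything after the
    'Members:' line, first token per line (ignores per-entry options)."""
    members = set()
    in_members = False
    for line in output.splitlines():
        if line.startswith("Members:"):
            in_members = True
            continue
        if in_members and line.strip():
            members.add(line.split()[0])
    return members


def current_members(setname):
    out = subprocess.run(["ipset", "list", setname], capture_output=True,
                         text=True, check=True).stdout
    return parse_ipset_list(out)


if __name__ == "__main__":
    import sys
    # usage: feed_ipset.py blocked-hosts.txt [--apply]   (file path is an assumption)
    with open(sys.argv[1]) as fh:
        names = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    existing = current_members(SET_V4) | current_members(SET_V6)
    for cmd in plan_ipset_commands(names, existing):
        print(" ".join(cmd))
        if "--apply" in sys.argv[2:]:
            subprocess.run(cmd, check=True)
```

The sets are matched from the forwarding path with rules such as `iptables -I FORWARD -m set --match-set blocked4 dst -j DROP` (and the ip6tables equivalent for blocked6), which is what keeps the rule count constant however many addresses accumulate. Because answers rotate, the script is meant to run repeatedly from cron; each run can only grow the sets, and the loopback filter is what keeps a sinkholed name from inserting 127.0.0.1.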