DNS local-domain anti-spoofing on Windows 7?
I'm looking for a way to customize the DNS resolution policy on Windows 7 as follows:
1) For certain private domains, the request should be forwarded to a secure server of my choosing (likely VPN-connected).
2) For all other requests, they should propagate as normal through the Windows DNS resolution system (i.e. the DNS servers from DHCP, in binding order, etc.)
The main impetus would be to protect this private domain from spoofing (for example, in case I connect to a friendly free-WiFi hotspot which kindly forwards all hostnames to some proxy, causing my private connection requests to be directed to Starbucks' gateway server, which is conveniently in a non-private IP block - thus passing through my firewall as well).
I've looked into a few solutions; the most promising seems to be running a personal configurable DNS forwarder on my system, with a kludge dummy adapter with 127.0.0.1 as a static DNS entry at the top of the binding list; this should force all DNS requests to pass through my forwarder, which can then filter and handle the private domain requests as necessary. The problem lies in handling the remaining requests; passing them back to the Windows DNS stack seems like it would just produce an infinite forwarding loop, and no implementation (as far as I know) has special functionality like collecting the DNS server entries from Windows DHCP (other than the dummy entry) and trying them one by one.
Letting the local forwarder stay silent seems like it may be a partial solution, since Windows will go on to try the other DNS servers; the worry is that Windows, in being "smart", may decide to skip the local forwarder on future requests as well; furthermore, there is the problem of incurring an ~2 second timeout on every new DNS request, which would be unfortunate. An NXDOMAIN response would not work, since this would be binding (i.e. Windows would not continue trying the remaining servers).
As a side note, unfortunately using a public DNS server (like OpenDNS, etc.) at the end of the chain also won't really work - as it happens, my laptop also connects to other private networks, which have their own private DNS servers and internal hostnames, served of course by DHCP - I want to avoid setting up a manual configuration for that as much as possible.
Also tried setting up DNSSEC for my domain, until I realized that Windows 7 nicely includes DNSSEC support, but not a verifier; since it simply follows the "authenticate" bit set by its local friendly DNS server, it clearly won't do much against a spoofer.
TLDR: I want to interject some custom handling to forward DNS for my personal domain to a personal server, but leave all other DNS handling with Windows' default behavior. Anyone have tips?
EDIT: As an addendum, should note that I'm looking for a system-wide solution, not just for Firefox - the connections in question are file shares, among other services.
Comments (1)
Found the answer just now - Windows 7 and Server 2008R2 apparently both contain the Name Resolution Policy Table, a feature intended for just this purpose, to direct and secure DNS queries filtered by domain name (and/or prefix). I had heard that it supported DNSSEC enabling by domain name, but I hadn't found out that it also supports direct access policy (i.e. specifying a specific set of DNS servers to query for particular domains, exactly what I'm looking for). Just tested, and the NRPT policy in combination with relevant firewall settings blocks off the domain names unless connected directly to the private network. Self-answering this, but leaving the information here for reference by others (seems like an amazingly useful feature for people securing portable computer equipment).
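As an added example (not part of the post), the split described above written with the DnsClient cmdlets that Windows 8 / Server 2012 and later ship for the NRPT; Windows 7 and 2008 R2, the systems in the post, expose the same table only through Group Policy (Computer Configuration > Policies > Windows Settings > Name Resolution Policy), so these cmdlets are not available there. The private suffix, the resolver address and the rule label are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated prompt on
# Windows 8 / Server 2012 or later (DnsClient module). The suffix, server
# address and label below are made-up values.
$PrivateSuffix  = '.corp.example'     # hypothetical private zone
$TrustedServers = @('10.8.0.53')      # hypothetical resolver reachable only over the VPN
$Label          = 'Private zone via VPN'

# Replace any earlier rule for the same suffix so the script can be re-run.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $PrivateSuffix } |
    Remove-DnsClientNrptRule -Force

# Only names under the suffix match this rule; every other query keeps using
# the adapter (DHCP-assigned) resolvers, which is the split the question asks
# for. DNSSEC validation is not required here because, as the post notes, the
# Windows 7 era client has no validator of its own.
Add-DnsClientNrptRule -Namespace   $PrivateSuffix `
                      -NameServers $TrustedServers `
                      -DisplayName $Label `
                      -Comment     'Send private-zone queries to the trusted resolver only'

# Drop cached answers so the new policy is exercised by the checks below.
Clear-DnsClientCache

# Show the effective table: the private suffix should list only the trusted
# resolver, and no entry should exist for public names.
Get-DnsClientNrptPolicy -Effective

# Functional check: with the VPN down this query fails rather than being
# answered by whatever resolver the hotspot handed out, which is the property
# the post wants. Compare with an ordinary public name, which still resolves
# through the adapter DNS servers.
Resolve-DnsName -Name "files$PrivateSuffix" -Type A -DnsOnly -ErrorAction SilentlyContinue
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
```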