Services

[How do I get my monowall box to be the ONLY dns resolver for blah.com and NOT go out to the internet to resolve DNS entries if the dns entry does not exist?]

let's say my domain is blah.com.  My monowall is setup as monowall.blah.com.  However, blah.com is resolvable on the internet.  Whenever I mistype a DNS entry on my internal domain the blah.com on the internet has something setup where anything that gets typed into a browser or via ping it is automatically resolvable.  For instance, say I type in monowal.blah.com to connect via http to my monowall box I get prompted with a generic domain splash page.  fortunately SSH/VNC/RDP does not connect if I mistype the address but naturally I'd rather not allow this.

How do I get my monowall box to be the ONLY dns resolver for blah.com and NOT go out to the internet to resolve DNS entries if the dns entry does not exist?

i tried to make my monowall box be the "Services: DNS forwarder: Edit Domain Override" for blah.com but it still seemed like monowall went out to the internet when the dns entries were not found for the "monowal.blah.com" addresses.

I tried adding a rule to deny all traffic (source: any, destination: specific ip, protocal any) to both IP addresses (it is either one or the other) that respond when I try to connect to the "monowal.blah.com" addresses.  Unfortunately the ping request just routed to a different IP so the request went through (and thus did not block all the traffic.)

Any help would be appreciated.  And yes, I suppose I could change my domain but there has gotta be a way to do this without doing so   Thanks!

In order for "Services: DNS forwarder: Edit Domain Override" to work, your PCs must use the m0n0wall LAN interface IP address for their DNS server specification. Do they?

yes.  dhcp hands out the DNS server and it is the LAN IP address of my monowall box.  when I added my domain override for "blah.com" I hit apply changes but did not reboot.  should I have rebooted?

Never hurts to reboot. Does it work after a reboot?

no, still did not work after reboot.  however, I solved it another way!  I added a DNS forwarder with the following details:

host: *
domain: blah.com
IP: 1.2.3.4

this basically just routes any traffic not already defined in my list of dns forwarders in my internal domain blah.com to an invalid IP address.  this accomplishes the goal I set out which was to avoid having random.blah.com DNS requests from going out to the internet.  I read about the potential solution here http://doc.m0n0.ch/handbook/faq-webfilter.html  I couldn't quite figure out the firewall part in order for the packets to timeout immediately (I tried both reject, block, tcp, udp, etc and never was able to get any of the requests (ping, icmp) nor DNS via web browser to time out immediately.  each firewall rule combinations I tried still took about 10 seconds for the browser to "sending request" and then eventually time out.

not really a big deal for me since my goal was to simply stop the requests from leaving the WAN but for someone who truly wants to "block" the monowall from serving those particular website domains would want their users to immediately get a time out rather than waiting the 10 seconds.

Change the IP from 1.2.3.4 to 127.0.0.1 and it will time out faster.

good call.  dns requests time out faster but naturally ping requests now show as "live" since it is responding via my loopback.  either case all is working as I'd like it.  thanks!