Reference Manual

NAME

dnsrd - Interact with the DNS Resolver Daemon
SYNOPSIS
dnsrd [on|off [flag]]
dnsrd black|grey|white|special|local|ms|ios [name]
dnsrd clear black|white|grey|special|local|ms|ios [name]
dnsrd client [ip [level [block]]]
dnsrd clear client [ip]
dnsfd [on|off]

...

DESCRIPTION

Command dnsrd starts or stops the DNS Resolver Daemon. Argument flag specifies whether NAT32 Name Resolution (2) or Windows Name Resolution (1) APIs are to be used. If flag is 0, only built-in names like nat32.box are checked.

The DNSRD supports a black-list of names that always resolve to the address of the NAT32 Honeypot. The names can be complete DNS domains (denoted by ^) or shorter substrings.

Example:

dnsrd black "^ws.microsoft.com" # Quotes required because of the ^ character

dnsrd black windows.microsoft.com

Exceptions can be specified in the white-list and always override strings in the black-list.

The DNSRD also supports a grey-list of names that always resolve to the address of the NAT32 Honeypot. For grey-listed names, all HTTPS access is blocked and HTTP content is fetched using NAT32's httpget command. Exceptions can be specified in the white-list and always override strings in the grey-list.

Example:

dnsrd black .ads

dnsrd white .org

The first rule will block names such as www.adserver.com but names such as www.adserver.org will be allowed because of the second rule.
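The list semantics described above, modelled as an added example (this is not NAT32 code). It assumes that a rule beginning with ^ is anchored at the start of the name (a complete-domain rule), that any other rule is a case-insensitive substring match, and that the white-list is consulted before the black-list and grey-list so that exceptions override both, as the text states.

```python
# Added example, not part of NAT32: a model of how dnsrd applies its
# black-, grey- and white-lists to a queried name.
HONEYPOT = "1.2.3.4"  # the manual says the Honeypot address is usually 1.2.3.4


def rule_matches(rule: str, name: str) -> bool:
    """Apply one list entry to a DNS name (case-insensitive)."""
    rule, name = rule.lower(), name.lower().rstrip(".")
    if rule.startswith("^"):
        # Assumed: '^' marks a complete domain anchored at the start of the name
        return name.startswith(rule[1:])
    # Otherwise the entry is a plain substring, e.g. ".ads" or ".bbc."
    return rule in name


def classify(name, black=(), grey=(), white=()):
    """Return which list decides `name`: 'white', 'black', 'grey' or None.

    White-list exceptions always override the black-list and the grey-list,
    so the white-list is consulted first.
    """
    if any(rule_matches(r, name) for r in white):
        return "white"
    if any(rule_matches(r, name) for r in black):
        return "black"
    if any(rule_matches(r, name) for r in grey):
        return "grey"
    return None


def resolve_action(name, **lists):
    """Map the verdict to the address returned and what the resolver does."""
    verdict = classify(name, **lists)
    if verdict == "black":
        return (HONEYPOT, "honeypot")
    if verdict == "grey":
        # Grey-listed names also go to the Honeypot; HTTPS is blocked and
        # HTTP content is fetched through NAT32's httpget command.
        return (HONEYPOT, "honeypot; HTTPS blocked, HTTP via httpget")
    return (None, "normal resolution")


if __name__ == "__main__":
    # Constructed sample lists matching the manual's examples
    lists = dict(black=["^ws.microsoft.com", ".ads"], white=[".org"])
    for n in ("www.adserver.com", "www.adserver.org", "ws.microsoft.com"):
        print(n, resolve_action(n, **lists))
```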

The DNSRD also supports a list of names that must always use a special route to the Internet. This feature is useful for accessing sites that block content by geographical location. If a VPN connection to a server in a specific country is available, then all traffic to names in the special list will be forwarded via that VPN connection.

Example:

dnsrd special .bbc.

The command will cause all traffic to names containing the string ".bbc." to be forwarded via the NAT32 Auxiliary interface, which, in this case, would typically be a connection to a VPN Server in the UK.

Note that many such VPN Servers exist, and they can easily be found on the Internet. NAT32 has been tested with 12VPN.NET, a VPN Service that supports L2TP/IPsec connections to several servers in 9 different countries. Another highly recommended VPN service is IPVanish, and NAT32 has been adapted to fully support the OpenVPN protocol used by IPVanish and others.

NOTE: Users of Windows XP should ensure that the NDISWANIP adapter is at the top of the TCP/IP Binding List. Please see this Microsoft Support Page for details.

Names in the local list always resolve to the IP address of the interface on which the DNS request was received.

The DNSRD also supports HOSTS file lookup. To use this feature, please click here and unzip the file to your NAT32 installation directory. The hosts.ini file is an optimized version of the HOSTS file freely available from the hosts-file.net site. The file is loaded into an internal table each time NAT32 starts. Any DNS request for a name contained in that table will resolve to the NAT32 Honeypot address (usually 1.2.3.4). All machines, including the NAT32 machine itself, will then be protected from advertisements, malware, third-party cookies, and other unwanted content. In addition, web browsing speed will increase noticeably because unwanted content is never downloaded to your machines. Be sure to update the hosts.ini file regularly.

Note that you do not need to modify the Windows HOSTS file in order to use the DNSRD's host-blocking features, nor do you need to modify the Windows DNS Client Service. In fact, turning off the Windows DNS Client Service will render the Microsoft Edge browser unusable on Windows 10 platforms.

Computers in the client list can have the following DNS checking levels:

Enable ALL checks      all  = all checks
Enable LIST checks     list = check lists only
Enable HOSTS checks    host = check hosts.ini only
Disable ALL checks     none = no checks
                       nop  = no operation

...

Users can modify their computer's current DNS checking level via this page.

Computers that have a DNS checking level specified in the dhcpd.ini file will be added to the client list whenever they request or refresh their configuration from the NAT32 DHCPD.

The DNSRD supports an additional blocking mechanism that is based on two block files (ms.txt and ios.txt). File ms.txt contains names to be blocked in order to prevent information leakage to Microsoft servers. File ios.txt contains names to be blocked in order to prevent information leakage to Apple servers.

Computers in the client list can have the following DNS blocking options:

Toggle Microsoft blocks    ms_toggle  = toggle Microsoft blocks
Toggle Apple blocks        ios_toggle = toggle Apple blocks

...

Additional options include all_on and all_off to toggle both Microsoft and Apple blocks.

NOTES

All names are checked for label length. The maximum label size can be specified via the environment variable dnsl and defaults to 40; the DNS protocol itself allows labels of up to 63 characters.

DNS names that resolve to the NAT32 Honeypot address will be served content appropriate to the type of traffic that an application is requesting. For example, if a Web Client requests an image file, the Honeypot will return a small placeholder image. Similarly, if HTML or JavaScript content is requested, small placeholder files will be returned.

This feature not only protects against malware but also significantly reduces network traffic.

If fully transparent DNS name resolution is required, a simple DNS Forwarder can be started with the commands: dnsfd on or wdnsd on (in Winsock mode). The DNSRD must be off in this case.

SEE ALSO
DHCPD, Control Panel, dnsmap, firewall, HOSTS test, httpget, setns