Implementing Per-Domain DNS Configuration in macOS Using Resolver Configuration Files
In macOS, controlling where DNS queries go is part of running a robust and secure network: the resolver that answers for a domain decides which hosts your applications talk to. The operating system gives granular control over Domain Name System (DNS) settings. This post walks through setting up per-domain DNS configuration on macOS using resolver configuration files.
Adding a DNS Rule Per Domain
macOS has a feature that lets you specify DNS servers for individual domains. This is done with resolver configuration files in the /etc/resolver/ directory. Each file in this directory is named after a domain and lists the DNS servers to be used for names under that domain.
Let’s add a DNS rule for the “ymbihq.local” domain:
- Open Terminal.
- Use sudo to create a file in the /etc/resolver/ directory named after your domain. The directory does not exist on a fresh macOS install, so create it first (sudo mkdir -p /etc/resolver), then:
sudo bash -c 'echo "nameserver 10.0.0.1" > /etc/resolver/ymbihq.local'
This command creates a resolver file named ymbihq.local containing a single line that names 10.0.0.1 as the nameserver. From then on every lookup for a name under ymbihq.local is sent by the system resolver to 10.0.0.1, while lookups for other domains are unaffected. The file uses resolver(5) syntax, so you can add further nameserver lines for redundancy, plus port, search_order and timeout keywords. Two caveats: the file is picked up by the system resolver without a reboot, but only lookups made through the system resolver honour it; and the .local suffix is reserved for Multicast DNS (Bonjour), which macOS normally uses for such names. The resolver file is precisely what sends the ymbihq.local subtree to unicast DNS instead, but if you control the naming, a non-reserved internal domain avoids the conflict.
Reviewing DNS Rules
To verify that the resolver configuration file was created and to review its content, use the cat command:
cat /etc/resolver/ymbihq.local
This prints the contents of the ymbihq.local file, which should look like this:
# Sample output:
nameserver 10.0.0.1
This confirms that the file names 10.0.0.1 as the DNS server for the ymbihq.local domain. It does not prove the resolver is using it: scutil --dns lists the per-domain resolver once it is in effect, and dscacheutil -q host -a name host.ymbihq.local exercises it through the system resolver. dig, nslookup and host read /etc/resolv.conf directly and bypass /etc/resolver entirely, so they are not a valid test here.
Removing a DNS Rule
If you need to remove a DNS rule, delete the corresponding resolver configuration file with the rm command:
sudo rm /etc/resolver/ymbihq.local
After running this command, macOS no longer has a custom DNS server for the ymbihq.local domain and falls back to the standard DNS servers of the active network interface.
By creating and managing resolver configuration files, you control which server answers for each domain. The same mechanism deserves auditing: any file in /etc/resolver/ that you did not put there silently redirects lookups for that domain for every application on the machine, and the usual dig or nslookup check would not reveal it.
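The three steps above (create, verify, remove) as one script. This is an added example, not code from the original post: it validates the domain and nameserver before writing the file, creates the directory the one-liner assumes, verifies through the system resolver rather than dig, and adds an audit listing. RESOLVER_DIR and the probe name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): create, verify, audit and remove a
# per-domain resolver file on macOS. RESOLVER_DIR defaults to the real location;
# point it at a scratch directory for a dry run.
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Accept only a plain DNS name: dot-separated labels of letters, digits and hyphens.
# This also rejects slashes, so the domain cannot escape RESOLVER_DIR.
valid_domain() {
  printf '%s\n' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Render the resolver(5) file body: one validated `nameserver` line per server.
render_resolver_file() {
  [ $# -ge 1 ] || { echo 'render_resolver_file: need at least one nameserver' >&2; return 1; }
  for _ns in "$@"; do
    valid_ipv4 "$_ns" || { printf 'invalid nameserver: %s\n' "$_ns" >&2; return 1; }
    printf 'nameserver %s\n' "$_ns"
  done
}

# Write RESOLVER_DIR/<domain>. The directory is absent on a fresh macOS install.
install_resolver() {
  _domain=$1; shift
  valid_domain "$_domain" || { printf 'invalid domain: %s\n' "$_domain" >&2; return 1; }
  _body=$(render_resolver_file "$@") || return 1
  sudo mkdir -p "$RESOLVER_DIR"
  printf '%s\n' "$_body" | sudo tee "$RESOLVER_DIR/$_domain" >/dev/null
  sudo chmod 644 "$RESOLVER_DIR/$_domain"   # root-owned and world-readable, like the rest of /etc
}

# Check through the system resolver, which is what applications use. dig, nslookup
# and host read /etc/resolv.conf directly and never see /etc/resolver.
verify_resolver() {
  scutil --dns | grep -A 4 "domain *: $1"
  dscacheutil -q host -a name "probe.$1"   # "probe" is an arbitrary test label
}

# List every override on the host. A file you did not put here redirects all lookups
# for that domain for every application, so treat unknown entries as suspect.
audit_resolvers() {
  for _f in "$RESOLVER_DIR"/*; do
    [ -f "$_f" ] || continue
    printf '%-30s %s\n' "${_f##*/}" "$(grep -v '^#' "$_f" | tr '\n' ' ')"
  done
}

remove_resolver() {
  valid_domain "$1" || return 1
  sudo rm -f "$RESOLVER_DIR/$1"
}

case "${1:-}" in
  install) shift; install_resolver "$@" && verify_resolver "$1" ;;
  audit)   audit_resolvers ;;
  remove)  remove_resolver "$2" ;;
esac
```

Usage: `sh resolver.sh install ymbihq.local 10.0.0.1`, `sh resolver.sh audit`, `sh resolver.sh remove ymbihq.local`. Validation matters because the domain becomes a file name under /etc written as root, and because a malformed nameserver line silently breaks resolution for that domain.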
Implementing Per-Domain DNS Configuration in Windows Using PowerShell
Mastering DNS Client NRPT Rules with PowerShell
In today's post we look at a compact but powerful chunk of PowerShell that interacts with the DNS Client Name Resolution Policy Table (NRPT) on a Windows machine. The commands add, review and remove rules, giving control over where DNS traffic for a given namespace is sent.
Adding a DNS Client NRPT Rule
Let’s take a look at the first command:
# add a Windows rule for ymbihq.local domain
Add-DnsClientNrptRule -Namespace ".ymbihq.local" -NameServers "10.0.0.1"
This command uses the Add-DnsClientNrptRule cmdlet to add a rule for the .ymbihq.local namespace. The -Namespace parameter gives the DNS suffix the rule matches (the leading dot makes it match every name under ymbihq.local), and -NameServers gives the IP address of the DNS server that must answer queries in that namespace; it accepts a comma-separated list if there is more than one. The cmdlet writes machine-wide policy, so it must run in an elevated PowerShell session.
In this instance, any query for a name under .ymbihq.local is resolved by the DNS server at 10.0.0.1. This is useful in an enterprise environment where custom internal domains must be resolved by specific DNS servers. It is also exactly the mechanism an attacker with local administrator rights can use to silently redirect chosen domains, which is why the rule list is worth auditing.
Reviewing DNS Client NRPT Rules
After adding a rule, verify it with the Get-DnsClientNrptRule cmdlet:
# get the list of rules
Get-DnsClientNrptRule
This lists the NRPT rules configured on the machine, with the unique identifier, namespace and other properties of each. Get-DnsClientNrptPolicy shows the effective policy instead, including rules delivered by Group Policy, so it is the right place to check what a host actually applies. Here is a sample output:
# Sample output:
Name                             : {A7CCF814-7492-4019-9FB1-27F61327AE93}
Version                          : 2
Namespace                        : {.ymbihq.local}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      : 10.0.0.1
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      :
Comment                          :
From this output you can read the properties of the rule just added for the .ymbihq.local namespace, such as its unique identifier (Name, a GUID generated at creation) and the server it sends queries to (NameServers). The Name value is what the removal step needs.
Removing a DNS Client NRPT Rule
The final part of this block of code is dedicated to rule removal:
# remove the rule
Remove-DnsClientNrptRule -Name "{A7CCF814-7492-4019-9FB1-27F61327AE93}"
Here we use the Remove-DnsClientNrptRule cmdlet with the -Name parameter followed by the unique identifier of the rule to remove (the GUID reported by Get-DnsClientNrptRule, which differs on every machine). PowerShell prompts for confirmation before deleting the rule; add -Force in scripts to skip the prompt. To see which server actually answers before and after, use Resolve-DnsName on a name under the namespace; nslookup sends its query straight to the configured server and bypasses the NRPT, so it is not a valid test.
The process looks like this:
Confirm
Removing NRPT rule for namespace .ymbihq.local with DAEnable: Disabled, DnsSecValidationRequired: Disabled, NameEncoding: Disable NameServers: 10.0.0.1
Do you want to continue?
[Y] Yes  [N] No
Today I've already done 20
I'll use this post to mention a new milestone that happened just today: after 46 years less two days, I have visited again the hospital where I was born. This time to get some X-rays of my cervical spine. Who would have thought?
Deploying gotop with Ansible
Gotop is a terminal-based graphical activity monitor inspired by gtop and vtop; it's available at:
https://github.com/xxxserxxx/gotop/
I published a role in Ansible Galaxy for deploying gotop on Linux servers. The role page in Ansible Galaxy is at:
https://galaxy.ansible.com/oriolrius/install_gotop
Role installation command and deployment command:
ansible-galaxy install oriolrius.install_gotop
# change SERVER_IP, for the IP address where you want to deploy gotop
# (the trailing comma makes ansible treat the argument as an inline inventory list
#  instead of a file name; "all" then matches that single host)
ansible -i SERVER_IP, -u root -m include_role -a name=oriolrius.install_gotop all
Get the IP addresses of local Docker containers
We have Docker running and the containers have their own private network. This command prints the private IP address of every running container (add -a to docker ps to include stopped ones; a container attached to no Docker network, for example one started with --network host, shows a blank address):
$ sudo docker inspect $(sudo docker ps -q) \
--format='{{ printf "%-50s" .Name}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}'
/zerotier
/ntp 10.3.10.8
/nodered 10.3.10.11
/n8n 10.3.10.4
/ssh 10.3.10.9
/code 10.3.10.7
/semaphore 10.3.10.6
/rproxy 10.3.10.2
/homer 10.3.10.10
/pihole 10.3.10.27
/pihole_googledns 10.3.10.24
/pihole_opendns 10.3.10.23
OpenSSH public key fingerprint
Quick and easy: how to get the MD5 fingerprint of the public half of an RSA key, starting from the private key file.
Two caveats. First, this is the MD5 of the DER-encoded SubjectPublicKeyInfo, which is the fingerprint AWS EC2 displays for imported key pairs; it is not the value that ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub prints, because OpenSSH hashes the key's SSH wire-format blob instead, so the two do not match. Second, openssl pkey reads PEM/PKCS#8 private keys only; a key in the OpenSSH-native format (BEGIN OPENSSH PRIVATE KEY, the default since OpenSSH 7.8) must be converted first, or fingerprint the .pub file instead.
# syntax (MD5 over the DER-encoded public key):
openssl pkey -in PATH/PRIVATE_RSA_KEY -pubout -outform DER | openssl md5 -c
# example:
$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
MD5(stdin)= a6:26:23:d9:c1:d3:d5:e5:c0:38:ab:3c:c1:6a:3f:ea
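To make the difference between the two fingerprint formats concrete, here is an added example (not from the original post) that computes the OpenSSH-style MD5 and SHA256 fingerprints of a public key line using only openssl, od, awk and sed, and alongside them the DER-based MD5 that the one-liner above produces, for an Ed25519 key. The sample key is constructed (its 32 key bytes are all 0x01) so the script runs offline; it is not a real key.

```shell
#!/bin/sh
# Added example: OpenSSH-style fingerprints (what `ssh-keygen -l` prints) versus the
# MD5 over the DER SubjectPublicKeyInfo that `openssl pkey ... -outform DER | openssl md5`
# produces. Needs only openssl, od, awk, sed, head and tail (macOS and Linux).

# Constructed sample input: an Ed25519 key whose 32 key bytes are all 0x01. Not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB test@example'

# Base64 blob (second field) of an id_*.pub / authorized_keys line.
ssh_blob_b64() {
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# The wire blob starts with a 4-byte big-endian length followed by the key type string.
ssh_key_type() {
  _blob=$(ssh_blob_b64 "$1")
  _len=$(printf '%s' "$_blob" | openssl base64 -d -A | head -c 4 |
         od -An -tu1 | awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
  printf '%s' "$_blob" | openssl base64 -d -A | tail -c +5 | head -c "$_len"
}

# MD5 fingerprint in the colon form of `ssh-keygen -l -E md5`: MD5 over the wire blob.
fp_md5() {
  _blob=$(ssh_blob_b64 "$1")
  printf '%s' "$_blob" | openssl base64 -d -A | openssl dgst -md5 |
    sed 's/^.*= //; s/../&:/g; s/:$//'
}

# Default modern form: "SHA256:" plus unpadded base64 of SHA-256 over the wire blob.
fp_sha256() {
  _blob=$(ssh_blob_b64 "$1")
  printf 'SHA256:%s\n' "$(printf '%s' "$_blob" | openssl base64 -d -A |
    openssl dgst -sha256 -binary | openssl base64 -A | sed 's/=*$//')"
}

# What the post's openssl one-liner hashes, rebuilt from the public key: the DER
# SubjectPublicKeyInfo. For Ed25519 that is the fixed 12-byte prefix
# 302a300506032b6570032100 (base64 MCowBQYDK2VwAyEA) followed by the 32 raw key bytes,
# which are the last 32 bytes of the SSH wire blob.
der_md5_ed25519() {
  [ "$(ssh_key_type "$1")" = ssh-ed25519 ] || { echo 'der_md5_ed25519: not an Ed25519 key' >&2; return 1; }
  _blob=$(ssh_blob_b64 "$1")
  _raw_b64=$(printf '%s' "$_blob" | openssl base64 -d -A | tail -c 32 | openssl base64 -A)
  printf '%s' "MCowBQYDK2VwAyEA${_raw_b64}" | openssl base64 -d -A | openssl dgst -md5 |
    sed 's/^.*= //; s/../&:/g; s/:$//'
}

# Print all three for one key line, so the mismatch is visible side by side.
fingerprint_report() {
  printf 'type          %s\n' "$(ssh_key_type "$1")"
  printf 'ssh md5       %s\n' "$(fp_md5 "$1")"
  printf 'ssh sha256    %s\n' "$(fp_sha256 "$1")"
  printf 'der md5       %s\n' "$(der_md5_ed25519 "$1")"
}

[ "${1:-}" = "--demo" ] && fingerprint_report "$SAMPLE_PUBKEY"
```

Run `sh fingerprint.sh --demo` for the sample, or call `fp_sha256 "$(cat ~/.ssh/id_ed25519.pub)"` for your own key; the `ssh sha256` line is the value to compare against what a server or a known_hosts check shows, and the `der md5` line is the one to compare against an imported-key fingerprint in AWS. The two MD5 values differ because they hash different encodings of the same key.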