Reference Manual

DNS Flush

NAME

dnsrd - Interact with the DNS Resolver Daemon
SYNOPSIS
dnsrd [on flag] | off
dnsrd black|grey|white|special|local|ms|ios [name]
dnsrd clear black|white|grey|special|local|ms|ios [name]]
dnsrd client [ip [level [block]]]
dnsrd clear client [ip]
dnsrd get ip blocks
dnsrd get ip filters
dnsrd get ip pihole
dnsrd pihole [ip [on|off]]

dnsfd [on|off]
white [ifn [on | off | flag]]

 

...

DESCRIPTION

Command dnsrd starts or stops the DNS Resolver Daemon. Argument flag specifies whether NAT32 Name Resolution (2) or Windows Name Resolution (1) APIs are to be used. If flag is 0, only built-in names like nat32.box are checked.

The DNSRD supports a black-list of names that always resolve to the address of the NAT32 Honeypot. The names can be complete DNS domains (denoted by ^) or shorter substrings.

Example:

dnsrd black "^ws.microsoft.com" # Quotes required because of the ^ character

dnsrd black windows.microsoft.com

Exceptions can be specified in the white-list and always override strings in the black-list. The command white can be used to specify that only white-listed name requests from the specified interface are to be resolved. Special local names like nat32.box will always be resolved, except if a flag value of 2 is specified.

The DNSRD also supports a grey-list of names that always resolve to the address of the NAT32 Honeypot. For grey-listed names, all HTTPS access is blocked and HTTP content is fetched using NAT32's httpget command. Exceptions can be specified in the white-list and always override strings in the grey-list.

Example:

dnsrd black .ads

dnsrd white .org

The first rule will block names such as www.adserver.com but names such as www.adserver.org will be allowed because of the second rule.

The DNSRD also supports a list of names that must always use a special route to the Internet. This feature is useful for accessing sites that block content by geographical location. If a VPN connection to a server in a specific country is available, then all traffic to names in the special list will be forwarded via that VPN connection.

Example:

dnsrd special .bbc.

The command will cause all traffic to names containing the string ".bbc." to be forwarded via the NAT32 Auxiliary interface, which, in this case, would typically be a connection to a VPN Server in the UK.

Note that many such VPN Servers exist, and they can easily be found on the Internet. NAT32 has been tested with 12VPN.NET, a VPN Service that supports L2TP/IPsec connections to serveral servers in 9 different countries. Another highly-recommended VPN service is IPVanish and NAT32 has been adapted to fully support OpenVPN used by IPVanish and others.

NOTE: Users of Windows XP should ensure that the NDISWANIP adapter is at the top of the TCP/IP Binding List. Please see this Microsoft Support Page for details.

Names in the local list always resolve to the IP address of the interface on which the DNS request was received.

The DNSRD also supports HOSTS file lookup. To use this feature, please download the latest hosts.zip file and extract it to your NAT32 installation directory. The extracted hosts.ini file is an optimized version of the hosts.txt file freely available from the hosts-file.net site.

[10. Aug, 2020] Unfortunately, the above site no longer exists, but a backup version is available from this GitHub site.

After downloading, be sure to copy the all-hosts.txt file to hosts.txt in your NAT32v2 directory and then delete the existing hosts.ini file. NAT32 will then automatically generate a new hosts.ini file from the new hosts.txt file when next it runs.

The file is loaded into an internal, indexed table each time NAT32 starts. Any DNS request for a name contained in that table will quickly resolve to the NAT32 Honeypot address (usually 1.2.3.4). All machines, including the NAT32 machine itself, will then be safe from advertisements, malware, 3rd party cookies and other unwanted content. Web browsing speed will increase dramatically because unwanted content will never be downloaded to your machines. Be sure to update the hosts.ini file regularly.
Note that you do not need to modify the Windows HOSTS file in order to use the DNSRD's host-blocking features, nor do you need to modify the Windows DNS Client Service. In fact, turning off the Windows DNS Client Service will render the Microsoft Edge browser unusable on the Windows 10 platform.

Computers in the client list can have the following DNS checking levels:

Enable ALL checks  all = all checks
Enable LIST checks  list = check lists only
Enable HOSTS checks  host = check hosts.ini only
Disable ALL checks  none = no checks, nop = no operation

...

Users can modify their computer's current DNS checking level via the Control Panel.

Computers that have a DNS checking level specified in the dhcpd.ini file will be added to the client list whenever they request or refresh their configuration from the NAT32 DHCPD.

The DNSRD supports an additional blocking mechanism that is based on two block files (ms.txt and ios.txt). File ms.txt contains names to be blocked in order to prevent information leakage to Microsoft servers. File ios.txt contains names to be blocked in order to prevent information leakage to Apple servers.

Computers in the client list can have the following DNS blocking options:

Toggle Microsoft blocks  ms_toggle = toggle Microsoft blocks
Toggle Apple blocks  ios_toggle = toggle Apple blocks

...

Additional options include all_on and all_off to toggle both Microsoft and Apple blocks.

Computers in the client list can also have a PiHole flag set, in which case name resolution will be performed by the PiHole Server specified in the global variable phips.

NOTES

All names are checked for label length. The maximum label size can be specified via the environment variable dnsl and defaults to 40, although the maximum label length is 63.

DNS names that resolve to the NAT32 Honeypot address will be served content appropriate to the type of traffic that an application is requesting. For example, if a Web Client is requesting an image file, the Honeypot will return a small placeholder image. Similarly, if HTML or Javascript content is requested, small placeholder files will be returned.

This feature not only protects against malware but also significantly reduces network traffic.

If fully transparent DNS name resolution is required, a simple DNS Forwarder can be started with the commands: dnsfd on or wdnsd on (in Winsock mode). The DNSRD must be off in this case.

The white command should be used with caution, because name resolution will only take place for names listed in the white-list. Should a web page reference other names not in the white-list, the page might not be rendered correctly.

As of NAT32 Build 22346, a Honeypot Port 443 daemon is no longer started in file startup.txt. In addition, command setns e5 is used to instruct the DNSRD to report NXDOMAIN for blocked names. This means that clients attempting to resolve blocked names will receive a "Name does not exist" response.
SEE ALSO
DHCPD, Control Panel, dnsmap, firewall, HOSTS test, httpget, isolate, setns