Ask HN: Local hostnames without root/admin

13 points by terry_hc 241 days ago | 32 comments

I'm looking for a simple way to locally define hostnames for internal use, think /etc/hosts, but without the requirement of superuser privileges. Running a resolver locally, or within the LAN, falls outside the realm of "simple". The subject is primarily the web browser, so a clever browser extension for Firefox and/or Chromium would work great. If resolution could also happen outside the browser that would be a nice bonus.

Thankful for any suggestions.

denkmoon 238 days ago |

You've excluded the answer. Running a local resolver is quite simple. One tiny process running with a single config file is going to be as simple as (if not more so) any other possible solution you'll find.

WarOnPrivacy 241 days ago |

> As noted in the ingress, the web browser is the primary application.

In Firefox, about:networking and about:networking#dns are the http cache and dns cache. I have never considered writing values to these directly. Could there be a method for doing so within the developer console? Perhaps someone knows.

There are replies in the below link that touch on it for Chrome. The top suggestion, however, is using a socks 5 proxy server as a workaround. https://superuser.com/questions/184643/override-dns-in-firef...

yjftsjthsd-h 238 days ago |

> think /etc/hosts, but without the requirement of superuser privileges.

It would help if you could expand on this. Is this a "don't want devs to need to mess with their boxes" thing, or a "we're doing shadow IT and can't run things the normal way" thing, or something else?

> Running a resolver locally, or within the LAN, falls outside the realm of "simple".

No, it really doesn't. A DNS server can be a single file binary pointed at a simple text file, optionally pointed directly at a hosts-format file. I suggest coredns personally but there are other options.

2bluesc 237 days ago |

You can use the linker to preload `nss_wrapper`[0] and overwrite anything using `nss`.

Here's an example:

  > cat hosts
  198.51.100.33 test.tld
  2001:db8::33 test.tld
  198.51.100.12 test4.tld
  2001:db8::12 test6.tld

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test.tld
  198.51.100.33   DGRAM  test.tld
  198.51.100.33   STREAM test.tld
  2001:db8::33    DGRAM
  2001:db8::33    STREAM

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test4.tld
  198.51.100.12   DGRAM  test4.tld
  198.51.100.12   STREAM test4.tld

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test6.tld
  2001:db8::12    DGRAM  test6.tld
  2001:db8::12    STREAM test6.tld

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts curl -v test.tld
  * Host test.tld:80 was resolved.
  * IPv6: 2001:db8::33
  * IPv4: 198.51.100.33
  *   Trying [2001:db8::33]:80...
  *   Trying 198.51.100.33:80...

[0] https://cwrap.org/nss_wrapper.html

protocolture 238 days ago |

>without the requirement of superuser privileges

Like you want to be able to update it without su or that you cant access it at all?

Like you could have a cron running as root that updates etc/hosts every minute based on a userspace text document if you felt like it. It would be incredibly bad practice but I dont get the impression that this is a concern.

>Running a resolver locally, or within the LAN, falls outside the realm of "simple".

Running your own DNS server isnt simple? The standard Microsoft DHCP/DNS process is to take DHCP leases and turn them into DNS entries.

Part of the reason a lot of answers are going to challenge your simple requirements, is that theres a great deal of malware that would love to do what you want to do, and these systems are largely hardened to prevent it.

If this is for an application you want to deploy, I believe "Simple" for userspace, is quite complex to overcome all the things trying to prevent exactly this. My gut feeling is that this desire will evolve into a docker container with a DNS resolver, and just present some kind of interface for adding records. Then just pipe all your DNS requests through the container.

simpaticoder 238 days ago |

You are probably running a resolver on the LAN already, in your router. Now you just have to login and add an entry.

urbandw311er 238 days ago | |

This is the correct answer. You can’t have a DNS resolver without, er, using a DNS resolver.

galaxy_gas 238 days ago |

1. Buy domain for your service

2. Make wildcard record to point to 127.0.0.1

3. User can apply any.thing.here.yourcompanyinternal.xxx

g4cg54g54 238 days ago | |

https://en.wikipedia.org/wiki/DNS_rebinding protection will stop this from working "hopefully" ;)

but `--host-resolver-rules` may work, https://chromium.googlesource.com/chromium/src/+/main/net/ba... @terry_hc

bawolff 238 days ago | | |

> https://en.wikipedia.org/wiki/DNS_rebinding protection will stop this from working "hopefully" ;)

Does anyone actually ban 127 resolution to stop dns rebinding? I feel like that would probably break a lot of things while not actually preventing dns rebinding.

DougN7 238 days ago | |

_Someone_ must have already done this, right?

galaxy_gas 238 days ago | | |

Only your domain ! You would not want to use other people. They can see what you request from their DNS server. Since they own the domain they can also get valid certificate ..

Look they are requesting owa.mydomain Why don't I replace it with internet accessible phishing for outlook page ? Why it's bad idea

NationOfJoe 238 days ago | | |

*.lndo.site 127.0.0.1

This domain is used by https://lando.dev/ which is a docker/docker-compose wrapper for local development.

pacifika 238 days ago | | |

Would it be a problem to disclose it, in terms of it getting shutdown?

k1t 238 days ago | | |

  *.fbi.com

ogig 238 days ago |

Since you can't edit hosts, or setup a resolver, maybe bookmark directly the ips on your browser? I understand you asked for hostnames but given the context you might aswell internalize some local ips.

ranger207 238 days ago |

This feels like an X-Y problem. What's preventing you from running a local copy of Dnsmasq? It's really not difficult

terry_hc 241 days ago |

I want to note that I mean to use such internal hostnames to reach services inside a VPN. If solutions such as IPsec or OpenVPN can somehow push and manifest host->IP correlations for the OS, as an alternative to pushing an additional DNS resolver living inside the VPN, that would also be a viable solution.

LorenDB 238 days ago | |

Tailscale is very easy to set up and provides resolvable hostnames (at an OS level) for all connected devices.

Cheer2171 238 days ago | | |

Tailscale requires superuser/admin

Poiesis 238 days ago |

Depending on the details of your setup and precisely why you're attempting this, I would also recommend Avahi/Zeroconf (lets you type "$HOSTNAME.local" or simply populate some favorites/bookmarks on the client machines (typing the bookmark name will generally autocomplete).

moondev 238 days ago |

https://nip.io/

lucgommans 238 days ago | |

Or if you need records other than A/AAAA, like MX for delivering email: https://anyz.one

e.g. 10.2.3.4.anyz.one will refer the recursive resolver to query 10.2.3.4 for the answer to the query. You can also buy a domain and configure it to do that, but this is quicker

Disclosure: I wrote anyzone

fragmede 237 days ago |

https://github.com/Riant/host-switch-plus or --host-resolver-rules to chrome, FoxyProxy for Firefox.

sim7c00 241 days ago |

anything that could capture the traffic of another application outside of that application is likely gonna need super user privs. the ports it flows on need those to capture it, and running a program which could capture it also likely needs it.

that being said: more context would thus help. what application is making the request, and at what point do you expect to intercept or get that request? is that outside the same app or not?

edit: also, can you atleast set it up as root or does everything need to happen as user? (and the OS might also matter)

terry_hc 241 days ago | |

As noted in the ingress, the web browser is the primary application. It must work for an end-user lacking the technical facilities or even sufficient administrative access to install a resolver or edit the system's hosts file. A browser extension would be a great solution.

drpixie 238 days ago |

Perhaps you can enable a default local domain on your router? Openwrt certainly lets you choose a local domain and the router then replies to DNS requests for somehost.local names.

GoblinSlayer 238 days ago |

If your programs use glibc, it supports hosts overrides in an environment variable, forgot which.

2bluesc 237 days ago | |

`HOSTALIASES` lets you alias hostnames, but not map hostnames to IPs.

Docs at `man gethostbyname`

https://man7.org/linux/man-pages/man3/gethostbyname.3.html

BobbyTables2 234 days ago |

What about mDNS? A server on 5353 needednt be privileged….

> cat hosts 198.51.100.33 test.tld 2001:db8::33 test.tld 198.51.100.12 test4.tld 2001:db8::12 test6.tld > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test.tld 198.51.100.33 DGRAM test.tld 198.51.100.33 STREAM test.tld 2001:db8::33 DGRAM 2001:db8::33 STREAM > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test4.tld 198.51.100.12 DGRAM test4.tld 198.51.100.12 STREAM test4.tld > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test6.tld 2001:db8::12 DGRAM test6.tld 2001:db8::12 STREAM test6.tld > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts curl -v test.tld * Host test.tld:80 was resolved. * IPv6: 2001:db8::33 * IPv4: 198.51.100.33 * Trying [2001:db8::33]:80... * Trying 198.51.100.33:80...