Here’s the situation: you’ve got a nice hardened DNS resolver setup which prevents DNS resolution of unsavory server addresses. But what happens when you really, really, really need to access one of them?
I had to face this prospect with analytics.google.com. When going to the website, I get:

As far as my system is concerned, analytics.google.com simply does not exist (there’s even an RFC about NXDOMAIN meaning that).
What we really need is a way to run a browser with a non-restricted DNS resolver. I would use this (untrusted) environment to open the one website I need to access, and then terminate the environment when I’m done.
So let’s bring the environment up with this Vagrantfile:
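    Vagrant.configure("2") do |config|
      config.vm.box = "ubuntu/bionic64"
      config.vm.provision "shell", inline: <<-SHELL
        apt-get update
        apt-get install -y firefox
        # Remove the existing resolv.conf (a symlink to the systemd-resolved
        # stub on Ubuntu 18.04) and write a plain file that points the guest
        # at a public resolver instead.
        rm /etc/resolv.conf
        echo "nameserver 9.9.9.9" > /etc/resolv.conf
      SHELL
    end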
So there you have it, a browser VM you can bring up using:

    vagrant up

then a browser you can start using:

    vagrant ssh -- -X firefox

visit the untrusted site, do your thing, and finally:

    vagrant destroy

You can now visit websites you don’t trust, and clean up after yourself.
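
Before opening the site, it is worth confirming that the provisioning step really replaced the guest's resolver configuration rather than leaving the original symlink in place. The check below is an added example, not part of the original post; `list_nameservers` and `check_resolv_conf` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify that a resolv.conf-style file is a plain file whose
# nameserver entries are exactly the expected ones.
# Usage: sh check_resolv.sh FILE EXPECTED_NAMESERVER...
# (check_resolv.sh, list_nameservers and check_resolv_conf are hypothetical names.)

# Print the nameserver addresses found in FILE, one per line.
# Commented-out entries ("#nameserver ...") do not match and are ignored.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if FILE is a regular file listing only the expected nameservers,
# 1 on a nameserver mismatch, 2 if FILE is a symlink, 3 if it is missing.
check_resolv_conf() {
    file=$1
    shift
    # A symlink means the file is still managed by something else, for
    # example the systemd-resolved stub that Ubuntu 18.04 ships.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink, the override did not take effect" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 3
    fi
    # Compare the sorted, de-duplicated sets of addresses.
    found=$(list_nameservers "$file" | sort -u | tr '\n' ' ')
    expected=$(printf '%s\n' "$@" | sort -u | tr '\n' ' ')
    if [ "$found" != "$expected" ]; then
        echo "FAIL: nameservers are '$found', expected '$expected'" >&2
        return 1
    fi
    echo "OK: $file uses only: $found"
}

# Run the check when the script is called with arguments.
if [ "$#" -gt 0 ]; then
    check_resolv_conf "$@"
fi
```

Saved next to the Vagrantfile as `check_resolv.sh` and assuming Vagrant's default `/vagrant` synced folder is enabled, it can be run with `vagrant ssh -c 'sh /vagrant/check_resolv.sh /etc/resolv.conf 9.9.9.9'`.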