Ask HN: Local hostnames without root/admin

I want to note that I mean to use such internal hostnames to reach services inside a VPN. If solutions such as IPsec or OpenVPN can somehow push and manifest host->IP correlations for the OS, as an alternative to pushing an additional DNS resolver living inside the VPN, that would also be a viable solution.

anything that could capture the traffic of another application outside of that application is likely gonna need super user privs. the ports it flows on need those to capture it, and running a program which could capture it also likely needs it.

that being said: more context would thus help. what application is making the request, and at what point do you expect to intercept or get that request? is that outside the same app or not?

edit: also, can you atleast set it up as root or does everything need to happen as user? (and the OS might also matter)

1. Buy domain for your service

2. Make wildcard record to point to 127.0.0.1

3. User can apply any.thing.here.yourcompanyinternal.xxx

  *.fbi.com

If your programs use glibc, it supports hosts overrides in an environment variable, forgot which.

You are probably running a resolver on the LAN already, in your router. Now you just have to login and add an entry.

You can use the linker to preload `nss_wrapper`[0] and overwrite anything using `nss`.

Here's an example:

  > cat hosts
  198.51.100.33 test.tld
  2001:db8::33 test.tld
  198.51.100.12 test4.tld
  2001:db8::12 test6.tld

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test.tld
  198.51.100.33   DGRAM  test.tld
  198.51.100.33   STREAM test.tld
  2001:db8::33    DGRAM
  2001:db8::33    STREAM

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test4.tld
  198.51.100.12   DGRAM  test4.tld
  198.51.100.12   STREAM test4.tld

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts getent ahosts test6.tld
  2001:db8::12    DGRAM  test6.tld
  2001:db8::12    STREAM test6.tld

  > LD_PRELOAD=/nix/store/sw2r0gpi9c9rsvqgvi4906yxh948ydsv-nss_wrapper-1.1.16/lib/libnss_wrapper.so NSS_WRAPPER_HOSTS=hosts curl -v test.tld
  * Host test.tld:80 was resolved.
  * IPv6: 2001:db8::33
  * IPv4: 198.51.100.33
  *   Trying [2001:db8::33]:80...
  *   Trying 198.51.100.33:80...

[0] https://cwrap.org/nss_wrapper.html

This feels like an X-Y problem. What's preventing you from running a local copy of Dnsmasq? It's really not difficult

Since you can't edit hosts, or setup a resolver, maybe bookmark directly the ips on your browser? I understand you asked for hostnames but given the context you might aswell internalize some local ips.

Depending on the details of your setup and precisely why you're attempting this, I would also recommend Avahi/Zeroconf (lets you type "$HOSTNAME.local" or simply populate some favorites/bookmarks on the client machines (typing the bookmark name will generally autocomplete).

> As noted in the ingress, the web browser is the primary application.

In Firefox, about:networking and about:networking#dns are the http cache and dns cache. I have never considered writing values to these directly. Could there be a method for doing so within the developer console? Perhaps someone knows.

There are replies in the below link that touch on it for Chrome. The top suggestion, however, is using a socks 5 proxy server as a workaround. https://superuser.com/questions/184643/override-dns-in-firef...

Perhaps you can enable a default local domain on your router? Openwrt certainly lets you choose a local domain and the router then replies to DNS requests for somehost.local names.

> think /etc/hosts, but without the requirement of superuser privileges.

It would help if you could expand on this. Is this a "don't want devs to need to mess with their boxes" thing, or a "we're doing shadow IT and can't run things the normal way" thing, or something else?

> Running a resolver locally, or within the LAN, falls outside the realm of "simple".

No, it really doesn't. A DNS server can be a single file binary pointed at a simple text file, optionally pointed directly at a hosts-format file. I suggest coredns personally but there are other options.

>without the requirement of superuser privileges

Like you want to be able to update it without su or that you cant access it at all?

Like you could have a cron running as root that updates etc/hosts every minute based on a userspace text document if you felt like it. It would be incredibly bad practice but I dont get the impression that this is a concern.

>Running a resolver locally, or within the LAN, falls outside the realm of "simple".

Running your own DNS server isnt simple? The standard Microsoft DHCP/DNS process is to take DHCP leases and turn them into DNS entries.

Part of the reason a lot of answers are going to challenge your simple requirements, is that theres a great deal of malware that would love to do what you want to do, and these systems are largely hardened to prevent it.

If this is for an application you want to deploy, I believe "Simple" for userspace, is quite complex to overcome all the things trying to prevent exactly this. My gut feeling is that this desire will evolve into a docker container with a DNS resolver, and just present some kind of interface for adding records. Then just pipe all your DNS requests through the container.

What about mDNS? A server on 5353 needednt be privileged….

https://github.com/Riant/host-switch-plus or --host-resolver-rules to chrome, FoxyProxy for Firefox.

You've excluded the answer. Running a local resolver is quite simple. One tiny process running with a single config file is going to be as simple as (if not more so) any other possible solution you'll find.