[Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
Jason A. Donenfeld
Jason at zx2c4.com
Thu Feb 14 18:50:48 GMT 2013
Hi Simon & Crew,
Services like YouTube and Netflix use tons of ranges of IP addresses
that fluctuate wildly and aren't predictable. However, they're always
from a given subdomain using DNS, like *.c.youtube.com. I'd like to
have firewall rules for these IP addresses -- route them over this
interface, that interface, rate limit them like this, or that, etc. An
efficient way to do this is by adding IP addresses to a netfilter
ipset and using iptables' ipset match support. With services that use
lots of IPs spread out over ranges but instead use DNS, the only way
to do this is to have the DNS forwarder add the resolved IPs to an
ipset before returning the IP to the client.
I've written ipset-dns, a super trivial DNS forwarder that's meant to
be plugged into dnsmasq's server=/.../ directive.
http://git.zx2c4.com/ipset-dns/about/
But forwarding one forwarder to another forwarder is ugly, and ideally
this functionality would just be plugged directly into dnsmasq:
dnsmasq.conf:
ipset=/c.youtube.com/netflix.com/vpnset
This would add all the IPs returned for those queries to the provided
ipset (vpnset in this case).
Is there much interest in this feature? Is it something you'd consider adding?
Thanks,
Jason Donenfeld
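To make the proposed mechanism concrete, here is an added Python example (not part of the post, of ipset-dns, or of dnsmasq) that parses the ipset=/.../ directive above, matches query names against it, and builds the "ipset add" commands a forwarder would issue before handing the answers back to the client. It assumes the directive covers the listed domains and all their subdomains (as the *.c.youtube.com wording implies), that the target set is an IPv4 hash:ip set, and that the query names and 203.0.113.x answers below are constructed sample data.

```python
import ipaddress
from typing import List, Sequence, Tuple

Rule = Tuple[List[str], str]  # (domains, ipset name)


def parse_ipset_directive(line: str) -> Rule:
    """Parse a dnsmasq-style 'ipset=/dom1/dom2/setname' line."""
    body = line.strip()
    if body.startswith("ipset="):
        body = body[len("ipset="):]
    parts = body.strip("/").split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"malformed ipset directive: {line!r}")
    domains = [d.lower().rstrip(".") for d in parts[:-1]]
    return domains, parts[-1]


def matching_sets(qname: str, rules: Sequence[Rule]) -> List[str]:
    """Return the ipset names whose domains cover qname (the domain itself or a subdomain).

    The leading '.' in the suffix test keeps 'notnetflix.com' from matching 'netflix.com'.
    """
    name = qname.lower().rstrip(".")
    return [setname for domains, setname in rules
            if any(name == d or name.endswith("." + d) for d in domains)]


def ipset_commands(qname: str, answers: Sequence[str], rules: Sequence[Rule]) -> List[List[str]]:
    """Build 'ipset -exist add <set> <ip>' argv lists for the IPv4 answers of a matched query.

    Each answer is validated as an address before it gets anywhere near the firewall, and
    IPv6 answers are skipped because a hash:ip set holds a single address family (assumption:
    the set was created with 'family inet'). '-exist' makes re-adding a known IP a no-op.
    """
    cmds = []
    for setname in matching_sets(qname, rules):
        for ip in answers:
            addr = ipaddress.ip_address(ip)
            if addr.version != 4:
                continue
            cmds.append(["ipset", "-exist", "add", setname, str(addr)])
    return cmds


# The directive from the post, parsed once at startup.
RULES = [parse_ipset_directive("ipset=/c.youtube.com/netflix.com/vpnset")]

if __name__ == "__main__":
    # Constructed sample: a resolved YouTube cache name (names and IPs are not real data).
    for argv in ipset_commands("v12.lscache3.c.youtube.com.", ["203.0.113.10", "203.0.113.11"], RULES):
        print(" ".join(argv))  # a real forwarder would subprocess.run(argv, check=True) here
```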