[Dnsmasq-discuss] Ipset question

Hartmut Krafft hartmut at mail.ru
Tue Jan 14 16:01:50 GMT 2014

Dear all, I'm wondering about a limitation in the ipset option and if
there would be a way to get around it.

I'm using an ip set to get all IP addresses associated with a certain
domain 'www.domain.tld' to be able to redirect all traffic to certain
ports on these addresses through an ssh tunnel.

This basically works, but there's one stumbling point. The concerned
domain is set up in such a way that dns queries to 'domain.tld' resolve
to 'www.domain.tld'. But because of the way the ipset option works, I
seemingly cannot enter 'domain.tld' there without also matching all
subdomains associated to this domain, which is not what I want to

So, to get my tunnel redirection to work, I'd have to keep the users
off typing 'domain.tld' only in their browsers instead of
'www.domain.tld', which is not a very practicable idea imho.

So, I was wondering how it might be possible to achieve this, or if
maybe there could be added a way to make the ipset option less
'greedy', enabling one to tell dnsmasq to take the domain entry
literally (maybe by enclosing it in quotation marks)?

After all, a query to 'www.domain.tld' is as valid as a query to
'domain.tld' and it might not always be desirable to have this expand
to '*.domain.tld'.

Also, but this aside, I'd suggest the documentation about the
ipset options to be expanded regarding which type(s) of ip sets are
supported. (I've successfully used the hash:ip type, but I couldn't
find any indication beforehand if this (a) was the recommended type and
(b) if other types would also work (or not)).
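The suffix matching the post describes, modelled in an added Python example (it is neither dnsmasq's code nor the poster's): it parses constructed `ipset=` lines and picks the set(s) a query name falls into, assuming, as dnsmasq's lookup does for overlapping entries, that the longest matching domain wins.

```python
# Model of how dnsmasq's --ipset=/<domain>/.../<set>,<set> option chooses the
# ipset(s) for a query name. Constructed for illustration; not dnsmasq's code.

def parse_ipset_lines(lines):
    """Parse 'ipset=/dom1/dom2/set1,set2' config lines into (domain, sets) rules."""
    rules = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#") or not line.startswith("ipset=/"):
            continue                      # comment, blank or unrelated option
        parts = line[len("ipset="):].split("/")
        domains = parts[1:-1]             # parts[0] is '' before the leading '/'
        sets = [s for s in parts[-1].split(",") if s]
        for d in domains:
            rules.append((d.lower().rstrip("."), sets))
    return rules

def domain_matches(name, domain):
    """True if name equals domain or lies under it (the 'greedy' subdomain match)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def sets_for(name, rules):
    """Sets that answers for `name` are added to: the longest matching domain wins;
    on equal length the later rule wins (assumption modelled on dnsmasq's search)."""
    best_len, best_sets = -1, []
    for domain, sets in rules:
        if domain_matches(name, domain) and len(domain) >= best_len:
            best_len, best_sets = len(domain), sets
    return best_sets

# Constructed config: the poster's single apex entry, which also catches subdomains.
GREEDY = parse_ipset_lines([
    "# send everything resolved under domain.tld to the 'tunnel' set",
    "ipset=/domain.tld/tunnel",
])

# Constructed config: a more specific entry alongside the apex entry.
SPLIT = parse_ipset_lines([
    "ipset=/www.domain.tld/tunnel",
    "ipset=/domain.tld/other",
])

if __name__ == "__main__":
    for q in ("domain.tld", "www.domain.tld", "mail.domain.tld", "notdomain.tld"):
        print(f"{q:18} greedy={sets_for(q, GREEDY)} split={sets_for(q, SPLIT)}")
```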
