[Dnsmasq-discuss] Ipset question

Simon Kelley simon at thekelleys.org.uk
Fri Jan 17 13:26:49 GMT 2014


On 14/01/14 16:01, Hartmut Krafft wrote:
> Dear all, I'm wondering about a limitation in the ipset option and if
> there would be a way to get around it.
>
> I'm using an ip set to get all IP addresses associated with a certain
> domain 'www.domain.tld' to be able to redirect all traffic to certain
> ports on these addresses through an ssh tunnel.
>
> This basically works, but there's one stumbling point. The concerned
> domain is set up in such a way that dns queries to 'domain.tld' resolve
> to 'www.domain.tld'. But because of the way the ipset option works, I
> seemingly cannot enter 'domain.tld' there without also matching all
> subdomains associated to this domain, which is not what I want to
> achieve.
>
> So, to get my tunnel redirection to work, I'd have to keep the users
> off typing 'domain.tld' only in their browsers instead of
> 'www.domain.tld', which is not a very practicable idea imho.
>
> So, I was wondering how it might be possible to achieve this, or if
> maybe there could be added a way to make the ipset option less
> 'greedy', enabling one to tell dnsmasq to take the domain entry
> literally (maybe by enclosing it in quotation marks)?
>
> After all, a query to 'www.domain.tld' is as valid as a query to
> 'domain.tld' and it might not always be desirable to have this expand
> to '*.domain.tld'.
>
> Also, but this aside, I'd suggest the documentation about the
> ipset options to be expanded regarding which type(s) of ip sets are
> supported. (I've successfully used the hash:ip type, but I couldn't
> find any indication beforehand if this (a) was the recommended type and
> (b) if other types would also work (or not)).
>
> Regards,
> Hartmut
>

I don't think there's any way to do it with the existing code. Something 
like you suggest would be easy to add, but first I need to understand 
how www.domain.tld is being transformed to domain.tld. Is this a CNAME? 
I wonder if the ipset code is not handling CNAMEs properly?


Cheers,

Simon.
