[Dnsmasq-discuss] Ipset question

Hartmut Krafft hartmut at mail.ru
Sat Jan 18 09:35:45 GMT 2014

On Fri, 17 Jan 2014 13:26:49 +0000
Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 14/01/14 16:01, Hartmut Krafft wrote:
> > Dear all, I'm wondering about a limitation in the ipset option and
> > if there would be a way to get around it.
> >
> > I'm using an ip set to get all IP adresses associated with a certain
> > domain 'www.domain.tld' to be able to redirect all traffic to
> > certain ports on these addresses through an ssh tunnel.
> >
> > This basically works, but there's one stumbling point. The concerned
> > domain is set up in such a way that dns queries to 'domain.tld'
> > resolve to 'www.domain.tld'. But because of the way the ipset
> > option works, I seemingly cannot enter 'domain.tld' there without
> > also matching all subdomains associated to this domain, which is
> > not what I want to achieve.
> >
> > So, to get my tunnel redirection to work, I'd have to keep the users
> > off typing 'domain.tld' only in their browsers instead of
> > 'www.domain.tld', which is not a very practicable idea imho.
> >
> > So, I was wondering how it might be possible to achieve this, or if
> > maybe there could be added a way to make the ipset option less
> > 'greedy', enabling one to tell dnsmasq to take the domain entry
> > literally (maybe by enclosing it in quotation marks)?
> >
> > After all, a query to 'www.domain.tld' is as valid as a query to
> > 'domain.tld' and it might not always be desirable to have this
> > expand to '*.domain.tld'.
> >
> > Also, but this aside, I'd suggest the documentation about the
> > ipset options to be expanded regarding which type(s) of ip sets are
> > supported. (I've successfully used the hash:ip type, but I couldn't
> > find any indication beforehand if this (a) was the recommended type
> > and (b) if other types would also work (or not)).
> >
> > Regards,
> > Hartmut
> >
> > __________
> I don't think there's any way to do it with the existing code.
> Something like you suggest would be easy to add, but first I need to
> understand how www.domain.tld is being transformed to domain.tld. Is
> this a CNAME?

When I do a lookup with dig, type ANY, the response does not show CNAME
answers, only A records. Both queries resolve to an overlapping bunch of
IP adresses that seem to be a variable subset of a certain ip subnet.
I think the transition is done on the level of the web servers.

> I would if the ipset code is not handling CNAMES
> properly?

I don't think so, as there don't seem to be CNAMEs involved. But I have
to admit that I've got only limited knowledge of the internal workings
of the DNS system (and try to be learning while moving along).

Regards, Hartmut

[Sorry for accidentally sending a prior answer to Simon's address.
Simon: If you find it, it does contain more details about the actual
domain I'm trying to work with.]

> Cheers,
> Simon.

More information about the Dnsmasq-discuss mailing list