[Dnsmasq-discuss] ipsets usability
Florent Fourcot
florent.fourcot at wifirst.fr
Fri Nov 13 08:23:14 GMT 2020
Hello,
The ipset feature is working very well in dnsmasq. But it needs some fine
tuning, I think.
>
> 1) The user adds a domain to the ipset (in dnsmasq config). If the
> domain is already cached on the client, IPs won't actually be added to
> the ipset (at least until the cache entry expires).
>
That is true. However, I do not see another solution. You can't control
client behavior. They can use another DNS server (and/or DoH to bypass
firewall redirections). If you want an instant deployment, you must
force dnsmasq to resolve the DNS entries that you add (very hard if it's a
wildcard, of course). Or you can wait a little bit.
> 2) The user removes a domain from the ipset in dnsmasq config.
> Domain's IPs won't actually be removed from the ipset ever (until the
> user reboots the router, or something else flushes the ipset)
>
You probably should use the "timeout" ipset option when creating your
ipset. We are using the dnsmasq ipset option on several thousand hosts and
we configure it like this:
* always create the ipset with the timeout option. The timeout value for IP
entries will be refreshed at each dnsmasq DNS resolution
* use the max-cache-ttl dnsmasq option. You don't want to cache DNS
entries longer than the timeout specified above.
> Should I maybe try to extend ipset-dns [1] instead of
> dnsmasq?
>
> [1] https://git.zx2c4.com/ipset-dns/
>
ipset-dns has the same features (and limitations) as the dnsmasq ipset option,
with a more complex architecture.
Best regards,
--
Florent Fourcot
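The two-step setup recommended in the reply above (a timed ipset plus a dnsmasq max-cache-ttl that does not exceed the ipset timeout), written out as an added shell example. This is not code from the post, from Wifirst or from the dnsmasq project; the set name "allowlist", the domains and the 300-second values are constructed placeholders, and check_ttl, ipset_create_cmd and dnsmasq_fragment are hypothetical helper names. The script only generates the ipset(8) command and the dnsmasq configuration fragment; it does not need root or a running dnsmasq.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Generates an ipset
# definition and a matching dnsmasq fragment so that a cached answer can
# never outlive the ipset entry it produced: max-cache-ttl <= ipset timeout.
# Set name, domains and TTL values below are constructed placeholders.

# check_ttl TIMEOUT MAX_CACHE_TTL
# Returns 0 when both are positive integers and the cache TTL does not
# exceed the ipset timeout (the invariant the post relies on), 1 otherwise.
check_ttl() {
    timeout="$1"; cache_ttl="$2"
    [ "$timeout" -gt 0 ] 2>/dev/null || return 1
    [ "$cache_ttl" -gt 0 ] 2>/dev/null || return 1
    [ "$cache_ttl" -le "$timeout" ]
}

# ipset_create_cmd SETNAME TIMEOUT
# Prints the ipset(8) command that creates an IPv4 set whose entries expire
# after TIMEOUT seconds unless re-added (hypothetical helper name).
ipset_create_cmd() {
    printf 'ipset create %s hash:ip family inet timeout %s\n' "$1" "$2"
}

# dnsmasq_fragment SETNAME TIMEOUT DOMAIN...
# Prints a dnsmasq.conf fragment: cap the cache at TIMEOUT seconds and send
# the resolved addresses of each DOMAIN (and its subdomains) to SETNAME.
# Refuses to emit anything if the TTL invariant does not hold.
dnsmasq_fragment() {
    setname="$1"; timeout="$2"; shift 2
    check_ttl "$timeout" "$timeout" || return 1
    printf 'max-cache-ttl=%s\n' "$timeout"
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$setname"
    done
}

# Example invocation with constructed values: a 5-minute set and a matching
# cache cap. Redirect each block into the ipset restore script and into a
# file under /etc/dnsmasq.d/ respectively when deploying.
ipset_create_cmd allowlist 300
dnsmasq_fragment allowlist 300 example.com example.net
```

Removing a domain from the fragment and reloading dnsmasq is then enough: once its last cached answer expires (at most max-cache-ttl seconds) nothing re-adds the address, and the kernel drops the ipset entry when the timeout elapses, which addresses point 2 of the original question without flushing the set.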