<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Sat, 8 Sep 2018 at 15:45, Simon Kelley <<a href="mailto:simon@thekelleys.org.uk">simon@thekelleys.org.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">No, that's a different problem. Your target name "<a href="http://vpnin.swtk.info" rel="noreferrer" target="_blank">vpnin.swtk.info</a>" is<br>
coming from the DHCP subsystem, because you have a DHCP lease for a host<br>
called "vpnin" and have set the domain to <a href="http://swtk.info" rel="noreferrer" target="_blank">swtk.info</a>.<br>
<br>
<br>
It would be possible to fix this, and maybe even sensible, but it's<br>
not the same as the OP's problem with CNAMEs.<br>
<br>
Given that when the result comes from DHCP, it's pretty much guaranteed<br>
to be within the firewall, does it make sense to have such names checked<br>
by the ipset system? Genuine question. I'm unsure what people are using<br>
the ipsets facility for, so I don't know the answer.<br></blockquote><div><br></div><div>The real added value of ipset for me is the capacity to configure my firewall via names and not IPs. </div><div>This is extremely useful for DHCP hosts (all of my hosts - mobiles, desktops, laptops and servers - are managed by dnsmasq's DHCP).</div><div><br></div><div>Having the capacity to update an ipset from within dnsmasq (as the lease changes) would be great. The only alternative today is to </div><div>manually set some hosts as infinite lease.</div><div><br></div><div>Cheers,</div><div>Wojtek</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 07/09/18 13:49, Wojtek Swiatek wrote:<br>
> I incidentally have the same problem (I started to tackle ipset today).<br>
> Taking your example:<br>
> <br>
> root@srv ~# dnsmasq -d --log-queries --ipset=/<a href="http://vpnin.swtk.info/vpnin" rel="noreferrer" target="_blank">vpnin.swtk.info/vpnin</a><br>
> <<a href="http://vpnin.swtk.info/vpnin" rel="noreferrer" target="_blank">http://vpnin.swtk.info/vpnin</a>><br>
> dnsmasq: started, version 2.79 cachesize 150<br>
> dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6<br>
> no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify<br>
> dnsmasq-dhcp: DHCP, IP range 10.200.0.1 -- 10.200.0.230, lease time 10d<br>
> dnsmasq-dhcp: DHCP, IP range 10.10.10.1 -- 10.10.10.200, lease time 10d<br>
> dnsmasq-dhcp: DHCP, IP range 10.1.1.1 -- 10.1.1.100, lease time 10d<br>
> dnsmasq-dhcp: DHCP, IP range 10.100.20.1 -- 10.100.20.230, lease time 10d<br>
> dnsmasq-dhcp: DHCP, IP range 10.100.10.1 -- 10.100.10.230, lease time 10d<br>
> dnsmasq: using nameserver 8.8.4.4#53<br>
> dnsmasq: using nameserver 1.1.1.1#53<br>
> dnsmasq: read /etc/hosts - 8 addresses<br>
> dnsmasq: query[A] <a href="http://vpnin.swtk.info" rel="noreferrer" target="_blank">vpnin.swtk.info</a> <<a href="http://vpnin.swtk.info" rel="noreferrer" target="_blank">http://vpnin.swtk.info</a>> from 127.0.0.1<br>
> dnsmasq: DHCP <a href="http://vpnin.swtk.info" rel="noreferrer" target="_blank">vpnin.swtk.info</a> <<a href="http://vpnin.swtk.info" rel="noreferrer" target="_blank">http://vpnin.swtk.info</a>> is 10.200.0.2<br>
> <br>
> the vpnin ipset is already created (and stays empty):<br>
> <br>
> root@srv ~# ipset vpnin<br>
> ipset v6.34: No command specified: unknown argument vpnin<br>
> Try `ipset help' for more information.<br>
> root@srv ~# ipset list vpnin<br>
> Name: vpnin<br>
> Type: hash:ip<br>
> Revision: 4<br>
> Header: family inet hashsize 1024 maxelem 65536<br>
> Size in memory: 88<br>
> References: 0<br>
> Number of entries: 0<br>
> Members:<br>
> <br>
> <br>
> Cheers,<br>
> Wojtek<br>
> <br>
> <br>
> On Tue, 4 Sep 2018 at 01:21, Simon Kelley <<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a><br>
> <mailto:<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>>> wrote:<br>
> <br>
> Are you sure? It seems to work for me.<br>
> <br>
> <br>
> <br>
> srk@holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d -p 10000 --log-queries<br>
> --ipset=/<a href="http://www.comcast.com/test" rel="noreferrer" target="_blank">www.comcast.com/test</a><br>
> dnsmasq: started, version 2.80test4 cachesize 150<br>
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN<br>
> DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect<br>
> inotify dumpfile<br>
> dnsmasq: reading /etc/resolv.conf<br>
> dnsmasq: using nameserver 127.0.1.1#53<br>
> dnsmasq: read /etc/hosts - 8 addresses<br>
> dnsmasq: query[A] <a href="http://www.comcast.com" rel="noreferrer" target="_blank">www.comcast.com</a> from 127.0.0.1<br>
> dnsmasq: forwarded <a href="http://www.comcast.com" rel="noreferrer" target="_blank">www.comcast.com</a> to 127.0.1.1<br>
> dnsmasq: reply <a href="http://www.comcast.com" rel="noreferrer" target="_blank">www.comcast.com</a> is <CNAME><br>
> dnsmasq: reply <a href="http://www.comcast.com.edgekey.net" rel="noreferrer" target="_blank">www.comcast.com.edgekey.net</a> is <CNAME><br>
> dnsmasq: ipset add test 2.22.99.93 <a href="http://e523.dscb.akamaiedge.net" rel="noreferrer" target="_blank">e523.dscb.akamaiedge.net</a><br>
> dnsmasq: reply <a href="http://e523.dscb.akamaiedge.net" rel="noreferrer" target="_blank">e523.dscb.akamaiedge.net</a> is 2.22.99.93<br>
> <br>
> Cheers,<br>
> <br>
> Simon.<br>
> <br>
> <br>
> On 26/08/18 08:48, <a href="mailto:esinpublic-2012@yahoo.com.hk" target="_blank">esinpublic-2012@yahoo.com.hk</a> wrote:<br>
> > Hi, <br>
> ><br>
> > When running with the ipset configuration, e.g.<br>
> ><br>
> > ipset=/<a href="http://example.com/whitelist" rel="noreferrer" target="_blank">example.com/whitelist</a><br>
> ><br>
> ><br>
> > If the query result is a CNAME of a different domain, e.g.<br>
> ><br>
> > <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>. <br>
> > 300 IN CNAME <a href="http://d123456789abcdefg.cloudfront.net" rel="noreferrer" target="_blank">d123456789abcdefg.cloudfront.net</a>.<br>
> > <a href="http://d123456789abcdefg.cloudfront.net" rel="noreferrer" target="_blank">d123456789abcdefg.cloudfront.net</a>. 60 <br>
> > IN A 123.123.123.123<br>
> ><br>
> > The IP address 123.123.123.123 would not be added to the IPSET. May I<br>
> > ask if it is possible to have dnsmasq add the final resolved IP into<br>
> > the ipset?<br>
> ><br>
> > Thank you!<br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Dnsmasq-discuss mailing list<br>
> > <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
> > <a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" rel="noreferrer" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
> ><br>
> <br>
> <br>
> <br>
<br>
</blockquote></div></div>
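Simon's point is that a name answered from the DHCP lease table never goes through the ipset= machinery, which is why the vpnin set in Wojtek's test stays empty even though the query is answered, and Wojtek's wish is for lease changes to feed an ipset. One way to get that today is dnsmasq's --dhcp-script hook, which dnsmasq runs as `<script> add|old|del <mac> <ip> [hostname]` on every lease change. The script below is an added example, not dnsmasq's own code and not from anyone in this thread; the hostname-to-set mapping, the DRY_RUN variable and the assumption that the target set already exists (created as in Wojtek's `ipset list vpnin` output, `hash:ip`, family inet) are this example's own.

```shell
#!/bin/sh
# Added example (not dnsmasq's own code): keep an ipset in step with DHCP leases.
# dnsmasq invokes a --dhcp-script as:  <script> add|old|del <mac> <ip> [hostname]
# Set names and the host->set mapping are assumptions for this example; the sets
# are expected to exist already (e.g. "ipset create vpnin hash:ip").

# Map a DHCP hostname to the ipset it belongs in. Empty output means the host is
# not firewalled by name and the lease event is ignored.
set_for_host() {
    case "$1" in
        vpnin)  echo "vpnin" ;;    # the host from the thread (assumed mapping)
        *)      echo "" ;;
    esac
}

# Build the ipset command for one lease event and print it; prints nothing when
# no set applies. Returns 1 on an action dnsmasq would never send.
# "-exist" makes add/del idempotent: dnsmasq re-sends "old" for every existing
# lease at startup and on each renewal, so the same address arrives repeatedly.
lease_to_ipset_cmd() {
    action=$1; ip=$2; host=$3
    # This example only manages an IPv4 (family inet) hash:ip set; DHCPv6 leases
    # reach the same hook with a DUID instead of a MAC and would need an inet6 set.
    case "$ip" in *:*) return 0 ;; esac
    setname=$(set_for_host "$host")
    [ -n "$setname" ] || return 0
    case "$action" in
        add|old) echo "ipset add -exist $setname $ip" ;;
        del)     echo "ipset del -exist $setname $ip" ;;
        *)       return 1 ;;
    esac
}

# Entry point as called by dnsmasq: $1=action $2=mac $3=ip $4=hostname (may be absent).
# With fewer than three arguments (sourced for testing, run by hand) it does nothing.
if [ "$#" -ge 3 ]; then
    cmd=$(lease_to_ipset_cmd "$1" "$3" "$4") || exit 1
    if [ -n "$cmd" ]; then
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    fi
fi
```

Wire it in with `dhcp-script=/path/to/lease-ipset.sh` in dnsmasq.conf; by default dnsmasq runs the script as root (see `--scriptuser`), which is what `ipset add` needs. `DRY_RUN=1 ./lease-ipset.sh add 00:11:22:33:44:55 10.200.0.2 vpnin` shows the command that would be issued without touching the kernel. Note this tracks lease events only: a host whose lease expires is removed from the set, and a host that never requests a lease (or sends no hostname) is never added, which is the behaviour you want for a firewall rule keyed on DHCP names.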