[Dnsmasq-discuss] Running a script after a resolution request

Simon Kelley simon at thekelleys.org.uk
Fri Mar 28 19:53:35 UTC 2014


On 28/03/14 13:26, Ronaldo Zacarias Afonso wrote:
> On 03/24/2014 06:08 PM, Simon Kelley wrote:
>> On 24/03/14 19:39, Ronaldo Zacarias Afonso wrote:
>>>     Hi everybody,
>>>
>>>     I'd like to know if it is possible to configure dnsmasq to execute a
>>> script after a name resolution request.
>>>
>>>     The idea is having a script that updates a firewall each time
>>> someone asks for the resolution of www.somedomain.com.
>>>
>>>     Any help would be appreciated.
>>>
>>>     Thanks in advance ...
>>>
>> Would this serve to solve the problem?
>>
>> --ipset=/<domain>/[domain/]<ipset>[,<ipset>]
>>      Places the resolved IP addresses of queries for the specified
>>      domains in the specified netfilter ip sets. Domains
>>      and subdomains are matched in the same way as --address. These ip
>>      sets must already exist. See ipset(8) for  more details.
>>
>>
>> Cheers,
>>
>> Simon.
> 
>    Hi Simon,
> 
>    In fact, it worked partially.
> 
>    Now I need a way to "timeout" those ipset entries. It would still be 
> better if the timeout value was the same as the DNS A record dnsmasq 
> received when it queried the domain.
> 

I'm not sure that the time-to-live value is a sensible thing to use
here. If the authoritative TTL of a domain is, for example, 600 seconds,
then when you make a query, you'll get a TTL of anything between 600
seconds and 1 second. The one second answer occurs if the recursive
nameserver queried the authoritative nameserver 559 seconds ago, and
cached the answer. Unless you're running a nameserver which will always
talk to the authoritative nameserver, there's no way to know what the
TTL is configured to. Dnsmasq doesn't talk directly to the authoritative
nameserver, so it can't tell you.


Cheers,


Simon.


>    For example:
> 
>    root at ronaldoafonso:~# dig www.ronaldoafonso.com.br -t a
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.ronaldoafonso.com.br -t a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32993
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;www.ronaldoafonso.com.br.    IN    A
> 
> ;; ANSWER SECTION:
> www.ronaldoafonso.com.br. 85223    IN    A    50.62.226.1
> 
> ;; AUTHORITY SECTION:
> ronaldoafonso.com.br.    85223    IN    NS    b.sec.dns.br.
> ronaldoafonso.com.br.    85223    IN    NS    c.sec.dns.br.
> 
> ;; ADDITIONAL SECTION:
> b.sec.dns.br.        89959    IN    A    200.192.232.11
> c.sec.dns.br.        89557    IN    A    200.189.40.11
> 
> ;; Query time: 1 msec
> ;; SERVER: 192.168.0.1#53(192.168.0.1)
> ;; WHEN: Fri Mar 28 10:04:21 2014
> ;; MSG SIZE  rcvd: 130
> 
>    The perfect timeout would be "85223" received for the A record.
> 
>    Is it possible?
> 
>    Thanks in advance ...
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 
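The TTL-driven ipset timeout Ronaldo is after, as an added example that is not code from this thread or from the dnsmasq project: a small Python script that parses the A record out of the dig output posted above, turns it into an `ipset add ... timeout` command (with `-exist` so a repeat lookup refreshes the entry rather than failing), and computes the residual TTL Simon describes. The set name `resolved_hosts` is an assumption; the dig text is the one posted in the thread, reused here as sample input.

```python
import re
from dataclasses import dataclass

# Sample input: the dig output posted in this thread, reproduced here as test data.
DIG_OUTPUT = """\
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.ronaldoafonso.com.br -t a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32993
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ronaldoafonso.com.br.    IN    A

;; ANSWER SECTION:
www.ronaldoafonso.com.br. 85223    IN    A    50.62.226.1

;; AUTHORITY SECTION:
ronaldoafonso.com.br.    85223    IN    NS    b.sec.dns.br.
ronaldoafonso.com.br.    85223    IN    NS    c.sec.dns.br.

;; ADDITIONAL SECTION:
b.sec.dns.br.        89959    IN    A    200.192.232.11
c.sec.dns.br.        89557    IN    A    200.189.40.11
"""


@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    address: str


def parse_answer_a_records(dig_text):
    """Return the A records from dig's ANSWER SECTION only.

    Records in the AUTHORITY and ADDITIONAL sections are deliberately ignored:
    they describe nameservers, not the host the client asked about.
    """
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False  # blank line or next ';;' header ends the section
            continue
        fields = line.split()  # name ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            records.append(ARecord(name=fields[0].rstrip("."),
                                   ttl=int(fields[1]),
                                   address=fields[4]))
    return records


def ipset_add_commands(records, set_name):
    """Build one 'ipset add' per record, using the observed TTL as the entry timeout.

    ipset treats 'timeout 0' as 'never expire', so a TTL of 0 is clamped to 1 second
    rather than silently becoming a permanent firewall entry.
    """
    return [f"ipset add {set_name} {r.address} timeout {max(r.ttl, 1)} -exist"
            for r in records]


def residual_ttl(authoritative_ttl, seconds_since_upstream_fetch):
    """TTL a client sees from a caching nameserver: the configured TTL minus the
    time the record has already sat in that cache. Once the cached copy expires
    the cache refetches and the countdown restarts, hence the modulo."""
    age = seconds_since_upstream_fetch % authoritative_ttl
    return authoritative_ttl - age


if __name__ == "__main__":
    found = parse_answer_a_records(DIG_OUTPUT)
    for cmd in ipset_add_commands(found, "resolved_hosts"):  # 'resolved_hosts' is a hypothetical set name
        print(cmd)
    # Same zone TTL (600), observed at different moments: the client sees 600, then 1, then 600 again.
    print([residual_ttl(600, t) for t in (0, 599, 600)])
```

Two caveats follow from the thread. First, the 85223 in the answer is a residual TTL from the caching server at 192.168.0.1, so a firewall timeout derived from it expires when that cache entry does, which may be much sooner than the zone's configured TTL (`residual_ttl` makes this visible). Second, an ipset created with a default timeout (`ipset create NAME hash:ip timeout N`) applies that default to every entry added without an explicit one; that is standard ipset behaviour and gives expiry for entries added by `--ipset` without any script at all, at the cost of a fixed rather than TTL-matched lifetime.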