[Dnsmasq-discuss] Triggering a shell script when domain name resolved

F32 feng32 at 163.com
Fri Mar 20 16:28:22 GMT 2015


Hi everyone,
        I'm a Chinese user with Internet access polluted by the GFW (the Great Firewall of China). To visit, e.g., the sites of Google, I have to set up a proxy and then redirect the related packets to the proxy server at 127.0.0.1.
        Currently, I configure something like the following on my OpenWRT router:


        1. Add this line to dnsmasq.conf (resolve Google's IP addresses via 8.8.4.4)
                - server=/google.com/8.8.4.4
        2. Add this line to the firewall script (make sure that the DNS reply from 8.8.4.4 is not polluted)
                - iptables -t nat -I PREROUTING -p udp -d 8.8.4.4/32 -j REDIRECT --to-ports 8001
        3. Add these lines to the firewall script (visit Google's sites via the proxy; there are a lot of addresses to be included)
                - iptables -t nat -I PREROUTING -p tcp -d 173.194.127.0/24 -j REDIRECT --to-ports 8001
                - iptables -t nat -I PREROUTING -p tcp -d 216.58.221.0/24 -j REDIRECT --to-ports 8001
                - iptables ...

        4. Add this line to the firewall script (start the shadowsocks proxy at 127.0.0.1)
                - ss-redir -s server -p server_port -k password -m encryption_method -l local_port(8001) &

It works, but I find that I have to update the IP address list every few weeks. Of course I can create a cron job that does this automatically, something like:

        #!/bin/sh
        nslookup www.google.com > 01.log
        nslookup play.google.com > 02.log
        nslookup code.google.com > 03.log

        ...
        awk -f process_nslookup_result.awk 01.log > ip_list.txt
        awk -f process_nslookup_result.awk 02.log >> ip_list.txt
        awk -f process_nslookup_result.awk 03.log >> ip_list.txt
        ...
        update_iptables_rules.sh ip_list.txt


A major problem with this scheme is that I have to create a lot of similar domain items, and I cannot have *.google.com like the server option in dnsmasq.conf. To find out the second-level domains I have missed, some packet tracing is needed, which is rather boring for most users.


Is there a way to solve this problem? If dnsmasq is able to export the IP addresses of specified hosts (e.g., *.google.com) to a file, or to execute an external program when domain names are resolved, I think that I will be able to find a better solution.

Sincerely
Fengyu Gao
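The following script is an added example written for this page; it is not the poster's script and not part of dnsmasq. It covers the two halves of the question above. First, for the cron-job approach, it parses resolver output into addresses and rebuilds the REDIRECT rules inside a dedicated chain, so that re-running the job does not keep piling duplicate `-I PREROUTING` entries onto the router. Second, it prints the configuration for what the post is really asking for: dnsmasq 2.66 and later can add every address it resolves for a domain and its subdomains to a Netfilter ipset via the `ipset=` option, and a single `-m set` rule then redirects all of them, with no per-host list and no cron job. Everything is a dry run that prints commands instead of applying them. The chain name GFW_REDIR, the set name gfwlist, the resolver output and the addresses in it are constructed for the example; `iptables -C` needs iptables 1.4.11 or later, `ipset create -exist` needs the ipset 6 tool, and `ipset=` needs a dnsmasq built with ipset support (on OpenWrt, the dnsmasq-full package).

```shell
#!/bin/sh
# Added example for the post above: not the poster's script, not dnsmasq code.
# Dry run throughout: functions print iptables/ipset/dnsmasq lines to stdout;
# review them, then pipe into sh on the router. Names GFW_REDIR and gfwlist
# are assumptions for the example.

# 1. Extract IPv4 answer addresses from nslookup output on stdin.
#    Handles both "Address: 1.2.3.4" (GNU) and "Address 1: 1.2.3.4 name"
#    (BusyBox on OpenWrt). The "Address: 8.8.4.4#53" header is the resolver
#    itself, not an answer, and is skipped because of the trailing "#53";
#    IPv6 answers are skipped because the REDIRECT rules are IPv4-only.
extract_ipv4() {
    awk '
        $1 ~ /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$i]++)
                    print $i
        }'
}

# 2. Turn addresses (one per line on stdin) into iptables commands that live
#    in their own chain. The chain is flushed and rebuilt on every run, so
#    stale addresses disappear and nothing accumulates in PREROUTING; the
#    jump into PREROUTING is added only if "iptables -C" says it is missing.
emit_rules() {
    chain=${1:-GFW_REDIR}
    port=${2:-8001}
    printf 'iptables -t nat -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -t nat -F %s\n' "$chain"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -t nat -A %s -p tcp -d %s/32 -j REDIRECT --to-ports %s\n' \
            "$chain" "$ip" "$port"
    done
    printf 'iptables -t nat -C PREROUTING -j %s 2>/dev/null || iptables -t nat -I PREROUTING -j %s\n' \
        "$chain" "$chain"
}

# 3. The dnsmasq-native alternative: ipset=/domain/setname makes dnsmasq add
#    every address it resolves for the domain (subdomains included, like
#    server=) to the kernel set, and one -m set rule redirects all of them.
#    Usage: ipset_setup SETNAME PORT DOMAIN [DOMAIN...]
ipset_setup() {
    set_name=$1
    port=$2
    shift 2
    echo "# dnsmasq.conf (one line per domain; subdomains match automatically)"
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$set_name"
    done
    echo "# firewall script: the set must exist before dnsmasq starts"
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    printf 'iptables -t nat -C PREROUTING -p tcp -m set --match-set %s dst -j REDIRECT --to-ports %s 2>/dev/null || iptables -t nat -I PREROUTING -p tcp -m set --match-set %s dst -j REDIRECT --to-ports %s\n' \
        "$set_name" "$port" "$set_name" "$port"
}

# Constructed resolver output (not a real capture): mixes GNU and BusyBox
# formats, a resolver header line, an IPv6 answer and a duplicate.
SAMPLE_LOOKUP=$(cat <<'EOF'
Server:    8.8.4.4
Address:   8.8.4.4#53

Non-authoritative answer:
Name:      www.google.com
Address:   173.194.127.116
Name:      www.google.com
Address:   2404:6800:4003:80a::1014
Address 1: 216.58.221.36
Address 1: 173.194.127.116
EOF
)

demo() {
    printf '%s\n' "$SAMPLE_LOOKUP" | extract_ipv4 | emit_rules GFW_REDIR 8001
    echo
    ipset_setup gfwlist 8001 google.com
}

demo
```

The `-d x.x.x.x/32` rules from `emit_rules` do exactly what the per-/24 rules in the post do, only against the addresses actually returned; the ipset route in `ipset_setup` is what makes the "*.google.com" case work, since dnsmasq applies the `ipset=` domain match to subdomains the same way it applies `server=`.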