[Dnsmasq-discuss] Triggering a shell script when domain name resolved

Simon Kelley simon at thekelleys.org.uk
Fri Mar 20 20:47:47 GMT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/03/15 16:28, F32 wrote:
> Hi everyone, I'm a Chinese user with Internet access polluted by
> the GFW (the Great Firewall of China). To visit, e.g., the sites
> of Google, I have to set up a proxy and then redirect related
> packets to the proxy server at 127.0.0.1. Currently, I configure
> something like the following on my OpenWRT router:
> 
> 
> 1. Add this line to dnsmasq.conf (resolve Google's IP addresses via
>    8.8.4.4):
> 
>    server=/google.com/8.8.4.4
> 
> 2. Add this line into the firewall script (make sure that the DNS
>    reply from 8.8.4.4 is not polluted):
> 
>    iptables -t nat -I PREROUTING -p udp -d 8.8.4.4/32 -j REDIRECT --to-ports 8001
> 
> 3. Add these lines into the firewall script (visit Google's sites via
>    proxy; there are a lot of addresses to be included):
> 
>    iptables -t nat -I PREROUTING -p tcp -d 173.194.127.0/24 -j REDIRECT --to-ports 8001
>    iptables -t nat -I PREROUTING -p tcp -d 216.58.221.0/24 -j REDIRECT --to-ports 8001
>    iptables ...
> 
> 4. Add this line into the firewall script (start the shadowsocks
>    proxy at 127.0.0.1):
> 
>    ss-redir -s server -p server_port -k password -m encryption_method -l local_port(8001) &
> 
> It works, but I find that I have to update the IP address list
> every few weeks. Of course I can create a cron job that does this
> automatically, something like:
> 
> 
> #!/bin/sh
> nslookup www.google.com > 01.log
> nslookup play.google.com > 02.log
> nslookup code.google.com > 03.log
> ...
> awk -f process_nslookup_result.awk 01.log > ip_list.txt
> awk -f process_nslookup_result.awk 02.log >> ip_list.txt
> awk -f process_nslookup_result.awk 03.log >> ip_list.txt
> ...
> update_iptables_rules.sh ip_list.txt
> 
> 
> A major problem of this scheme is that I have to create a lot of 
> similar domain items, and I cannot have *.google.com like the
> server option in dnsmasq.conf. To find out the second-level domains
> I have missed, some packet tracing is needed, which is rather
> boring for most users.
> 
> 
> Is there a way to solve this problem? If dnsmasq is able to export
> the IP addresses of specified hosts (e.g., *.google.com) to a
> file, or to execute an external program when domain names are resolved,
> I think that I will be able to find a better solution.

There's no facility to run an external program when a name is
resolved, but you can use --log-queries to get all names which are
resolved into the log. Use --log-facility to make the dnsmasq log a
separate file. Some processing of the log file to extract the
information you want may well be possible.



Cheers,


Simon.

> 
> Sincerely,
> Fengyu Gao
> 
> 
> 
> _______________________________________________ Dnsmasq-discuss 
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlUMh3MACgkQKPyGmiibgrf6sQCfRW6Vo1k2JYwVcMfhRlk0Sni5
mFoAoI49w5hDeXxFv78WSE5oSOrVUw2z
=aDL0
-----END PGP SIGNATURE-----
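
Simon's suggestion worked through as an added example; this is not code
from the thread or from the dnsmasq project. It assumes dnsmasq is started
with --log-queries and --log-facility=/var/log/dnsmasq.log, and that answer
lines in that file have the shape "... dnsmasq[PID]: reply NAME is ADDR" or
"... cached NAME is ADDR" (dnsmasq's --log-queries format as I know it). The
log lines, the chain name PROXY_REDIRECT and the address values are
constructed for the example; port 8001 and the REDIRECT target come from
the original post. The script pulls every IPv4 answer logged for a name
under google.com and emits the iptables commands that rebuild a dedicated
nat chain from that list, which is what the post's update_iptables_rules.sh
would do with a hand-maintained ip_list.txt.

```shell
#!/bin/sh
# Added example (not from the dnsmasq project or from this thread).
# Turn dnsmasq's --log-queries output into REDIRECT rules for every address
# that was resolved under a domain suffix. Assumes
#   --log-queries --log-facility=/var/log/dnsmasq.log
# and answer lines of the form "... dnsmasq[PID]: reply NAME is ADDR" or
# "... cached NAME is ADDR". PROXY_REDIRECT is a hypothetical chain name.

# Constructed sample log (not a real capture). The code.google.com answer
# is a CNAME whose target lives under googleusercontent.com, so a plain
# google.com suffix match will not pick up 74.125.31.82; that is one reason
# the post's per-domain address lists keep going stale.
SAMPLE_LOG='Mar 20 16:28:01 dnsmasq[1234]: query[A] www.google.com from 192.168.1.10
Mar 20 16:28:01 dnsmasq[1234]: forwarded www.google.com to 8.8.4.4
Mar 20 16:28:01 dnsmasq[1234]: reply www.google.com is 173.194.127.99
Mar 20 16:28:01 dnsmasq[1234]: reply www.google.com is 173.194.127.104
Mar 20 16:28:05 dnsmasq[1234]: cached play.google.com is 216.58.221.78
Mar 20 16:28:07 dnsmasq[1234]: reply code.google.com is <CNAME>
Mar 20 16:28:07 dnsmasq[1234]: reply googlecode.l.googleusercontent.com is 74.125.31.82
Mar 20 16:28:09 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Mar 20 16:28:11 dnsmasq[1234]: reply notgoogle.com is 198.51.100.7
Mar 20 16:28:12 dnsmasq[1234]: reply www.google.com is 173.194.127.99'

# resolved_ips SUFFIX   (log on stdin)
# Prints each IPv4 answer for NAME == SUFFIX or NAME ending in ".SUFFIX"
# once, in first-seen order. "<CNAME>", NXDOMAIN, NODATA and AAAA answers
# fail the dotted-quad test and are dropped. The keyword is searched for
# rather than taken from a fixed field, so a syslog prefix with or without
# a hostname in front of "dnsmasq[PID]:" makes no difference. Note that
# "notgoogle.com" must not match "google.com", hence the leading-dot test.
resolved_ips() {
    awk -v suffix="$1" '
    {
        for (i = 1; i <= NF - 3; i++) {
            if (($i == "reply" || $i == "cached") && $(i + 2) == "is") {
                name = $(i + 1); addr = $(i + 3)
                ending = substr(name, length(name) - length(suffix))
                if (name != suffix && ending != "." suffix) break
                if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) break
                if (!seen[addr]++) print addr
                break
            }
        }
    }'
}

# redirect_rules SUFFIX PORT   (log on stdin)
# Prints the shell commands that rebuild a private nat chain with one /32
# REDIRECT rule per address and hook it into PREROUTING once. Flushing and
# refilling a chain of our own (instead of inserting into PREROUTING
# directly, as the post does) lets a cron run replace the whole list
# without disturbing any other rule.
redirect_rules() {
    chain=PROXY_REDIRECT
    printf 'iptables -t nat -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -t nat -F %s\n' "$chain"
    printf 'iptables -t nat -C PREROUTING -p tcp -j %s 2>/dev/null || ' "$chain"
    printf 'iptables -t nat -I PREROUTING -p tcp -j %s\n' "$chain"
    resolved_ips "$1" | while read -r ip; do
        printf 'iptables -t nat -A %s -p tcp -d %s/32 -j REDIRECT --to-ports %s\n' \
            "$chain" "$ip" "$2"
    done
}

# On the router this would be:
#   redirect_rules google.com 8001 < /var/log/dnsmasq.log | sh
# Here the commands are only printed, from the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | redirect_rules google.com 8001
```

Two caveats when running this from cron. First, the list is populated
lazily: an address only enters the chain after somebody has resolved the
name and the job has run again, so the first connection to a freshly seen
address goes out unproxied. Second, as the sample shows, a suffix match
on the queried name misses answers that arrive via a CNAME into another
domain; extend the suffix list (or match on the CNAME target names the log
shows) as you find them. If the router's dnsmasq is 2.66 or later, the
ipset option (ipset=/google.com/proxylist) adds resolved addresses to a
kernel ipset at resolution time, which removes the lazy-update problem;
the log-based approach above works on any version.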