[Dnsmasq-discuss] Triggering a shell script when domain name resolved

Hartmut Krafft hartmut at mail.ru
Sat Mar 21 11:00:31 GMT 2015


On Sat, 21 Mar 2015 00:28:22 +0800 (CST)
F32 <feng32 at 163.com> wrote:

> Hi everyone,
>         I'm a Chinese user with Internet access polluted by the GFW
> (the Great Firewall of China). To visit, e.g., the sites of Google, I
> have to set up a proxy and then redirect related packets to the proxy
> server at 127.0.0.1. 
[snip]
> A major problem of this scheme is that I have to create a lot of
> similar domain items, and I cannot have *.google.com like the server
> option in dnsmasq.conf. To find out the second-level domains I have
> missed, some packet tracing is needed, which is rather boring for
> most users.
> 
> 
> Is there a way to solve this problem? If dnsmasq is able to export
> the ip addresses of specified hosts (e.g., *.google.com) to a file,
> or to execute an external program when domain names are resolved, I think
> that I will be able to find a better solution.

I'm wondering if you couldn't use the ipset feature to achieve this?
I'm doing something similar (except for the name server part, which up
to now luckily is no problem where I live), namely run all traffic to
Google's servers over a tunnel to a remote host and not over my DSL
address.

In dnsmasq.conf, I have

  ipset=/1e100.net/goo.gl/google.de/google.com/googleapis.com/google

(the last part is the ipset's name, before that, you see all the
domains of which the ip addresses should be added to the ipset.)

The ipset has to exist before restarting dnsmasq. So, create it using

# /usr/sbin/ipset create google hash:ip

(I added this to /etc/rc.local to make it persistent.)

$ sudo ipset -L

will show you the ip addresses that are currently in the set.

There is a redsocks connection over a ssl tunnel connected to the
remote host and listening on port 12345. This should be somewhat
similar to the shadowsocks system that you're using (of which I didn't
know till now).

The relevant iptables rules (formatted for iptables-restore) are
  # filter google addresses in ipset
  -A REDSOCKS_FILTER -m set --match-set google dst -p tcp -m tcp --dport 80 -j REDSOCKS
  -A REDSOCKS_FILTER -m set --match-set google dst -p tcp -m tcp --dport 443 -j REDSOCKS
  # all others go back to the chain
  -A REDSOCKS_FILTER -j RETURN

  -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

That way, the firewall rules have direct and instant access to the ip
addresses that dnsmasq is getting from the name lookup.
I'm running this on a Raspberry Pi with Raspbian.
Of course, you need a version of dnsmasq supporting this feature (I'm
using 2.68, IIRC I had to compile it myself because the version in the
Raspbian repository was too old.)

Regards,
Hartmut
> 
> Sincerely
> Fengyu Gao
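Added example (not from the post or from dnsmasq itself): a small POSIX sh helper that parses a dnsmasq `ipset=` line of the form shown above into its domain list and set name, makes sure the set exists before dnsmasq is (re)started, and generates the matching iptables-restore fragment. The set name, domains, chain names and port 12345 are taken from the post; the `ipset create -exist` form and the `ensure_ipset` helper are assumptions, and a single set name per line is assumed (dnsmasq also allows a comma-separated list).

```shell
#!/bin/sh
# Constructed sample line, copied in shape from the dnsmasq.conf above.
LINE='ipset=/1e100.net/goo.gl/google.de/google.com/googleapis.com/google'

# Print the set name: the last "/"-separated field of an ipset= line.
ipset_name() {
    printf '%s\n' "$1" | sed 's#^ipset=##' | awk -F/ '{print $NF}'
}

# Print the domains, one per line: every field except the last.
ipset_domains() {
    printf '%s\n' "$1" | sed 's#^ipset=##; s#^/##' \
        | awk -F/ '{for (i = 1; i < NF; i++) print $i}'
}

# Count the domains (plain integer, no leading whitespace).
ipset_domain_count() {
    ipset_domains "$1" | grep -c .
}

# The set must exist before dnsmasq starts, otherwise it cannot add entries.
# "-exist" makes the create idempotent (needs root and the ipset binary).
ensure_ipset() {
    ipset create -exist "$1" hash:ip
}

# Emit iptables-restore rules: one REDSOCKS_FILTER rule per TCP port for
# destinations in the set, a RETURN for everything else, and the REDIRECT
# to the local redsocks listener. Usage: redsocks_rules SET "PORTS" LISTEN
redsocks_rules() {
    set_name="$1"; ports="$2"; listen_port="$3"
    for p in $ports; do
        printf '%s\n' "-A REDSOCKS_FILTER -m set --match-set $set_name dst -p tcp -m tcp --dport $p -j REDSOCKS"
    done
    printf '%s\n' "-A REDSOCKS_FILTER -j RETURN"
    printf '%s\n' "-A REDSOCKS -p tcp -j REDIRECT --to-ports $listen_port"
}
```

Running `redsocks_rules "$(ipset_name "$LINE")" '80 443' 12345` reproduces the four rules from the post, so the dnsmasq line stays the single place where the set name is defined.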
