[Dnsmasq-discuss] Support for adding CNAME query result to IPSET

Simon Kelley simon at thekelleys.org.uk
Sat Sep 8 14:45:36 BST 2018


No, that's a different problem. Your target name "vpnin.swtk.info" is
coming from the DHCP subsystem, because you have a DHCP lease for a host
called "vpnin" and have set the domain to swtk.info.


It would be possible to fix this, and maybe even sensible, but it's
not the same as the OP's problem with CNAMEs.

Given that when the result comes from DHCP, it's pretty much guaranteed
to be within the firewall, does it make sense to have such names checked
by the ipset system? Genuine question. I'm unsure what people are using
the ipsets facility for, so I don't know the answer.


Cheers,


Simon.

On 07/09/18 13:49, Wojtek Swiatek wrote:
> I incidentally have the same problem (I started to tackle ipset today).
> Taking your example:
> 
> root at srv ~# dnsmasq -d --log-queries --ipset=/vpnin.swtk.info/vpnin
> dnsmasq: started, version 2.79 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6
> no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> dnsmasq-dhcp: DHCP, IP range 10.200.0.1 -- 10.200.0.230, lease time 10d
> dnsmasq-dhcp: DHCP, IP range 10.10.10.1 -- 10.10.10.200, lease time 10d
> dnsmasq-dhcp: DHCP, IP range 10.1.1.1 -- 10.1.1.100, lease time 10d
> dnsmasq-dhcp: DHCP, IP range 10.100.20.1 -- 10.100.20.230, lease time 10d
> dnsmasq-dhcp: DHCP, IP range 10.100.10.1 -- 10.100.10.230, lease time 10d
> dnsmasq: using nameserver 8.8.4.4#53
> dnsmasq: using nameserver 1.1.1.1#53
> dnsmasq: read /etc/hosts - 8 addresses
> dnsmasq: query[A] vpnin.swtk.info from 127.0.0.1
> dnsmasq: DHCP vpnin.swtk.info is 10.200.0.2
> 
> the vpnin ipset is already created (and stays empty):
> 
> root at srv ~# ipset vpnin
> ipset v6.34: No command specified: unknown argument vpnin
> Try `ipset help' for more information.
> root at srv ~# ipset list vpnin
> Name: vpnin
> Type: hash:ip
> Revision: 4
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 88
> References: 0
> Number of entries: 0
> Members:
> 
> 
> Cheers,
> Wojtek
> 
> 
> On Tue 4 Sep 2018 at 01:21, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>     Are you sure? It seems to work for me.
> 
> 
> 
>     srk at holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d -p 10000 --log-queries
>     --ipset=/www.comcast.com/test
>     dnsmasq: started, version 2.80test4 cachesize 150
>     dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
>     DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect
>     inotify dumpfile
>     dnsmasq: reading /etc/resolv.conf
>     dnsmasq: using nameserver 127.0.1.1#53
>     dnsmasq: read /etc/hosts - 8 addresses
>     dnsmasq: query[A] www.comcast.com from 127.0.0.1
>     dnsmasq: forwarded www.comcast.com to 127.0.1.1
>     dnsmasq: reply www.comcast.com is <CNAME>
>     dnsmasq: reply www.comcast.com.edgekey.net is <CNAME>
>     dnsmasq: ipset add test 2.22.99.93 e523.dscb.akamaiedge.net
>     dnsmasq: reply e523.dscb.akamaiedge.net is 2.22.99.93
> 
>     Cheers,
> 
>     Simon.
> 
> 
>     On 26/08/18 08:48, esinpublic-2012 at yahoo.com.hk wrote:
>     > Hi, 
>     >
>     > When running with the ipset configuration, e.g.
>     >
>     > ipset=/example.com/whitelist
>     >
>     >
>     > If the query result is a CNAME of a different domain, e.g.
>     >
>     > example.com.                        300  IN  CNAME  d123456789abcdefg.cloudfront.net.
>     > d123456789abcdefg.cloudfront.net.    60  IN  A      123.123.123.123
>     >
>     > The IP address 123.123.123.123 would not be added to the IPSET. May I
>     > ask if it is possible to have dnsmasq add the final resolved IP into
>     > the ipset?
>     >
>     > Thank you!
>     >
>     >
>     > _______________________________________________
>     > Dnsmasq-discuss mailing list
>     > Dnsmasq-discuss at lists.thekelleys.org.uk
>     > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>     >
> 
> 
> 
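As an added example (not code from the thread or from dnsmasq itself), here is a small Python audit over dnsmasq --log-queries output. It runs on a constructed sample modelled on the two sessions quoted above, rebuilds each query's CNAME chain from the successive "reply" lines, records whether an "ipset add" was logged for the final address, and flags answers that came from the DHCP lease table, which is the case Simon describes where the ipset hook is never reached.

```python
import re

# Constructed sample modelled on the --log-queries lines quoted in this thread.
SAMPLE_LOG = """\
dnsmasq: query[A] www.comcast.com from 127.0.0.1
dnsmasq: forwarded www.comcast.com to 127.0.1.1
dnsmasq: reply www.comcast.com is <CNAME>
dnsmasq: reply www.comcast.com.edgekey.net is <CNAME>
dnsmasq: ipset add test 2.22.99.93 e523.dscb.akamaiedge.net
dnsmasq: reply e523.dscb.akamaiedge.net is 2.22.99.93
dnsmasq: query[A] vpnin.swtk.info from 127.0.0.1
dnsmasq-dhcp: DHCP vpnin.swtk.info is 10.200.0.2
"""

QUERY = re.compile(r"query\[A\] (\S+) from")
REPLY = re.compile(r"reply (\S+) is (\S+)")
IPSET = re.compile(r"ipset add (\S+) (\S+) (\S+)")
DHCP = re.compile(r"DHCP (\S+) is (\S+)")

def audit(log):
    """Per A query: source ("upstream"/"dhcp"), CNAME chain, final ip, ipset name or None."""
    results, current = {}, None
    for line in log.splitlines():
        if m := QUERY.search(line):
            current = m.group(1)
            results[current] = {"source": "upstream", "chain": [current], "ip": None, "ipset": None}
        elif current is None:
            continue
        elif m := DHCP.search(line):
            # Answered from the DHCP lease table: nothing was forwarded, so the ipset hook never runs.
            results[current].update(source="dhcp", ip=m.group(2))
        elif m := IPSET.search(line):
            results[current]["ipset"] = m.group(1)
        elif m := REPLY.search(line):
            name, value = m.groups()
            rec = results[current]
            if name not in rec["chain"]:
                rec["chain"].append(name)   # each CNAME target shows up as the next reply line
            if value != "<CNAME>":
                rec["ip"] = value           # first non-CNAME reply is the resolved address
    return results

def verdict(rec):
    """Explain why a resolved address did or did not land in an ipset."""
    if rec["source"] == "dhcp":
        return f"{rec['ip']} came from a DHCP lease; ipset is not consulted"
    if rec["ipset"]:
        return f"{rec['ip']} added to ipset '{rec['ipset']}' via {' -> '.join(rec['chain'])}"
    return f"{rec['ip']} resolved upstream but no ipset add was logged"
```

Feed it a real log (`dnsmasq -d --log-queries` output) instead of SAMPLE_LOG to check that every forwarded answer for a name under --ipset actually produced an "ipset add" line.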