[Dnsmasq-discuss] Support for adding CNAME query result to IPSET
Simon Kelley
simon at thekelleys.org.uk
Fri Sep 14 23:25:53 BST 2018
On 13/09/18 10:08, Wojtek Swiatek wrote:
>
>
> On Sat 8 Sep 2018 at 15:45, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
> No, that's a different problem. Your target name "vpnin.swtk.info" is
> coming from the DHCP subsystem, because you have a DHCP lease for a host
> called "vpnin" and have set the domain to swtk.info.
>
>
> It would be possible to fix this, and maybe even sensible, but it's
> not the same as the OP's problem with CNAMEs.
>
> Given that when the result comes from DHCP, it's pretty much guaranteed
> to be within the firewall, does it make sense to have such names checked
> by the ipset system? Genuine question. I'm unsure what people are using
> the ipsets facility for, so I don't know the answer.
>
>
> The real added value of ipset for me is the capacity to configure my
> firewall via names and not IPs.
> This is extremely useful for DHCP hosts (all of my hosts - mobiles,
> desktops, laptops and servers - are managed by dnsmasq's DHCP).
>
> Having the capacity to update an ipset from within dnsmasq (as the lease
> changes) would be great. The only alternative today is to
> manually set some hosts as infinite lease.
>
Even making DHCP-derived names part of the existing ipset system doesn't
seem to be a good solution to this. The ipset only gets updated when a
DNS lookup happens, not when the lease is created, and there definitely
isn't a way to remove ipset entries at all, which you'd need as leases
change.
What's needed is a different system, to populate ipsets based on the
DHCP lease database, and the dhcp-script system gives you the tools to
do exactly that. Any change to the DHCP lease database runs a process
(as root) which has access to the IP address, hostname, MAC address, and
anything else you might need. A suitable script can be written that
directly manipulates the relevant ipsets in any way you might want.
Cheers,
Simon
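The dhcp-script approach Simon describes, as an added example that is not part of the original thread or of dnsmasq itself: a POSIX sh script configured with `dhcp-script=/path/to/lease-ipset.sh`, which dnsmasq invokes as `<script> add|old|del <MAC> <IP> [hostname]` on every lease change. The ipset names and the hostname-to-set table are constructed for this example. Because the script runs as root and the hostname is whatever the DHCP client claimed, it only ever matches the hostname against a fixed table and checks that the address is an IPv4 dotted quad before building an `ipset` command; lease changes for hosts not in the table are ignored.

```shell
#!/bin/sh
# Added example: keep ipsets in step with the dnsmasq DHCP lease database.
# Assumed to be installed as  dhcp-script=/etc/dnsmasq.d/lease-ipset.sh
# dnsmasq calls it as:  <script> add|old|del <MAC> <IP> [hostname]
# "old" is sent for every existing lease at startup, so adds are idempotent.

# set_for_host HOSTNAME -> prints the ipset that hostname belongs to.
# The table is constructed sample data. The client-supplied hostname is only
# ever matched here, never interpolated into a command line.
set_for_host() {
    case "$1" in
        laptop|phone) echo allowed_clients ;;
        nas)          echo trusted_servers ;;
        *)            return 1 ;;
    esac
}

# is_ipv4 ADDR -> succeeds only for a well-formed dotted quad.
# dnsmasq also reports IPv6 leases; this example manages IPv4 sets only.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# lease_to_ipset_cmd ACTION MAC IP [HOSTNAME]
# Prints the ipset command for this lease event, or fails if the event
# should be ignored (unknown host, non-IPv4 address, unknown action).
lease_to_ipset_cmd() {
    action=$1; ip=$3; host=$4
    is_ipv4 "$ip" || return 1
    target_set=$(set_for_host "$host") || return 1
    case "$action" in
        add|old) printf 'ipset add %s %s -exist\n' "$target_set" "$ip" ;;
        del)     printf 'ipset del %s %s -exist\n' "$target_set" "$ip" ;;
        *)       return 1 ;;
    esac
}

# Entry point when dnsmasq runs the script with its lease arguments.
if [ $# -ge 3 ]; then
    cmd=$(lease_to_ipset_cmd "$@") || exit 0   # nothing to do for this lease
    $cmd
fi
```

The `-exist` flag makes `ipset add` and `ipset del` succeed when the entry is already present or already gone, which matters because dnsmasq replays every lease as an `old` event at startup and because a lease can expire after its entry was removed by hand. Anything you log from this script should treat the hostname as untrusted data, for the same reason it is only matched against a table here.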