[Dnsmasq-discuss] feature request : NXDOMAIN all domains on network

Simon Kelley simon at thekelleys.org.uk
Fri Mar 19 22:51:15 UTC 2021


On 19/03/2021 16:23, dnsmasqlist2021 at rscubed.com wrote:
> 
> On Fri, 19 Mar 2021, James Feeney wrote:
> 
>> On 3/17/21 7:19 PM, dnsmasqlist2021 at rscubed.com wrote:
>>>>> I would like to use it with the spamhaus DROP list (A list of bad
>>>>> network blocks) to make all domains (known and currently unknown) on
>>>>> those networks disappear.
>>
>> Hmm - how do you actually configure this?  Do you dynamically generate
>> /etc/dnsmasq.conf, derived using the spamhaus DROP list?
>>
>> Could --ignore-address= and --bogus-nxdomain= be made to accept a file
>> name or file names of a file or files containing a list of CIDR
>> network ip addresses? Perhaps --ignore-address-file= and
>> --bogus-nxdomain-file= ?
>>
>> James
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>>
> 
> 
> I am just going to do it dynamically with a script once a day...
> 
> Something like:
> 
> links -source https://www.spamhaus.org/drop/drop.txt |
>   grep -v '^;' |
>   grep -Eo '^[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[/][0-9]{1,2}' |
>   awk '{print "bogus-nxdomain="$0}' > /etc/dnsmasq.d/SpamhausDROP.conf
> 
> I personally like the bogus-nxdomain better as it seems to return
> immediately and ignore-address seems to time out.


That seems a sensible way to do it. Use bogus-nxdomain. ignore-address
is meant to time out. It's a countermeasure for censorship where the GFOC
or similar injects bad answers to lookups of suspect domains. By
ignoring those, the port stays open to accept the later, real, answer.

Simon.

> 
> Matt
> 
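As an added example (not code from the thread or from dnsmasq), a POSIX sh version of Matt's generator that validates every CIDR before emitting it, since dnsmasq refuses to start when a bogus-nxdomain= entry does not parse as an address; the DROP-format sample text and its two broken entries are constructed.

```shell
#!/bin/sh
# Added example: convert a Spamhaus DROP-format listing ("CIDR ; SBLnnn"
# per entry, ';' starts a comment) into dnsmasq bogus-nxdomain= lines,
# keeping only well-formed IPv4 blocks so a bad line cannot break startup.

# valid_cidr A.B.C.D/N: succeed only if each octet is 0-255 and N is 0-32.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/|.*|*./*|*..*) return 1 ;;  # shape checks
        */*) ;;
        *) return 1 ;;                                   # no prefix length
    esac
    prefix=${1#*/}
    [ "$prefix" -le 32 ] || return 1
    # Split the address on '.' in a subshell so the caller's IFS is untouched.
    set -- $(IFS=.; printf '%s\n' ${1%/*})
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# drop_to_dnsmasq: read DROP text on stdin, write config lines to stdout and
# report every rejected entry on stderr instead of silently passing it on.
drop_to_dnsmasq() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|';'*) continue ;; esac
        cidr=${line%%;*}                 # drop the "; SBLnnn" annotation
        cidr=${cidr%%[[:space:]]*}       # and any trailing whitespace
        if valid_cidr "$cidr"; then
            printf 'bogus-nxdomain=%s\n' "$cidr"
        else
            printf 'rejected malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample in DROP format (documentation prefixes, not real list
# contents); the last two entries are deliberately invalid.
SAMPLE_DROP='; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
999.0.113.0/24 ; SBL000003
203.0.113.0/40 ; SBL000004'

# Stand-alone run: print the generated config for the sample.
printf '%s\n' "$SAMPLE_DROP" | drop_to_dnsmasq
```

In a daily cron job, write the output to a temporary file, run `dnsmasq --test` against the configuration, and only then move it over /etc/dnsmasq.d/SpamhausDROP.conf and restart the daemon.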