[Dnsmasq-discuss] URIBL_BLOCKED with dnsmasq and server options
Jelle de Jong
jelledejong at powercraft.nl
Tue Aug 30 19:09:33 UTC 2022
On 8/30/22 17:41, Buck Horn wrote:
>
> On 18.08.22 11:08, Jelle de Jong wrote:
> >
> > I understand dnsmasq is an forwarding dns server and I was wondering
> > if there is a way to configure it to do dns lookups using it own IP
> > external address instead of the server forwarders, maybe just for
> > URIBL lookups ...
>
>
> It isn't entirely clear to me what you are trying to achieve.
>
> Your suggestion sounds as if you'd want your dnsmasq to use its own
> external IP address instead of a public DNS resolver as an upstream
> forward target. I wouldn't recommend that, as that would close a DNS loop.
>
> But since you mention URIBL:
> Maybe you are just looking for a way to avoid being rate-limited or
> outright blocked when doing URIBL lookups via a public resolver?
>
> If that's the case, and if your network's URIBL.COM DNS query volume is
> low, it should be easy enough to configure dnsmasq to send specifically
> those DNS requests to one of their public DNS mirrors, as mentioned in:
> https://uribl.com/about.shtml
>
> dnsmasq's *server* option is likely what you need, and it's well
> explained at
> https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
>
> You could start by giving the following line a try:
> server=/uribl.com/<URIBL DNS mirror here>
>
> Substitute <URIBL DNS mirror here> with a respective IP address of one
> of URIBL's DNS mirrors.
> Note that URIBL qualifies those mirrors for usage by 'low volume end
> users'.
>
> If that isn't what you are aiming for, please elaborate your original
> problem.
>
> Regards,
> Buck
>
I tried this, but it is not working, as expected, as the mirrors are
not DNS resolving mirrors but just alternatives for uribl.com as far as
I can see:
server=/uribl.com/ff.uribl.com
server=/uribl.com/54.153.32.255
However, Eric Fahlgren suggested unbound.
So I set up dnsmasq with only one server:
server=127.0.0.1#533
and ran unbound with the following config:
server:
    port: 533
    verbosity: 0
    num-threads: 2
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 32m
    interface: 127.0.0.1
    rrset-cache-size: 64m
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    access-control: 127.0.0.0/8 allow
    username: unbound
    directory: "/etc/unbound"
    logfile: "/var/log/unbound.log"
    use-syslog: no
    hide-version: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
remote-control:
    control-enable: yes
    control-port: 953
    control-interface: 127.0.0.1
This seems to be working, and my URIBL requests are not blocked any more!
What would be a better port than 533 for a localhost-only DNS service?
Is there something like 8080 for DNS (just 5353 is mDNS)? What do people use?
# getent services domain-alt
# getent services dns-alt
# getent services 5353
mdns 5353/udp
Kind regards,
Jelle de Jong
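As an added example (not from the thread or from dnsmasq itself), a small Python checker for server= lines like the ones posted above: it parses the server=[/domain/...]address[#port] form from the dnsmasq man page, flags a hostname target such as ff.uribl.com (dnsmasq needs an IP address there), and flags a target that points back at dnsmasq's own listen address and port, the DNS loop Buck warned about. The sample config, the 127.0.0.1:53 listener default and the function names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the two lines that failed in the thread, the working
# forwarder on port 533, and one hypothetical line pointing back at dnsmasq.
SAMPLE_CONF = """\
server=/uribl.com/ff.uribl.com
server=/uribl.com/54.153.32.255
server=127.0.0.1#533
server=127.0.0.1#53
"""

# server=[/domain/...]address[#port]; the special empty and '#' targets and
# the @interface/@source suffixes from the man page are out of scope here.
LINE_RE = re.compile(
    r"^server=(?P<domains>(?:/[^/\s]+)*/)?(?P<target>[^#\s/]+)(?:#(?P<port>\d+))?$"
)

@dataclass
class ServerLine:
    domains: list   # empty list = default upstream for all other names
    target: str     # upstream address; dnsmasq requires a literal IP here
    port: int = 53

def parse_server_line(line):
    """Split one server= line into its domain list, target and port."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a server= line: {line!r}")
    domains = [d for d in (m["domains"] or "").split("/") if d]
    return ServerLine(domains, m["target"], int(m["port"] or 53))

def check_server_lines(conf, listen_addr="127.0.0.1", listen_port=53):
    """Return (line, problem) pairs for hostname targets and self-referencing loops."""
    problems = []
    for raw in conf.splitlines():
        if not raw.startswith("server="):
            continue
        s = parse_server_line(raw)
        try:
            addr = ipaddress.ip_address(s.target)
        except ValueError:
            # dnsmasq does not resolve names in server=; a hostname is rejected at startup
            problems.append((raw, "target must be an IP address, not a hostname"))
            continue
        if str(addr) == listen_addr and s.port == listen_port:
            problems.append((raw, "target is dnsmasq's own listener: DNS loop"))
    return problems
```

Running check_server_lines(SAMPLE_CONF) reports the ff.uribl.com line and the 127.0.0.1#53 line; the port 533 forwarder to unbound passes.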