[Dnsmasq-discuss] Example for connmark based filtering

Uwe Schindler uwe at thetaphi.de
Sun Aug 18 11:42:10 UTC 2024


Hi Geert,

thanks, all fine. I was in a bit of a hurry yesterday, so my original post 
may not have all relevant information.

>> I know there is the feature to reject DNS queries from hosts based on
>> marking the connection with iptables. I tried to set this up for some
>> specific radio device which has a buggy weather.com webservice API
>> that crashes on broken results. I know if I filter some weather.com
>> API requests completely in dnsmasq, the device no longer shows weather
>> and does not crash.
>>
>> I know how to add connmarks to the iptables mangle table, but I did not
>> get the filtering running.
>>
>> Does anybody have an example of how to set up the combination of iptables
>> mangle rules with dnsmasq? The documentation man page has no example
>> and is far from useful. I have no idea what mark means and what those
>> masks are. Basically I want to mark all DNS packets (UDP port 53)
>> from a specific device on the internal network with some tag and instruct
>> dnsmasq to not answer DNS requests for a specific domain. The iptables
>> rules are easy to set up, but I have no idea what to pass to the connmark
>> iptables module (no mention of masks there, but marks) and how to
>> set up dnsmasq.
>>
>> It would really be good to have an educating example in the dnsmasq
>> documentation of a working setup (both for dnsmasq config and for some
>> example iptables rules).
>>
>> Any ideas?
> git clone URL_of_dnsmasq_source dnsmasq
> cd dnsmasq/contrib/conntrack
> cat README

Basically, the mentioned README file is already known to me and is only 
partly useful, as it is missing an important part: how to configure 
dnsmasq so it works correctly with the given iptables examples? The 
convention of using "masks" requires the reader to understand in a 
detailed way how connection "marks" work and how they interact with 
masks. So marks should always be powers of 2, because whenever you assign 
multiple marks to the same connection they are "or"ed together by the 
iptables kernel code. This is why it is useful to "and" them with an 
expected mask when analyzing them on the dnsmasq side. If you only have a 
single mark assigned to all connections it's not an issue and you don't 
need masks, but you have to keep that in mind and better stick with 
using powers of 2 as marks.

To come back to my current problem: further investigation shows that it 
won't work with dnsmasq because there's one feature missing: you can only 
"allow" DNS resolving when specific marks/masks are given, but there's 
no way to explicitly disallow a specific DNS resolution when a 
mark/mask combination is present (this would have been required to only 
disallow a single device's access to a specific domain). So it might be 
a good idea to add "--connmark-rejectlist" to dnsmasq, because this is 
missing to implement that.

Thinking a bit more, I have another idea which may work, too - but 
it's also limited: use the dnsmasq "ipset" or "nftset" features to place 
all resulting IP addresses of a DNS resolution into an ipset. Because the 
device always queries the DNS name first, any later connections 
established to those IPs can be matched by iptables rules. I can then 
add a rule which rejects HTTPS connections to those IP addresses (not 
drop but TCP reject them, otherwise it leads to timeouts and crashes in 
the radio device). The problem with that approach is that it also blocks 
access to legitimate services on the same IP address (and unfortunately 
weather.com/accuweather are using CDNs, so blocking their IPs is a bad 
idea).

So I have no idea how to ideally block a specific device from resolving 
a specific hostname, but let go through all other requests.

>> Many thanks
> Idea for a better "Many thanks": Share with the mailinglist archive
> feedback on the file contrib/conntrack/README like a "Works for me"
> or even an addition as "Here a patch that documents my working use case".
You might know my name (just Google for it): I am a very active open 
source person. If I find out anything useful, I will contribute 
it back.

P.S.: Some of the dnsmasq features regarding IPv6 and the lifetime 
of IPv6 prefixes and announcing removed prefixes also go back to my idea 
contributions from around 2012.
> Groeten
> Geert Stappers
Thanks, Uwe

-- 
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail:uwe at thetaphi.de
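As an added example (not from this thread and not code from the dnsmasq project), the following POSIX shell script models the mark/mask arithmetic discussed in the message above: how the conntrack mark bits set by several iptables CONNMARK rules are OR'ed together on one connection, why a masked comparison is needed to pick a single bit back out, and why non-power-of-two mark values collide. The device addresses, the mark values 0x1/0x2, and the matching rule "(mark & mask) == value" used for a value/mask allowlist entry are assumptions for illustration; the iptables rules in the comments are the shape being modelled and are not executed by the script.

```shell
#!/bin/sh
# Added example, not code from the thread or from the dnsmasq project.
# A POSIX-shell model of how iptables CONNMARK bits combine on one
# connection and how a mark/mask test on the consumer side picks them
# apart. Addresses, mark values and the match rule are assumptions.
#
# The rules being modelled (illustrative only, not executed here):
#   iptables -t mangle -A PREROUTING -s 192.168.1.50 -p udp --dport 53 \
#     -j CONNMARK --set-mark 0x1/0x1    # bit 0: the radio's DNS queries
#   iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 \
#     -j CONNMARK --set-mark 0x2/0x2    # bit 1: any LAN DNS query
# Both rules fire for the radio, so its conntrack mark ends up as 0x3.

# set_mark CTMARK VALUE MASK
# Models "--set-mark value/mask": clear the bits in MASK, then OR VALUE in.
set_mark() {
  echo $(( ($1 & ~$3) | $2 ))
}

# matches CTMARK VALUE MASK
# The mask-aware test assumed for a "value/mask" allowlist entry:
# true when the masked mark equals VALUE.
matches() {
  [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# classify CTMARK
# Echoes which device class a mark belongs to, checking the radio bit
# through its mask so that extra bits set by other rules do not hide it.
classify() {
  if matches "$1" 0x1 0x1; then
    echo radio
  elif matches "$1" 0x2 0x2; then
    echo lan
  else
    echo unmarked
  fi
}

# Constructed scenario: the radio hits both rules, a laptop only the second.
radio_mark=$(set_mark 0 0x1 0x1)
radio_mark=$(set_mark "$radio_mark" 0x2 0x2)   # 0x1 | 0x2 = 0x3
laptop_mark=$(set_mark 0 0x2 0x2)              # 0x2

echo "radio  mark=$radio_mark  -> $(classify "$radio_mark")"
echo "laptop mark=$laptop_mark -> $(classify "$laptop_mark")"

# Why the exact-value test fails: with a full mask the radio (0x3) never
# equals 0x1, even though its radio bit is set.
if matches "$radio_mark" 0x1 0xff; then
  echo "exact match on 0x1 would see the radio"
else
  echo "exact match on 0x1 misses the radio (mark is $radio_mark)"
fi

# Why marks should be powers of two: a third class tagged 0x3 is
# indistinguishable from "radio AND lan" once the bits are OR'ed together.
third_mark=$(set_mark 0 0x3 0x3)
if [ "$third_mark" -eq "$radio_mark" ]; then
  echo "mark 0x3 collides with radio|lan; use 0x4 for a third class"
fi
```

The same value/mask form is what a mask-aware consumer such as an allowlist entry of the form value/mask needs: test the one bit you assigned to the device rather than the whole mark, so that other mangle rules tagging the same connection do not break the match.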