[Dnsmasq-discuss] Query for a netsec feature

imnozi at gmail.com imnozi at gmail.com
Thu May 1 14:14:02 UTC 2025


Sorry! Please disregard! I hit the wrong button. As the first line says, it needs a lot more thought about what I want it to do (perhaps fetch all addresses for a name--unless miscreants rarely have FQDNs that resolve to more than one address, remove old addresses from IPset sets, and use 'unwanted' instead of 'local'). What I wrote below is far too incomplete.

Neal


On Thu, 1 May 2025 10:00:29 -0400
<imnozi at gmail.com> wrote:

> NEEDS MORE THOUGHT!!!!!
> 
> On my firewall, I use the Univ. of Toulouse categorization lists to get lots of maleficent and other undesired domain names (e.g., ads, pron, warez, ddos, cryptojacking, stalkerware, et alia; around 1.2M right now). I define them as local; dnsmasq responds right quickly in the negative. Dnsmasq uses just over 100 MiB RAM with all those entries.
> 
> My philosophy is that if a host is known to contain content I don't want near my network, then I don't want *any* contact with that host. Alas, dnsmasq only prevents outgoing connections to said host via the domain name; it would be nice to have the IP address to add to netfilter.
> 
> The one drawback is that IP addresses for a host name can and do change.
> 
> Hence my inquiry about a possible new feature for dnsmasq that can be turned on and off. Dnsmasq would still immediately return 'no such address' for queries for local names. In addition, it would also send the name to a 'dnsmasqsec' daemon to fetch and cache the address and add it to an IPset set so the IP address can also be blocked.
> 
> Thinking a bit more, that daemon could be dnsmasq running in a special 'anti-miscreant' mode. This mode would listen only to a pipe for hostnames/FQDNs. If the name is in the cache, no further action is taken because it looked up that name 'recently'.
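The helper below is an added example, not dnsmasq code and not part of the message above. It sketches the 'anti-miscreant' side of the proposal as a stand-alone script: names arrive one per line (as they would on a pipe), each name is resolved to all of its A/AAAA addresses, new addresses are added to an ipset set, addresses that have disappeared since the last lookup are removed, and a name looked up 'recently' is skipped. The resolver is injected as a callable so the example runs offline against constructed answers; a real deployment would query an upstream resolver directly, because dnsmasq itself answers NXDOMAIN for these names. The set names `unwanted4`/`unwanted6`, the TTL, the sample hostnames and their addresses are all assumptions made for the example. One caveat the original proposal does not mention: a hostile name can resolve to loopback, RFC 1918 or link-local space, and blindly blocking those addresses would cut the firewall off from its own LAN, so such answers are dropped.

```python
"""Sketch of a resolve-and-block helper for names dnsmasq already answers
NXDOMAIN for (added example; not dnsmasq's code and not from the post)."""
import ipaddress
import subprocess
import time

# Assumed ipset set names (create with `ipset create unwanted4 hash:ip` and
# `ipset create unwanted6 hash:ip family inet6`, then match them in netfilter).
SET_V4 = "unwanted4"
SET_V6 = "unwanted6"

# Answers in these ranges are never blocked: a blocklisted name resolving to
# 127.0.0.1 or the LAN gateway must not be able to lock us out of our own LAN.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def blockable(addr):
    """Parse one answer; return an ip address object, or None if it must not be blocked."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if any(ip in net for net in _NEVER_BLOCK):
        return None
    return ip


def _set_for(ip):
    return SET_V4 if ip.version == 4 else SET_V6


class BlockedHostTracker:
    """Remembers the last address set per name and emits ipset add/del commands."""

    def __init__(self, resolve, ttl=3600, clock=time.time):
        self.resolve = resolve  # callable: name -> iterable of address strings
        self.ttl = ttl          # seconds for which a name counts as looked up 'recently'
        self.clock = clock
        self.cache = {}         # name -> (expires_at, frozenset of ip objects)

    def update(self, name):
        """Return the ipset commands (argv lists) needed for `name`; [] if cached."""
        name = name.strip().rstrip(".").lower()
        if not name:
            return []
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry[0] > now:
            return []                        # looked up recently, nothing to do
        old = entry[1] if entry is not None else frozenset()
        new = frozenset(ip for ip in map(blockable, self.resolve(name)) if ip is not None)
        order = lambda ip: (ip.version, int(ip))
        cmds = []
        for ip in sorted(new - old, key=order):        # addresses that appeared
            cmds.append(["ipset", "add", "-exist", _set_for(ip), str(ip)])
        for ip in sorted(old - new, key=order):        # addresses that went away
            cmds.append(["ipset", "del", "-exist", _set_for(ip), str(ip)])
        self.cache[name] = (now + self.ttl, new)
        return cmds


def process_lines(lines, tracker):
    """Feed names, one per line as they would arrive on the FIFO, to the tracker."""
    cmds = []
    for line in lines:
        cmds.extend(tracker.update(line))
    return cmds


def serve_fifo(path, tracker, run=subprocess.run):
    """Read names from a named pipe (`mkfifo path`) forever and apply the commands."""
    while True:
        with open(path) as fifo:             # blocks until a writer opens the pipe
            for cmd in process_lines(fifo, tracker):
                run(cmd, check=False)


# Constructed sample answers standing in for an upstream resolver (not real data).
SAMPLE_ANSWERS = {
    "bad.example": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "lan-poison.example": ["127.0.0.1", "192.168.1.1", "192.0.2.99"],
}


def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    tracker = BlockedHostTracker(sample_resolve, ttl=60)
    for cmd in process_lines(["bad.example\n", "BAD.example.\n", "lan-poison.example\n"], tracker):
        print(" ".join(cmd))
```

Running the script prints the `ipset` commands for the constructed names; the second, differently cased spelling of `bad.example` produces nothing because the name was just looked up, and only `192.0.2.99` survives from `lan-poison.example`. Pass `serve_fifo("/run/unwanted.fifo", tracker)` to have the same logic read names written to a pipe by whatever notices the NXDOMAIN answers.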



