[Dnsmasq-discuss] Query for a netsec feature

Simon Kelley simon at thekelleys.org.uk
Thu May 1 21:02:33 UTC 2025


Certainly needs more thought. This is a perfect DoS vector. There's 
nothing to stop the domains returning useful IP addresses (Google's, 
Microsoft's, Netflix's) and blacklisting those. You're giving the ability 
to break your access to any IP address to the controllers of 1.2M dodgy 
domains.

Simon.


On 01/05/2025 15:00, imnozi at gmail.com wrote:
> NEEDS MORE THOUGHT!!!!!
> 
> On my firewall, I use the Univ. of Toulouse categorization lists to get lots of maleficent and other undesired domain names (e.g., ads, pron, warez, ddos, cryptojacking, stalkerware, et alia; around 1.2M right now). I define them as local; dnsmasq responds right quickly in the negative. Dnsmasq uses just over 100MiB RAM with all those entries.
> 
> My philosophy is that if a host is known to contain content I don't want near my network, then I don't want *any* contact with that host. Alas, dnsmasq only prevents outgoing connections to said host via the domain name; it would be nice to have the IP address to add to netfilter.
> 
> The one drawback is that IP addresses for a host name can and do change.
> 
> Hence my inquiry about a possible new feature for dnsmasq that can be turned on and off. Dnsmasq would still immediately return 'no such address' for queries for local names. In addition, it would also send the name to a 'dnsmasqsec' daemon to fetch and cache the address and add it to an IPset set so the IP address can also be blocked.
> 
> Thinking a bit more, that daemon could be dnsmasq running in a special 'anti-miscreant' mode. This mode would listen only to a pipe for hostnames/FQDNs. If the name is in the cache, no further action is taken because it looked up that name 'recently'.
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 
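The exchange above describes a resolver-to-ipset pipeline (resolve each blocklisted name, block whatever address comes back) and the DoS it opens up: whoever controls a blocklisted domain chooses which address gets blocked. The following simulation, added here as an illustration and not code from dnsmasq or from either poster, shows both the naive pipeline and a guarded variant that refuses to block an address also served by an allowlisted name or inside an allowlisted network. All DNS data, names and addresses are constructed (RFC 5737 documentation ranges); no lookups are made, and the `resolve`, `naive_ipset` and `guarded_ipset` functions are assumptions of this example.

```python
"""Simulation of "resolve blocklisted names and block their IPs".

Shows why an attacker-controlled blocklisted domain can get a legitimate
address blocked, and one mitigating check (an allowlist of names/networks
whose addresses are never added to the block set). Constructed data only.
"""

import ipaddress

# Constructed stand-in for the resolver's view of DNS (no real lookups).
FAKE_DNS = {
    "malware.example": ["203.0.113.10"],
    "ads.example": ["203.0.113.20"],
    # A blocklisted domain whose controller has pointed it at an address
    # shared with a legitimate service: the DoS vector described above.
    "dodgy.example": ["198.51.100.5"],
    "mail.example.net": ["198.51.100.5"],   # legitimate service, same IP
}

# Constructed blocklist, standing in for the 1.2M-entry category lists.
BLOCKLIST = {"malware.example", "ads.example", "dodgy.example"}


def resolve(name):
    """Hypothetical resolver hook; returns the constructed A records."""
    return FAKE_DNS.get(name, [])


def naive_ipset(blocklist, resolver=resolve):
    """The pipeline as proposed: every address a blocklisted name resolves
    to goes straight into the block set. Returns the set of blocked IPs."""
    blocked = set()
    for name in blocklist:
        blocked.update(resolver(name))
    return blocked


def guarded_ipset(blocklist, allow_names=(), allow_cidrs=(), resolver=resolve):
    """Same pipeline with a guard: an address is skipped (and reported) if an
    allowlisted name also resolves to it or it lies in an allowlisted network.
    Returns (blocked_ips, {skipped_ip: blocklisted_name_that_returned_it})."""
    protected = set()
    for name in allow_names:
        protected.update(resolver(name))
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]

    blocked, skipped = set(), {}
    for name in blocklist:
        for ip in resolver(name):
            addr = ipaddress.ip_address(ip)
            if ip in protected or any(addr in n for n in nets):
                skipped[ip] = name      # would have blocked a legitimate host
                continue
            blocked.add(ip)
    return blocked, skipped


if __name__ == "__main__":
    print("naive  :", sorted(naive_ipset(BLOCKLIST)))
    blocked, skipped = guarded_ipset(BLOCKLIST, allow_names=["mail.example.net"])
    print("guarded:", sorted(blocked))
    print("skipped:", skipped)
```

The guard only narrows the hole rather than closing it: a domain controller can still point a blocklisted name at any address that is not on the allowlist, so the blocked set remains chosen by an untrusted party. That is the residual risk the reply is pointing at, and why a design that derives firewall rules from attacker-controlled DNS answers needs a stronger basis than the answer itself (for instance, blocking only addresses that appear in an independently curated IP list).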