[Dnsmasq-discuss] Dnsmasq issues with ipsets and nftsets
Florent Fourcot
florent.fourcot at wifirst.fr
Mon Sep 1 20:06:55 UTC 2025
Hello,

I can confirm that the ipset option is working great. We are defining one
rule per line in our configuration file, like this:

ipset=/browser.sentry-cdn.com/whitelist
ipset=/sentry.io/whitelist

The "whitelist" ipset is a hash:ip ipset. I never tried to configure
multiple set names or domains on the same line.

The main corner case is to set a timeout option on the set, so as not to
keep the IP in the set forever. In that case, you should add a max-cache-ttl
option in your dnsmasq configuration, lower than the timeout configured
in the set. Second corner case: hardcoded IPs in /etc/hosts are not
resolved, so they are never added to the sets.

Best regards,
Florent
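
A check for the first corner case in the message above, as an added example that is not part of the original message or of dnsmasq: it compares max-cache-ttl in a dnsmasq configuration with the timeout of each set named on an ipset= line, read from `ipset list -terse` output. The sample configuration, the set names "longlived" and "notimeout", and all numeric values are constructed.

```python
import re
# Constructed samples (not from the message): dnsmasq config, `ipset list -terse` output.
DNSMASQ_CONF = """\
max-cache-ttl=300
ipset=/browser.sentry-cdn.com/whitelist
ipset=/example.org/longlived,notimeout
"""
IPSET_TERSE = """\
Name: whitelist
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Name: longlived
Header: family inet hashsize 1024 maxelem 65536 timeout 120
Name: notimeout
Header: family inet hashsize 1024 maxelem 65536
"""

def parse_conf(text):
    """Return (max-cache-ttl or None, names of sets used by ipset= lines)."""
    ttl, sets = None, set()
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].strip().partition("=")
        if key == "max-cache-ttl" and value.isdigit():
            ttl = int(value)
        elif key == "ipset":
            # ipset=/<domain>[/<domain>...]/<set>[,<set>...]: sets follow the last "/"
            sets.update(s for s in value.rsplit("/", 1)[-1].split(",") if s)
    return ttl, sets

def parse_timeouts(terse):
    """Map set name -> default timeout in seconds (None when the set has none)."""
    timeouts, name = {}, None
    for line in terse.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Header:") and name:
            m = re.search(r"\btimeout (\d+)", line)
            timeouts[name] = int(m.group(1)) if m else None
    return timeouts

def check(conf_text, terse_text):
    """List (set, problem) pairs where the rule from the message is not met."""
    ttl, sets = parse_conf(conf_text)
    timeouts, findings = parse_timeouts(terse_text), []
    for name in sorted(sets):
        timeout = timeouts.get(name)
        if timeout is None:
            findings.append((name, "no timeout, or set not found"))
        elif ttl is None or ttl >= timeout:
            findings.append((name, f"max-cache-ttl {ttl} is not below timeout {timeout}"))
    return findings
```

On a real host, pass the contents of the dnsmasq configuration file and the captured output of `ipset list -terse` to check() in place of the constructed samples.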