Discussion:
[Dnsmasq-discuss] Support for adding CNAME query result to IPSET
e***@yahoo.com.hk
2018-08-26 07:48:36 UTC
Permalink
Hi, 
When running with the ipset configuration, e.g.
ipset=/example.com/whitelist

If the query result is a CNAME of a different domain, e.g.
example.com.                          300  IN  CNAME  d123456789abcdefg.cloudfront.net.
d123456789abcdefg.cloudfront.net.     60   IN  A      123.123.123.123
The IP address 123.123.123.123 would not be added to the IPSET. May I ask if it is possible to have dnsmasq add the final resolved IP into the ipset?
Thank you!
Simon Kelley
2018-09-03 22:39:28 UTC
Permalink
Are you sure? It seems to work for me.



***@holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d -p 10000 --log-queries --ipset=/www.comcast.com/test
dnsmasq: started, version 2.80test4 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect
inotify dumpfile
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 127.0.1.1#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] www.comcast.com from 127.0.0.1
dnsmasq: forwarded www.comcast.com to 127.0.1.1
dnsmasq: reply www.comcast.com is <CNAME>
dnsmasq: reply www.comcast.com.edgekey.net is <CNAME>
dnsmasq: ipset add test 2.22.99.93 e523.dscb.akamaiedge.net
dnsmasq: reply e523.dscb.akamaiedge.net is 2.22.99.93

Cheers,

Simon.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Wojtek Swiatek
2018-09-07 12:49:17 UTC
Permalink
I incidentally have the same problem (I started to tackle ipset today).
Taking your example:

***@srv ~# dnsmasq -d --log-queries --ipset=/vpnin.swtk.info/vpnin
dnsmasq: started, version 2.79 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6
no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCP, IP range 10.200.0.1 -- 10.200.0.230, lease time 10d
dnsmasq-dhcp: DHCP, IP range 10.10.10.1 -- 10.10.10.200, lease time 10d
dnsmasq-dhcp: DHCP, IP range 10.1.1.1 -- 10.1.1.100, lease time 10d
dnsmasq-dhcp: DHCP, IP range 10.100.20.1 -- 10.100.20.230, lease time 10d
dnsmasq-dhcp: DHCP, IP range 10.100.10.1 -- 10.100.10.230, lease time 10d
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: using nameserver 1.1.1.1#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] vpnin.swtk.info from 127.0.0.1
dnsmasq: DHCP vpnin.swtk.info is 10.200.0.2

the vpnin ipset is already created (and stays empty):

***@srv ~# ipset vpnin
ipset v6.34: No command specified: unknown argument vpnin
Try `ipset help' for more information.
***@srv ~# ipset list vpnin
Name: vpnin
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:


Cheers,
Wojtek
Simon Kelley
2018-09-08 13:45:36 UTC
Permalink
No, that's a different problem. Your target name "vpnin.swtk.info" is
coming from the DHCP subsystem, because you have a DHCP lease for a host
called "vpnin" and have set the domain to swtk.info.


It would be possible to fix this, and may even be sensible, but it's
not the same as the OP's problem with CNAMEs.

Given that when the result comes from DHCP, it's pretty much guaranteed
to be within the firewall, does it make sense to have such names checked
by the ipset system? Genuine question. I'm unsure what people are using
the ipsets facility for, so I don't know the answer.


Cheers,


Simon.
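The two logs in this thread differ in one line: Simon's query is forwarded upstream and produces an "ipset add", while Wojtek's is answered straight from the lease database ("DHCP vpnin.swtk.info is 10.200.0.2") and never reaches the ipset code. The function below is an added diagnostic, not part of the thread and not dnsmasq's own code: a POSIX sh/awk filter that reads --log-queries output and prints, per query, where dnsmasq got the answer and which ipset adds it logged. It matches both the "dnsmasq: " prefix of -d foreground mode and the "dnsmasq[pid]: " prefix syslog writes. The sample lines in sample_log are constructed from the two logs above.

```sh
#!/bin/sh
# Added example: classify dnsmasq --log-queries output per query.
# Usage:  diagnose_ipset_log < /var/log/dnsmasq.log
#         journalctl -u dnsmasq | diagnose_ipset_log
# Output, one line per query:  NAME source=<upstream|dhcp-lease|hosts-file|cache|unanswered> ipset=<SET=IP,...|none>
diagnose_ipset_log() {
    awk '
    function flush() {
        if (name != "")
            printf "%s source=%s ipset=%s\n", name, src, (sets == "" ? "none" : sets)
        name = ""
    }
    # "query[A] NAME from CLIENT" opens a new query record
    $0 ~ /query\[[A-Z]+\] / {
        flush()
        for (i = 1; i <= NF; i++)
            if ($i ~ /^query\[/) { name = $(i + 1); break }
        src = "unanswered"; sets = ""
        next
    }
    name == "" { next }                    # lines before the first query (startup banner)
    # name is used unescaped as a regex: its dots match any character, which is
    # harmless for a diagnostic but would need escaping for exact matching.
    $0 ~ ("forwarded " name " to ")     { src = "upstream" }
    $0 ~ (": DHCP " name " is ")        { src = "dhcp-lease" }   # lease database: ipset never consulted
    $0 ~ (": /etc/hosts " name " is ")  { src = "hosts-file" }
    $0 ~ (": cached " name " is ")      { src = "cache" }        # no ipset add is logged for cache hits
    $0 ~ /: ipset add / {
        for (i = 1; i <= NF; i++)
            if ($i == "add") { sets = (sets == "" ? "" : sets ",") $(i + 1) "=" $(i + 2); break }
    }
    END { flush() }
    '
}

# Constructed sample: the two logs from this thread, one after the other.
sample_log() {
    printf '%s\n' \
      'dnsmasq: started, version 2.80test4 cachesize 150' \
      'dnsmasq: query[A] www.comcast.com from 127.0.0.1' \
      'dnsmasq: forwarded www.comcast.com to 127.0.1.1' \
      'dnsmasq: reply www.comcast.com is <CNAME>' \
      'dnsmasq: reply www.comcast.com.edgekey.net is <CNAME>' \
      'dnsmasq: ipset add test 2.22.99.93 e523.dscb.akamaiedge.net' \
      'dnsmasq: reply e523.dscb.akamaiedge.net is 2.22.99.93' \
      'dnsmasq: query[A] vpnin.swtk.info from 127.0.0.1' \
      'dnsmasq: DHCP vpnin.swtk.info is 10.200.0.2'
}

# Stand-alone demonstration.
sample_log | diagnose_ipset_log
```

A query reported as source=dhcp-lease, hosts-file or cache with ipset=none is the situation Wojtek hit: the answer never came from upstream, so the --ipset matching did not run. Only source=upstream queries can populate a set.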
Wojtek Swiatek
2018-09-13 09:08:03 UTC
Permalink
Post by Simon Kelley
No, that's a different problem. Your target name "vpnin.swtk.info" is
coming from the DHCP subsystem, because you have a DHCP lease for a host
called "vpnin" and have set the domain to swtk.info.
It would be possible to fix this, and may even be sensible, but it's
not the same as the OP's problem with CNAMEs.
Given that when the result comes from DHCP, it's pretty much guaranteed
to be within the firewall, does it make sense to have such names checked
by the ipset system? Genuine question. I'm unsure what people are using
the ipsets facility for, so I don't know the answer.
The real added value of ipset for me is the capacity to configure my
firewall via names and not IPs.
This is extremely useful for DHCP hosts (all of my hosts - mobiles,
desktops, laptops and servers - are managed by dnsmasq's DHCP).

Having the capacity to update an ipset from within dnsmasq (as the lease
changes) would be great. The only alternative today is to
manually give some hosts an infinite lease.

Cheers,
Wojtek
Simon Kelley
2018-09-14 22:25:53 UTC
Permalink
Post by Wojtek Swiatek
Post by Simon Kelley
No, that's a different problem. Your target name "vpnin.swtk.info" is
coming from the DHCP subsystem, because you have a DHCP lease for a host
called "vpnin" and have set the domain to swtk.info.
It would be possible to fix this, and may even be sensible, but it's
not the same as the OP's problem with CNAMEs.
Given that when the result comes from DHCP, it's pretty much guaranteed
to be within the firewall, does it make sense to have such names checked
by the ipset system? Genuine question. I'm unsure what people are using
the ipsets facility for, so I don't know the answer.
The real added value of ipset for me is the capacity to configure my
firewall via names and not IPs.
This is extremely useful for DHCP hosts (all of my hosts - mobiles,
desktops, laptops and servers - are managed by dnsmasq's DHCP).
Having the capacity to update an ipset from within dnsmasq (as the lease
changes) would be great. The only alternative today is to
manually give some hosts an infinite lease.
Even making DHCP-derived names part of the existing ipset system doesn't
seem to be a good solution to this. The ipset only gets updated when a
DNS lookup happens, not when the lease is created, and there definitely
isn't a way to remove ipset entries at all, which you'd need as leases
change.

What's needed is a different system, to populate ipsets based on the
DHCP lease database, and the dhcp-script system gives you the tools to
do exactly that. Any change to the DHCP lease database runs a process
(as root) which has access to the IP address, hostname, MAC address, and
anything else you might need. A suitable script can be written that
directly manipulates the relevant ipsets in any way you might want.


Cheers,

Simon
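As an added example of the dhcp-script approach Simon describes (my code, not the thread's and not dnsmasq's), here is a POSIX sh script that mirrors lease events into ipsets. The add/old/del arguments, the "old" replay of existing leases at startup and the fact that the script runs as root are dnsmasq's documented dhcp-script behaviour; everything about the set layout is an assumption: every lease goes into dhcp-leases (dhcp-leases6 for DHCPv6), and a lease for a host called vpnin also goes into host-vpnin (host-vpnin6) when that set already exists. The script path and the IPSET override variable are mine as well.

```sh
#!/bin/sh
# Added example: keep ipsets in sync with the dnsmasq DHCP lease database.
#
# dnsmasq configuration (assumed path):
#   dhcp-script=/usr/local/sbin/lease-ipset.sh
# dnsmasq then runs, as root, on every lease change:
#   lease-ipset.sh add|old|del <mac-or-duid> <ip> [hostname]
# "old" is used for renewals and for every existing lease at startup, so the
# sets are rebuilt after a reboot; "init", "tftp" and "arp-*" events also
# reach the script and are ignored here.
#
# Assumed ipset layout (create these before starting dnsmasq; nothing is
# created on the fly):
#   ipset create dhcp-leases  hash:ip                # every IPv4 lease
#   ipset create dhcp-leases6 hash:ip family inet6   # every IPv6 lease
#   ipset create host-vpnin   hash:ip                # one set per host you
#                                                    # want to firewall by name

IPSET="${IPSET:-ipset}"            # overridable so the logic can be exercised without root
ALL_SET="${ALL_SET:-dhcp-leases}"

# Hostnames come from the DHCP client unless pinned with dhcp-host=, so they are
# untrusted input: keep only [A-Za-z0-9-] before using one as a set name.
# host_set_name HOSTNAME SUFFIX -> host-<sanitised>SUFFIX
host_set_name() {
    printf 'host-%s%s\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9-' '_')" "$2"
}

# set_exists NAME: true if an ipset of that name exists.
set_exists() {
    "$IPSET" list "$1" >/dev/null 2>&1
}

# sync_lease ACTION MAC IP [HOSTNAME]
sync_lease() {
    action="$1"; ip="$3"; host="${4:-}"
    case "$action" in
        add|old) verb=add ;;
        del)     verb=del ;;
        *)       return 0 ;;       # init, tftp, arp-add/arp-del: nothing to mirror
    esac
    case "$ip" in
        *:*) suffix=6 ;;           # DHCPv6 lease: use the inet6 sets
        *)   suffix=""  ;;
    esac
    # -exist makes renewals ("old") and repeated deletions idempotent.
    "$IPSET" "$verb" "${ALL_SET}${suffix}" "$ip" -exist
    if [ -n "$host" ]; then
        hs=$(host_set_name "$host" "$suffix")
        if set_exists "$hs"; then
            "$IPSET" "$verb" "$hs" "$ip" -exist
        fi
    fi
}

# Act as a dhcp-script when dnsmasq passes arguments; a bare invocation does nothing.
[ $# -eq 0 ] || sync_lease "$@"
```

Firewall rules then match on the sets, e.g. `iptables -A FORWARD -m set --match-set host-vpnin src -j ACCEPT`, which is the "configure by name, not IP" Wojtek asked for. Two caveats: the script runs as root, so keep it root-owned and not writable by anyone else; and for any name that grants firewall access, pin the name to the MAC with dhcp-host=, because otherwise a client can claim the hostname "vpnin" in its DHCP request and land in host-vpnin.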
