Discussion:
[Dnsmasq-discuss] Add IPs to BSD pf table from dnsmasq?
Chen Wei
2017-12-17 08:02:50 UTC
Ipset in dnsmasq is a very useful feature. The pf table in the BSD family is
similar to ipset in that it can hold a large number of IP addresses and lookups
are very fast. Is it possible to add the results of DNS lookups to a pf
table from dnsmasq?
--
Chen Wei
Simon Kelley
2017-12-18 19:21:37 UTC
Post by Chen Wei
Ipset in dnsmasq is a very useful feature. The pf table in the BSD family is
similar to ipset in that it can hold a large number of IP addresses and lookups
are very fast. Is it possible to add the results of DNS lookups to a pf
table from dnsmasq?
Yes, it is. pf tables are supported on BSD using the same --ipset
dnsmasq configuration option. Looking, there's no explicit
documentation about this, which is bad. It should at least be mentioned
in the man page, and any BSD-specific information required added. Not
knowing BSD, I'm not sure exactly what that might be.


cheers,

Simon.
Chen Wei
2017-12-19 01:38:50 UTC
Post by Simon Kelley
Post by Chen Wei
are very fast. Is it possible to add the results of DNS lookups to a pf
table from dnsmasq?
Yes, it is. pf tables are supported on BSD using the same --ipset
dnsmasq configuration option. Looking, there's no explicit
This is great. Thanks!
Post by Simon Kelley
documentation about this, which is bad. It should at least be mentioned
in the man page, and any BSD-specific information required added. Not
knowing BSD, I'm not sure exactly what that might be.
cheers,
Simon.
--
Chen Wei
Andrew White
2017-12-22 21:17:08 UTC
I've used it for a while on FreeBSD without issue, configured as per the
dnsmasq man page syntax.

I would add to the docs the risk that this feature can lead to a growing table
of IPs that never gets pruned or expired, which could lead to allowing more
IP addrs within a table over time than might be anticipated, i.e. you
could end up in a situation where the hostname of the endpoint moves IP, but your firewall
still allows traffic from the old IP; under some circumstances this is a
significant risk. I use the max-ttl feature of dnsmasq with the pf table
expire feature to prune the table every 15 mins. YMMV as the client using
this feature would need to support re-resolving IPs.

A
Post by Chen Wei
Post by Simon Kelley
Post by Chen Wei
are very fast. Is it possible to add the results of DNS lookups to a pf
table from dnsmasq?
Yes, it is. pf tables are supported on BSD using the same --ipset
dnsmasq configuration option. Looking, there's no explicit
This is great. Thanks!
Post by Simon Kelley
documentation about this, which is bad. It should at least be mentioned
in the man page, and any BSD-specific information required added. Not
knowing BSD, I'm not sure exactly what that might be.
cheers,
Simon.
--
Chen Wei
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
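The dnsmasq and pf pairing Andrew describes (table populated via --ipset, max-ttl capping what clients cache, a periodic pfctl expire), written out as an added example that is not code from the thread or from the dnsmasq project. The table name, domain, pass rule and the 900-second values are assumptions.

```shell
#!/bin/sh
# Assumed names: pf table "dnsmasq_allow", domain "update.example.com".
TABLE="dnsmasq_allow"
DOMAIN="update.example.com"
MAX_TTL=900      # dnsmasq max-ttl: clients must re-resolve within 15 minutes
EXPIRE_SECS=900  # pfctl -T expire: drop entries whose stats were cleared longer ago

# dnsmasq.conf fragment. On BSD the --ipset option names a pf table, and
# max-ttl caps the TTL handed to clients so they re-resolve (and re-populate
# the table) before the prune below removes an address.
dnsmasq_fragment() {
  printf 'ipset=/%s/%s\nmax-ttl=%s\n' "$DOMAIN" "$TABLE" "$MAX_TTL"
}

# pf.conf fragment. The table is declared "persist" so it exists (even while
# empty) before dnsmasq starts adding resolved addresses to it.
pf_fragment() {
  printf 'table <%s> persist\n' "$TABLE"
  printf 'pass out quick proto tcp to <%s> port 443\n' "$TABLE"
}

# crontab line: every 15 minutes remove entries older than EXPIRE_SECS, so an
# address the hostname no longer resolves to does not stay allowed forever.
cron_line() {
  printf '*/15 * * * * /sbin/pfctl -q -t %s -T expire %s\n' "$TABLE" "$EXPIRE_SECS"
}

# Sanity check (args: max_ttl expire_secs). If pf prunes sooner than clients
# are allowed to cache, a client can still be talking to an address the table
# has already dropped and get blocked. Returns 0 when the values are aligned.
check_alignment() {
  [ "$2" -ge "$1" ]
}

# Emit the three fragments for review; install them by hand.
dnsmasq_fragment
pf_fragment
cron_line
check_alignment "$MAX_TTL" "$EXPIRE_SECS" || echo "warning: expire shorter than max-ttl" >&2
```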
Chen Wei
2018-01-01 11:31:49 UTC
Post by Andrew White
I've used it for a while on FreeBSD without issue, configured as per the
dnsmasq man page syntax.
Thanks for the max-ttl tip. I have used it on pfSense (based on FreeBSD)
for several days now. No issue!
Post by Andrew White
I would add to the docs the risk that this feature can lead to a growing table
of IPs that never gets pruned or expired, which could lead to allowing more
IP addrs within a table over time than might be anticipated, i.e. you
could end up in a situation where the hostname of the endpoint moves IP, but your firewall
still allows traffic from the old IP; under some circumstances this is a
significant risk. I use the max-ttl feature of dnsmasq with the pf table
expire feature to prune the table every 15 mins. YMMV as the client using
this feature would need to support re-resolving IPs.
Post by Simon Kelley
Post by Chen Wei
are very fast. Is it possible to add the results of DNS lookups to a pf
table from dnsmasq?
Yes, it is. pf tables are supported on BSD using the same --ipset
dnsmasq configuration option. Looking, there's no explicit
--
Chen Wei