On 14/02/13 18:50, Jason A. Donenfeld wrote:
> Hi Simon & Crew,
>
> Services like YouTube and Netflix use tons of ranges of IP addresses
> that fluctuate wildly and aren't predictable. However, they're always
> from a given subdomain using DNS, like *.c.youtube.com. I'd like to
> have firewall rules for these IP addresses -- route them over this
> interface, that interface, rate limit them like this, or that, etc. An
> efficient way to do this is by adding IP addresses to a netfilter
> ipset and using iptables' ipset match support. With services that use
> lots of IPs spread out over ranges but instead use DNS, the only way
> to do this is to have the DNS forwarder add the resolved IPs to an
> ipset before returning the IP to the client.
>
> I've written ipset-dns, a super trivial DNS forwarder that's meant to
> be plugged into dnsmasq's server=/.../ directive.
>
> http://git.zx2c4.com/ipset-dns/about/
>
> But forwarding one forwarder to another forwarder is ugly, and ideally
> this functionality would just be plugged directly into dnsmasq:
>
> dnsmasq.conf:
>
> ipset=/c.youtube.com/netflix.com/vpnset
>
> This would add all the IPs returned for those queries to the provided
> ipset (vpnset in this case).
>
> Is there much interest in this feature? Is it something you'd consider adding?
>

It looks like the extra code is quite small, so I'd certainly consider
it. Do you take account of the time-to-live of DNS records, or are
ipsets create-only?

Simon.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
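The core of what the thread describes (a forwarder that inspects each DNS answer and pushes the returned addresses into a netfilter ipset) is small enough to sketch. The Python below is an added illustration written for this page; it is neither ipset-dns nor dnsmasq code, and its function names (`parse_name`, `a_records`, `ipset_commands`, `build_response`), the `MIN_TIMEOUT` floor and the sample response it constructs are all assumptions of the example. It parses the answer section of a real-format DNS response, matches the question name against a domain-to-set map that mirrors the proposed `ipset=/c.youtube.com/netflix.com/vpnset` line, and answers Simon's question by emitting `ipset add ... timeout <TTL>` commands, so entries expire with the record instead of being create-only.

```python
import struct
import ipaddress

# Floor for the ipset entry timeout, in seconds (assumption of this example):
# very short TTLs would otherwise evict an entry before the client's flow starts.
MIN_TIMEOUT = 60


def parse_name(msg, offset):
    """Decode a possibly-compressed DNS name at `offset`; return (name, offset_after_name)."""
    labels = []
    jumped = False
    next_off = offset
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_off = offset + 2  # the name ends right after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        next_off = offset
    return ".".join(labels), next_off


def question_name(response):
    """Name from the first question; the header is 12 bytes."""
    name, _ = parse_name(response, 12)
    return name


def a_records(response):
    """Return [(owner, ipv4, ttl)] for every IN A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = parse_name(response, off)
        off += 4  # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        owner, off = parse_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((owner, str(ipaddress.IPv4Address(rdata)), ttl))
    return out


def matches(qname, domain):
    """dnsmasq-style /domain/ match: the domain itself or any name under it."""
    qname = qname.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def ipset_commands(response, ipset_map):
    """ipset_map maps a set name to the domains routed into it, e.g.
    {"vpnset": ["c.youtube.com", "netflix.com"]}.  Returns the ipset commands
    to run before the answer is handed back to the client.  The entry timeout
    tracks the record TTL (with MIN_TIMEOUT as a floor) and -exist refreshes the
    timeout of an address that is already in the set."""
    qname = question_name(response)
    cmds = []
    for setname, domains in ipset_map.items():
        if not any(matches(qname, d) for d in domains):
            continue
        for _, ip, ttl in a_records(response):
            cmds.append(f"ipset add {setname} {ip} timeout {max(ttl, MIN_TIMEOUT)} -exist")
    return cmds


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed test input: a standard response with one question and the
    given (ipv4, ttl) A records, whose owner is a pointer back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for ip, ttl in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + body


if __name__ == "__main__":
    # Constructed sample: documentation addresses, not real Netflix records.
    resp = build_response("www.netflix.com", [("198.51.100.10", 30), ("198.51.100.11", 300)])
    for cmd in ipset_commands(resp, {"vpnset": ["c.youtube.com", "netflix.com"]}):
        print(cmd)
```

The commands only make sense against a set created with a timeout-capable type, e.g. `ipset create vpnset hash:ip timeout 0`, which is then consumed by a rule such as `iptables -A FORWARD -m set --match-set vpnset dst -j MARK --set-mark 1` for policy routing. In a real forwarder the `ipset` calls would go through the kernel netlink interface rather than by spawning a process per answer, and AAAA records would need a second `hash:ip family inet6` set; both are left out here to keep the example to the TTL point.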