On Sat, 8 Sep 2018 at 15:45, Simon Kelley <si...@thekelleys.org.uk> wrote:

> No, that's a different problem. Your target name "vpnin.swtk.info" is
> coming from the DHCP subsystem, because you have a DHCP lease for a host
> called "vpnin" and have set the domain to swtk.info.
>
>
> It would be possible to fix this, and maybe even sensible, but it's
> not the same as the OP's problem with CNAMEs.
>
> Given that when the result comes from DHCP, it's pretty much guaranteed
> to be within the firewall, does it make sense to have such names checked
> by the ipset system? Genuine question. I'm unsure what people are using
> the ipsets facility for, so I don't know the answer.
>

The real added value of ipset for me is the capacity to configure my
firewall via names and not IPs.
This is extremely useful for DHCP hosts (all of my hosts - mobiles,
desktops, laptops and servers - are managed by dnsmasq's DHCP).

Having the capacity to update an ipset from within dnsmasq (as the lease
changes) would be great. The only alternative today is to
manually set an infinite lease for some hosts.

Cheers,
Wojtek
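The wish above, having dnsmasq keep an ipset in step with DHCP leases, can be met today with dnsmasq's existing --dhcp-script lease-change hook, which is run with the arguments add|old|del, the client MAC, the leased IP and (when known) the hostname. The script below is an added example written for this page, not code from the thread or from the dnsmasq project; the HOST_SETS mapping, the set name "vpnin" and the IPSET override variable are assumptions chosen to match the setup described in the thread.

```shell
#!/bin/sh
# Lease-change hook for dnsmasq's --dhcp-script option (added example, not from
# the thread). dnsmasq runs it as:  <script> add|old|del <mac> <ip> [hostname]
# so a lease for host "vpnin" keeps the "vpnin" ipset in sync with its address.
#
# HOST_SETS lists "hostname:setname" pairs (constructed mapping for this example);
# IPSET is the ipset binary, overridable so the logic can be exercised without root.
HOST_SETS="${HOST_SETS:-vpnin:vpnin}"
IPSET="${IPSET:-ipset}"

# set_for_host <hostname>: print the set that tracks this host, or fail if none.
set_for_host() {
    [ -n "$1" ] || return 1
    for pair in $HOST_SETS; do
        case "$pair" in
            "$1":*) printf '%s\n' "${pair#*:}"; return 0 ;;
        esac
    done
    return 1
}

# ipset_args <action> <ip> <hostname>: print the ipset arguments for this lease
# event, or fail (print nothing) when the host is not tracked or the event is
# unknown. "old" is dnsmasq's lease-restored/renewed event and is treated like
# "add"; -exist makes add/del idempotent, so repeated events never error out.
ipset_args() {
    _set=$(set_for_host "$3") || return 1
    case "$1" in
        add|old) printf 'add %s %s -exist\n' "$_set" "$2" ;;
        del)     printf 'del %s %s -exist\n' "$_set" "$2" ;;
        *)       return 1 ;;
    esac
}

main() {
    # Untracked host or unknown event: nothing to do, exit quietly.
    _args=$(ipset_args "$1" "$3" "${4:-}") || exit 0
    # shellcheck disable=SC2086  # splitting the prepared argument list is intended
    $IPSET $_args
}

# dnsmasq always passes at least action, MAC and IP; do nothing when sourced without them.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Wire it in with `dhcp-script=/usr/local/sbin/lease-ipset.sh` (path assumed) in dnsmasq.conf. The set must already exist, as it does in the thread (`ipset list vpnin` shows a `hash:ip` set of family `inet`), and the hook runs with whatever privileges dnsmasq gives its script, so manipulating ipsets needs CAP_NET_ADMIN. A `family inet` set rejects DHCPv6 addresses; if dnsmasq also hands out IPv6 leases, either skip those events or map them to a separate `family inet6` set.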
> On 07/09/18 13:49, Wojtek Swiatek wrote:
> > I incidentally have the same problem (I started to tackle ipset today).
> > Taking your example:
> >
> > root@srv ~# dnsmasq -d --log-queries --ipset=/vpnin.swtk.info/vpnin
> > dnsmasq: started, version 2.79 cachesize 150
> > dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6
> > no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > dnsmasq-dhcp: DHCP, IP range 10.200.0.1 -- 10.200.0.230, lease time 10d
> > dnsmasq-dhcp: DHCP, IP range 10.10.10.1 -- 10.10.10.200, lease time 10d
> > dnsmasq-dhcp: DHCP, IP range 10.1.1.1 -- 10.1.1.100, lease time 10d
> > dnsmasq-dhcp: DHCP, IP range 10.100.20.1 -- 10.100.20.230, lease time 10d
> > dnsmasq-dhcp: DHCP, IP range 10.100.10.1 -- 10.100.10.230, lease time 10d
> > dnsmasq: using nameserver 8.8.4.4#53
> > dnsmasq: using nameserver 1.1.1.1#53
> > dnsmasq: read /etc/hosts - 8 addresses
> > dnsmasq: query[A] vpnin.swtk.info from 127.0.0.1
> > dnsmasq: DHCP vpnin.swtk.info is 10.200.0.2
> >
> > the vpnin ipset is already created (and stays empty):
> >
> > root@srv ~# ipset vpnin
> > ipset v6.34: No command specified: unknown argument vpnin
> > Try `ipset help' for more information.
> > root@srv ~# ipset list vpnin
> > Name: vpnin
> > Type: hash:ip
> > Revision: 4
> > Header: family inet hashsize 1024 maxelem 65536
> > Size in memory: 88
> > References: 0
> > Number of entries: 0
> > Members:
> >
> >
> > Cheers,
> > Wojtek
> >
> >
> > On Tue, 4 Sep 2018 at 01:21, Simon Kelley <si...@thekelleys.org.uk> wrote:
> >
> >     Are you sure? It seems to work for me.
> >
> >
> >
> >     srk@holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d -p 10000 --log-queries --ipset=/www.comcast.com/test
> >     dnsmasq: started, version 2.80test4 cachesize 150
> >     dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
> >     DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect
> >     inotify dumpfile
> >     dnsmasq: reading /etc/resolv.conf
> >     dnsmasq: using nameserver 127.0.1.1#53
> >     dnsmasq: read /etc/hosts - 8 addresses
> >     dnsmasq: query[A] www.comcast.com from 127.0.0.1
> >     dnsmasq: forwarded www.comcast.com to 127.0.1.1
> >     dnsmasq: reply www.comcast.com is <CNAME>
> >     dnsmasq: reply www.comcast.com.edgekey.net is <CNAME>
> >     dnsmasq: ipset add test 2.22.99.93 e523.dscb.akamaiedge.net
> >     dnsmasq: reply e523.dscb.akamaiedge.net is 2.22.99.93
> >
> >     Cheers,
> >
> >     Simon.
> >
> >
> >     On 26/08/18 08:48, esinpublic-2...@yahoo.com.hk wrote:
> >     > Hi,
> >     >
> >     > When running with the ipset configuration, e.g.
> >     >
> >     > ipset=/example.com/whitelist
> >     >
> >     >
> >     > If the query result is a CNAME of a different domain, e.g.
> >     >
> >     > example.com.                        300  IN  CNAME  d123456789abcdefg.cloudfront.net.
> >     > d123456789abcdefg.cloudfront.net.   60   IN  A      123.123.123.123
> >     >
> >     > The IP address 123.123.123.123 would not be added to the IPSET. May I
> >     > ask if it is possible to have dnsmasq add the final resolved IP into
> >     > the ipset?
> >     >
> >     > Thank you!
> >     >
> >     >
> >     > _______________________________________________
> >     > Dnsmasq-discuss mailing list
> >     > Dnsmasq-discuss@lists.thekelleys.org.uk
> >     > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >     >
> >
> >
> >
>
>
