On 13/09/18 10:08, Wojtek Swiatek wrote:
> On Sat, 8 Sept 2018 at 15:45, Simon Kelley <si...@thekelleys.org.uk>
> wrote:
>     No, that's a different problem. Your target name "vpnin.swtk.info" is
>     coming from the DHCP subsystem, because you have a DHCP lease for a host
>     called "vpnin" and have set the domain to swtk.info.
>     It would be possible to fix this, and maybe even sensible, but it's
>     not the same as the OP's problem with CNAMEs.
>     Given that when the result comes from DHCP, it's pretty much guaranteed
>     to be within the firewall, does it make sense to have such names checked
>     by the ipset system? Genuine question. I'm unsure what people are using
>     the ipsets facility for, so I don't know the answer.
> The real added value of ipset for me is the capacity to configure my
> firewall via names and not IPs. 
> This is extremely useful for DHCP hosts (all of my hosts - mobiles,
> desktops, laptops and servers - are managed by dnsmasq's DHCP).
> Having the capacity to update an ipset from within dnsmasq (as the lease
> changes) would be great. The only alternative today is to 
> manually set some hosts as infinite lease.

Even making DHCP-derived names part of the existing ipset system doesn't
seem to be a good solution to this. The ipset only gets updated when a
DNS lookup happens, not when the lease is created, and there definitely
isn't a way to remove ipset entries at all, which you'd need as leases

What's needed is a different system, to populate ipsets based on the
DHCP lease database, and the dhcp-script system gives you the tools to
do exactly that. Any change to the DHCP lease database runs a process
(as root) which has access to the IP address, hostname, MAC address, and
anything else you might need. A suitable script can be written that
directly manipulates the relevant ipsets in any way you might want.
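
A sketch of such a dhcp-script hook, added here as an example (it is not from this message or from dnsmasq itself). It assumes one hash:ip set per DHCP hostname named with a hypothetical "host_" prefix, IPv4 leases only, and the documented script arguments (action, MAC, IP, hostname); the hostname is client-supplied and the script runs as root, so it is validated before use.

```sh
#!/bin/sh
# Added example: dhcp-script hook keeping one ipset per DHCP hostname in step
# with the lease database, so firewall rules can match on the set name.
# dnsmasq runs it as root with arguments: <add|old|del> <mac> <ip> [hostname]

IPSET="${IPSET:-ipset}"     # binary to call; override for a dry run
PREFIX="host_"              # assumed naming convention for per-host sets

# Print the set name for a hostname, or fail if the name is unusable.
set_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;   # client-supplied: letters, digits, - _ only
    esac
    name="$PREFIX$1"
    [ "${#name}" -le 31 ] || return 1      # ipset set names are limited to 31 chars
    printf '%s\n' "$name"
}

# Print the "ipset restore" lines for one lease event (nothing if not applicable).
lease_commands() {
    action=$1 ip=$3 host=$4
    case "$ip" in ""|*[!0-9.]*) return 0 ;; esac   # IPv4 only; skip DHCPv6 leases
    sname=$(set_name "$host") || return 0          # no usable hostname: nothing to do
    case "$action" in
        add|old)   # lease created, changed, or replayed when dnsmasq starts
            printf 'create %s hash:ip\nflush %s\nadd %s %s\n' \
                "$sname" "$sname" "$sname" "$ip" ;;
        del)       # lease expired or released: drop only this address
            printf 'create %s hash:ip\ndel %s %s\n' "$sname" "$sname" "$ip" ;;
    esac           # any other action (e.g. tftp) is ignored
}

# Entry point when dnsmasq invokes the script with arguments.
if [ "$#" -ge 3 ]; then
    cmds=$(lease_commands "$@")
    if [ -n "$cmds" ]; then
        # -exist: tolerate an existing set, a duplicate add or a missing entry
        printf '%s\n' "$cmds" | "$IPSET" -exist restore
    fi
fi
```

The sets are emptied rather than destroyed on lease removal, so firewall rules that reference them by name stay loadable.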
