Hello,

ipset feature is working very well on dnsmasq. But it needs some fine tuning I think.



> 1) The user adds a domain to the ipset (in dnsmasq config). If the
> domain is already cached on the client, IPs won't actually be added to
> the ipset (at least until the cache entry expires).


That is true. However, I do not see another solution. You can't control client behavior. They can use another DNS server (and/or DoH to bypass firewall redirections). If you want an instant deployment, you must force dnsmasq to resolve the DNS entries that you add (very hard if it's a wildcard, of course). Or you can wait a little bit.


> 2) The user removes a domain from the ipset in dnsmasq config.
> Domain's IPs won't actually be removed from the ipset ever (until the
> user reboots the router, or something else flushes the ipset)


You probably should use the "timeout" ipset option when creating your ipset. We are using the dnsmasq ipset option on several thousand hosts and we configure it like this:

* always create the ipset with the timeout option. The timeout value for IP entries will be refreshed at each dnsmasq DNS resolution
* use the max-cache-ttl dnsmasq option. You don't want to cache DNS entries longer than the timeout specified above.


> Should I maybe try to extend ipset-dns [1] instead of
> dnsmasq?
>
> [1] https://git.zx2c4.com/ipset-dns/

ipset-dns has the same features (and limitations) as the dnsmasq ipset option, with a more complex architecture.

Best regards,

--
Florent Fourcot

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
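The two settings Florent describes (an ipset created with a timeout, and a dnsmasq max-cache-ttl no longer than that timeout) are easy to get out of step when they live in two different files. The script below is an added example, not Florent's configuration or anything from the dnsmasq project: it renders the ipset create command and a matching dnsmasq config fragment from one timeout value, and checks the invariant that max-cache-ttl does not exceed the ipset timeout (if it did, a client could keep using a cached answer after the set entry had already expired, reproducing problem 1 in reverse). The set name, domains and timeout values are constructed sample values; the dnsmasq directives used (`ipset=/domain/setname`, `max-cache-ttl=`) and the `ipset create ... timeout` option are the real ones.

```shell
#!/bin/sh
# Added example: keep the ipset timeout and dnsmasq's max-cache-ttl consistent.
# Set name, domains and numbers below are constructed sample values.

# Print the ipset create command. The "timeout" option makes every entry
# expire unless refreshed; dnsmasq refreshes it on each resolution it adds.
render_ipset_create() {
    # $1 = set name, $2 = timeout in seconds
    printf 'ipset create %s hash:ip family inet timeout %s\n' "$1" "$2"
}

# Print a dnsmasq config fragment: a max-cache-ttl line followed by one
# ipset= line per domain (dnsmasq also accepts several domains in one line).
render_dnsmasq_conf() {
    # $1 = set name, $2 = max-cache-ttl in seconds, remaining args = domains
    set_name=$1; ttl=$2; shift 2
    printf 'max-cache-ttl=%s\n' "$ttl"
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$set_name"
    done
}

# Return 0 when the cache TTL is consistent with the ipset timeout:
# both positive, and the TTL not larger than the timeout.
check_ttl_vs_timeout() {
    # $1 = max-cache-ttl, $2 = ipset timeout
    [ "$1" -gt 0 ] 2>/dev/null && [ "$2" -gt 0 ] 2>/dev/null && [ "$1" -le "$2" ]
}

# Validate a rendered dnsmasq fragment against an ipset timeout: pull the
# max-cache-ttl value out of the text and apply the check above.
check_conf_text() {
    # $1 = dnsmasq config text, $2 = ipset timeout
    ttl=$(printf '%s\n' "$1" | sed -n 's/^max-cache-ttl=//p' | head -n 1)
    [ -n "$ttl" ] || return 1
    check_ttl_vs_timeout "$ttl" "$2"
}

main() {
    SET=blocked_hosts      # constructed set name
    TIMEOUT=300            # seconds an unrefreshed entry stays in the set
    TTL=300                # dnsmasq max-cache-ttl, must be <= TIMEOUT
    conf=$(render_dnsmasq_conf "$SET" "$TTL" example.com example.net)
    render_ipset_create "$SET" "$TIMEOUT"
    printf '%s\n' "$conf"
    if check_conf_text "$conf" "$TIMEOUT"; then
        echo "ok: max-cache-ttl=$TTL <= ipset timeout $TIMEOUT"
    else
        echo "error: max-cache-ttl exceeds ipset timeout" >&2
        return 1
    fi
}

main "$@"
```

Run it as root (or pipe the first line into `sh`) to create the set, and drop the remaining lines into a file under `/etc/dnsmasq.d/`. `ipset list blocked_hosts` then shows each entry with its remaining timeout, which is the easiest way to confirm that dnsmasq is refreshing entries on resolution and that removed domains age out on their own.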
