[Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Hartmut Krafft
Hi Joachim, there's already a way to connect iptables and dnsmasq: look at the ipset feature, it is limited in what it can filter, but otherwise might help you there. Best, Hartmut Hi. A use case for my router would be: Block every outgoing traffic except for that going to the domain

Re: [Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Joachim Zobel
Just learned about the dnsmasq ipset option. That is really cool. Thanks, Joachim ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Hartmut Krafft
man dnsmasq /ipset :-) Hartmut A way to maintain ipsets via dnsmasq would for example do what I need. Sincerely, Joachim

[Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Joachim Zobel
Hi. A use case for my router would be: Block every outgoing traffic except for that going to the domain whatsapp.net. Note: No way to do this by port, whatsapp is using http(s). Since there is no way to list the hosts in a domain this would require a way for dnsmasq to talk to iptables. Any

Re: [Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Joachim Zobel
A way to maintain ipsets via dnsmasq would for example do what I need. Sincerely, Joachim

[Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Maciej Soltysiak
Hi, One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on. I replicated the issue with most recent openwrt Chaos Calmer package: dnsmasq-full. When dnssec and trust anchor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS

Re: [Dnsmasq-discuss] Integration with iptables?

2015-06-12 Thread Simon Kelley
On 12/06/15 08:17, Joachim Zobel wrote: A way to maintain ipsets via dnsmasq would for example do what I need. It's there already. Are you using the latest release? Look for --ipset in the man page. Simon.

Re: [Dnsmasq-discuss] Serving DHCP requests from a subnet not matching the interface

2015-06-12 Thread Neil Jerram
Hi Johannes, Sorry, I've only just noticed this... On 03/06/15 06:52, Johannes Martin wrote: Hi, I have the following network setup: - eth0: 192.168.1.254/24 - br0: 192.168.10.254/24 bridging virtual interfaces eth0.10 and wlan0.10 (plain virtual interfaces, no vlan tagging) I have

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Maciej Soltysiak
I think I have discovered what the problem is and it's unlikely to be dnsmasq. What I do is that I have a setup which is basically a split horizon: - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone - users who are on the service get *a different* A

Re: [Dnsmasq-discuss] DNSSEC failure with v2.73rc10

2015-06-12 Thread Simon Kelley
Thanks Toke, finding these failure cases and fixing them, one at a time, is very necessary, but somewhat gruelling. In this case, database.srku.dk. is a CNAME for database.studenterraad.dk. and that's a CNAME for web21.sd.eurovps.com. The two CNAME domains are signed, but the eurovps.com isn't.

Re: [Dnsmasq-discuss] local-service feature doesn't detect new/changed interfaces/networks

2015-06-12 Thread Simon Kelley
Current versions of dnsmasq have an alternative to --bind-interfaces, called --bind-dynamic, which should solve this problem, I think. --bind-dynamic Enable a network mode which is a hybrid between --bind-interfaces and the default. Dnsmasq binds the address of

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-12 Thread Simon Kelley
On 12/06/15 12:16, Maciej Soltysiak wrote: I think I have discovered what the problem is and it's unlikely to be dnsmasq. What I do is that I have a setup which is basically a split horizon: - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone -