Hello all,
I'm trying to create a second DNS instance to be used on a specific network, that should not be able to resolve anything but a whitelist of domains.
Well, I'm stuck far from my target.
I tried creating the two instances in this way:
the first instance should receive requests from all interfaces but IOT (so I did not put an interface option, just a notinterface IOT)
the second one receives from only IOT, so I just excluded "lo", and added the option noresolv
problems:
I can no longer resolve local names without local domain
only one local domain works (lan, not iot)
I'm not even sure that the second instance works (how can I?), given that clients on the IOT network can still resolve hosts, and they also seem to read the adblock list of domains. But logread shows no errors.
As you can see, I still haven't tried to whitelist any domains.
Edit: ok, I found out that the interface name IS case sensitive. Now it seems I can get the two instances to work, but I can't understand why the "noresolv" option does not work.
I expected the DNS server to resolve only local hosts, am I wrong?
Ok, it seems the option noresolv is not taking me to any result.
So I just gave a different config file where all is blacklisted and only good domains are whitelisted, and it seems to work.
Now I'd like to use the allowed domains to create firewall rules, I think it should be done with https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset am I right? @vgaetera it seems to me you wrote the help page, but I installed the ipset-dns package and I can't see anything in Network > Firewall > Traffic Rules to manage it, can you give me any hint? Thanks
only full has ipset support (afaik, but the ipset-dns method may be/likely is different to what I posted above, which is designed for use with the upstream server directive)...
yes... binaries are safely interchangeable if you have space
sorry, I can't get this
I'm already using the confdir to provide my second DNS instance with the whitelist of allowed domains, but how can this list end up inside an ipset list that - it seems? - has a different format?
my whitelist has this format:
yes... in the method I've shown you can use your existing confdir/file... and masq will populate those ipsets for you for use in firewall rules... maybe hold off on that method until you've tried ipset-dns first...
the ipset-dns method I suspect is for 'whitelisting' within the masq DNS response process... go with that probably if you want control over things at the resolution phase... the fundamentals are similar...
[root@dca632 /usbstick 45°]# opkg list | grep ipset-dns
ipset-dns - 2017-10-08-ade2cf88-1 - The ipset-dns daemon is a lightweight DNS forwarding server that adds all resolved IPs to a given netfilter ipset. It is designed to be used in conjunction with dnsmasq's upstream server directive. Practical use cases include routing over a given gateway traffic for particular web services or webpages that do not have a priori predictable IP addresses and instead rely on dizzying arrays of DNS resolutions.
still overestimating me, but I appreciate it a lot since this is interesting
so in the dhcp config file I can leave the confdir with my specific whitelist, but do I need to also add a list ipset something? or how can I get dnsmasq to create the list?
and (sorry) where the hell do I find the ipset list in the firewall LuCI interface?
with this method, is dnsmasq also creating the list (so, resolving all domains) at startup?
one more thanks
sure, but in this case I'd need to create an accept firewall rule allowing clients to widely access wan.
Now I'm quite satisfied by the DNS resolving behaviour (I get IP addresses only for whitelisted domains), and I'd like to create firewall rules to allow access only to the whitelisted domains.
Can I do that with dns-ipset? (or with the method @anon50098793 described)
I think so, isn't it?
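As an added example (not from this thread, nor OpenWrt's or dnsmasq's own code), here is a small POSIX shell generator that ties the two questions above together: it turns a one-domain-per-line confdir whitelist into a dnsmasq fragment that refuses everything via local=/#/ and, for the listed domains only, forwards upstream and feeds the answers into an ipset the firewall can match. The set name iot_allow, the upstream 9.9.9.9 and the whitelist contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: build a dnsmasq fragment for a whitelist-only second instance
# (needs the dnsmasq-full build; the plain dnsmasq package lacks ipset support).
# Assumptions (constructed): set name "iot_allow", upstream 9.9.9.9 and the
# whitelist file written by demo_whitelist below.
gen_whitelist_conf() {
    wl="$1"; setname="$2"; upstream="$3"
    # noresolv only stops dnsmasq reading /etc/resolv.conf; it blocks nothing.
    # local=/#/ is what refuses: "#" matches every domain, so a name without
    # a more specific server= line is answered from /etc/hosts and DHCP leases
    # only, and otherwise gets NXDOMAIN instead of being forwarded.
    printf 'noresolv\nlocal=/#/\n'
    # Strip comment lines, surrounding whitespace and blank lines.
    grep -v '^[[:space:]]*#' "$wl" | sed 's/[[:space:]]//g' | grep -v '^$' |
    while read -r d; do
        # Whitelisted domain (and its subdomains): forward to the upstream...
        printf 'server=/%s/%s\n' "$d" "$upstream"
        # ...and add every address in the reply to the ipset. The firewall
        # matches on that set (fw3: a "config ipset" section with
        # "option name iot_allow" and "option match dest_ip", then a rule with
        # "option ipset iot_allow"); the set must exist before dnsmasq starts.
        printf 'ipset=/%s/%s\n' "$d" "$setname"
    done
}

# Stand-alone demo with a constructed whitelist file.
demo_whitelist() {
    tmp=$(mktemp)
    printf '# constructed whitelist\nexample.com\n\n  ntp.org \n' > "$tmp"
    gen_whitelist_conf "$tmp" iot_allow 9.9.9.9
    rm -f "$tmp"
}
demo_whitelist
```

Addresses enter the set only when a client resolves the name through this instance (not at startup, and the set starts empty again after a reboot), so the IOT firewall zone should also block other resolvers and raw-IP traffic for the whitelist to hold.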