I have a list of domain names whose IPs I want to block.
There's a great entry in the documentation about this.
I have a few questions regarding it:
1. dnsmasq --ipset
It suggests using ipset-dns and dnsmasq. However, the ipset-dns documentation seems to suggest not using the project anymore, but instead using dnsmasq with the --ipset option:
"This functionality has now been written directly into dnsmasq, which should be much easier to use than this project. See the --ipset option."
I think it's generally better to use fewer tools, especially if the developer suggests it. Can anyone comment on whether the dnsmasq --ipset option is as reliable on OpenWrt as ipset-dns?
2. DNS hijacking
The documentation suggests doing DNS hijacking (in the introduction). I want to avoid doing this, as DNS hijacking (and any form of DNS filtering) is notoriously easy to bypass by the client. If I perform a domain pre-resolution (run through my list of domain names to block, and populate their IPs into an ipset), is it reasonable to not do any DNS hijacking?
I am guessing there is an issue of the IPs associated with FQDNs being changed every now and then. Can this be solved without DNS hijacking? Maybe if I have a domain pre-resolution performed on a cron job? If that is a reasonable solution, is there a way to know how often I should run this?
3. race condition
There are commands to "Resolve race conditions for ipset-dns". I think I can guess what's going on, but can anyone explain, so that I am sure?
Thanks!
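The "domain pre-resolution on a cron job" idea from question 2, as an added example (not code from the OpenWrt documentation or from the original post): it resolves a list of domains with `dig`, loads the returned A records into an ipset, and prints the smallest TTL seen, which is the longest you can wait before the cached addresses may be stale. The set name `blocklist`, the `refresh_blocklist` function and the sample answer lines in the comments are assumptions; only IPv4 A records are handled, and CNAME links in the chain are skipped.

```shell
#!/bin/sh
# Added example: pre-resolve a block list into an ipset and derive a refresh
# interval from DNS TTLs. Assumes `dig` (bind-dig on OpenWrt) and `ipset` are
# installed; the set name and the domain list are hypothetical.

IPSET_NAME="blocklist"

# Convert resolver answer lines into "ipset add" commands.
# Input is the answer section as printed by `dig +noall +answer`, i.e. one
# record per line: name TTL class type rdata. Only A records are emitted;
# `-exist` makes re-adding an address that is already in the set a no-op.
gen_ipset_cmds() {
    awk -v set="$1" '$4 == "A" { printf "ipset add %s %s -exist\n", set, $5 }'
}

# Smallest TTL across the A records. Past that many seconds the resolver may
# hand out different addresses, so it bounds how often the cron job must run.
min_ttl() {
    awk '$4 == "A" { if (min == "" || $2 < min) min = $2 }
         END { if (min != "") print min }'
}

# Resolve one name to its A records; prints nothing if dig is not installed.
resolve() {
    command -v dig >/dev/null 2>&1 || return 0
    dig +noall +answer "$1" A
}

# Resolve every domain given as an argument, fill the ipset, print the min TTL.
# Constructed sample of what the answers look like (not real lookups):
#   example.test.  300  IN  A      192.0.2.10
#   example.test.   60  IN  A      192.0.2.12
refresh_blocklist() {
    answers=$(for d in "$@"; do resolve "$d"; done)
    ipset create "$IPSET_NAME" hash:ip -exist
    printf '%s\n' "$answers" | gen_ipset_cmds "$IPSET_NAME" | sh
    printf '%s\n' "$answers" | min_ttl
}

# Usage from cron, e.g. every 5 minutes, with a hypothetical domain list:
#   */5 * * * * /root/refresh_blocklist.sh
# and in the script: refresh_blocklist example.test ads.example.test
```

The firewall rule that actually drops traffic to the set (an iptables or nftables rule matching `blocklist`) is separate and not shown; the value printed by `refresh_blocklist` is the TTL-derived answer to "how often should I run this" for that particular list, since a short TTL means the addresses can legitimately rotate faster than a fixed cron interval.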