Issue with IPSET DNS upon reboot or start of router

Hi,

This https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset has really helped me a lot and I've got around 100+ domains being blocked (for parental control).

But my issue is when I reboot or boot-up due to power loss, the router seems to hang and based on investigation this is the culprit: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#preresolve_domains

After more testing, having just around 5 domains is OK during boot, but with 20 or more domains the boot-up seems to hang.

It seems that by the time the firewall is being started, my WAN is still not up, and since the script tries to resolve the domains via nslookup, this is where it looks like it hangs. Based on testing, if there is no network, it takes nslookup around 5 secs before it fails.

So "5 secs x 100 domains" means it will take 500 secs before the script stops and lets the router continue its boot-up.

I hope somebody can help me with this...

2 Likes

There are quite a few issues for IP level content filtering that relies on DNS:

  1. Frequent writing on flash can exhaust its resource.
    Runtime configs are stored in tmpfs/RAM that is lost on device restart.

  2. Clients can use their own DNS cache at the level of browser/OS.
    Once they have resolved the domain, clients might not query the DNS server for some time.

  3. Clients can use DoH/DoT at the level of browser/OS.
    Populating the IP sets relies on plain DNS, which can be problematic to enforce.

  4. DNS records can expire and change.
    The more domains are tracked, the higher the probability that some of them change.

  5. Resolving domains can take time.
    The more domains are tracked, the longer it takes to resolve them.

  6. Domains can use CDNs.
    Blocking their CDN can impact unrelated domains served by the same CDN.


The way to solve one of the problems may contradict others.
So, trying to solve all the issues is difficult and likely impossible.


In your case, a possible solution can be replacing the preresolve script with persistent IP sets.
Another option is to install banIP and populate its blocklist with IPs resolved by Dnsmasq.
However that deserves a separate thread.
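An added example of what "persistent IP sets" can look like in practice (this is not the wiki's script nor vgaetera's): dump the sets to flash, and at boot check the dump before replaying it with `ipset restore`. The set names `filter` and `filter6` are the ones used later in this thread; the dump path `/etc/ipset.save` is an assumption. Because the saved file is replayed as ipset commands, the restore path only accepts `create`/`add` lines for the expected set names, so a garbled or hand-edited backup cannot turn into arbitrary set changes.

```shell
#!/bin/sh
# Added example (not the wiki's or vgaetera's script): keep the DNS IP sets
# across reboots by dumping them to flash and restoring them at boot.
# Assumptions: the sets are named "filter" and "filter6" (as in this thread)
# and the dump lives at /etc/ipset.save (an assumed path).

IPSET_NAMES="${IPSET_NAMES:-filter filter6}"
IPSET_SAVE="${IPSET_SAVE:-/etc/ipset.save}"

# Dump only the named sets; "ipset save" emits "create ..." and "add ..." lines.
ipset_dump() {
  for name in $IPSET_NAMES; do
    ipset save "$name"
  done > "$IPSET_SAVE"
}

# Accept a dump only if every line is a create/add for one of our sets.
# The file on the backup partition is data, so check it before "ipset restore"
# replays it as commands. Returns 0 when the file is acceptable.
ipset_dump_is_sane() {
  file="$1"
  [ -s "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    set -f            # no globbing while splitting the line into words
    set -- $line
    set +f
    case "$1" in
      create|add) ;;
      *) return 1 ;;
    esac
    ok=0
    for name in $IPSET_NAMES; do
      [ "$2" = "$name" ] && ok=1
    done
    [ "$ok" = 1 ] || return 1
  done < "$file"
  return 0
}

# Restore the dump; -exist tolerates sets the firewall has already created.
ipset_restore_saved() {
  ipset_dump_is_sane "$IPSET_SAVE" || return 1
  ipset restore -exist < "$IPSET_SAVE"
}

# Usage: "ipset-persist.sh save" from cron or the firewall script,
# "ipset-persist.sh restore" from /etc/rc.local or an init script.
case "${1:-}" in
  save) ipset_dump ;;
  restore) ipset_restore_saved ;;
esac
```

Saving daily (or from the same script that repopulates the sets) rather than on every change keeps flash writes low, which addresses issue #1 above; the restore still only brings back the addresses known at the last save, so issue #4 remains.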

4 Likes

I'll try this.. and as always super thanks to you.. I'll let you know if this works for my case

1 Like

Thanks.. your script worked.. although I changed it a little bit to store the saved ipsets to my backup flash.. it also saved the ipset of banip :laughing: which is good since I can't find out why banip doesn't load the IP sets during boot, might be because there is lots of stuff loaded on my router :rofl:

1 Like

@vgaetera I think this needs to be added to the /etc/firewall.dnsmasq

ipset flush filter
ipset flush filter6

Because after a couple of tests, adding/removing domains to the dnsmasq list, the IPs of the removed domains still existed in the ipset list

The whole script looks like this now

# /etc/firewall.dnsmasq
/etc/init.d/dnsmasq restart
# Drop stale entries before repopulating, so IPs of removed domains go away
ipset flush filter
ipset flush filter6
# Extract the domains from the "/domain/..." server entries and resolve each
# one through the local Dnsmasq, which adds the answers to the IP sets
uci get dhcp.@dnsmasq[0].server \
| sed -e "s/\s/\n/g" \
| sed -n -e "s/^\///;s/\/.*$//p" \
| while read -r IPSET_DOMAIN
do nslookup "${IPSET_DOMAIN}" localhost
done

I'm not sure if this is the correct way to do it, but it worked on my setup

1 Like

Why don't you use DNSMASQ ipset instead of resolving domains and adding their IPs in the script? DNSMASQ ipsets work quite gracefully, they are resolved upon request or during downtime. You will need dnsmasq-full for them though.

2 Likes

That is already my current setup. And I'm not sure if you were replying to another topic I created that was related to my setup with IPSET DNS (about using UNBOUND), but that is literally on another topic :laughing:

No, I was replying to things like:

which is just above my reply. Given the response I've received, I'll know better in the future.

ohh a little miscommunication on both our sides ahahaha anyway, I'll be looking into the ipset option of DNSMASQ.. maybe it can be incorporated into the IPSET DNS wiki

Thanks :grin:

@AcidSlide, thanks, this is a known issue #4, I updated the scripts.
However, note that flushing IP sets can lead to issues #2 and #5.
So, traffic can leak to cached subdomains whose IP doesn't match the parent domain.

@stangri, unfortunately, the built-in IP sets in Dnsmasq are not supported by LuCI.
Minor code optimization vs. a web interface to edit domains: the latter is preferable in the general case.
Those who don't need a web interface are skilled enough and free to utilize the built-in feature. :wink:

3 Likes

#2 is fully taken care of by my setup, outside DNS has already been blocked on my internal network.

For #4 I've also set up a daily refresh using the sh /etc/firewall.dnsmasq script

#5 I know is a potential issue, but I also don't plan on creating a big list.. most of them are actually just temporary bans for the kids, most of the other more generic blocking is via adblock

Thanks again :slight_smile:

1 Like

I updated the method to preresolve domains, replacing the firewall script with hotplug:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#preresolve_domains

This way it shouldn't hang on startup and we can still populate the IP sets dynamically.
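An added example of the hotplug approach, written here to illustrate both the boot hang described in the first post and the fix announced above; it is not the wiki's hotplug script. It assumes the domains are configured as `/example.com/...` entries in `dhcp.@dnsmasq[0].server` (the format the earlier firewall script parsed), that the uplink interface is named `wan`, that the BusyBox `timeout` applet takes a bare seconds argument, and an install path of `/etc/hotplug.d/iface/99-dns-ipset`. The lookups only start once the WAN reports `ifup`, run in the background so netifd is not held up, and each one is capped by a timeout so a single unresolvable domain cannot stall the rest.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/99-dns-ipset (assumed path)
# Added example, not the wiki's hotplug script: when the WAN comes up, resolve
# the domains configured for Dnsmasq so their addresses land in the IP sets,
# instead of doing it from the firewall script before the uplink exists.
# Assumptions: domains are "/domain/target" entries in dhcp.@dnsmasq[0].server,
# the uplink interface is "wan", and BusyBox timeout accepts "timeout SECS CMD".

WAN_IFACE="${WAN_IFACE:-wan}"
LOOKUP_TIMEOUT="${LOOKUP_TIMEOUT:-5}"   # seconds per lookup, so one dead domain cannot stall the rest

# Turn a space-separated list of "/domain/target" server entries into one
# domain per line; entries without the leading slash are plain upstreams.
ipset_domains() {
  for entry in $1; do
    case "$entry" in
      /*/*) d="${entry#/}"; printf '%s\n' "${d%%/*}" ;;
    esac
  done
}

# Resolve each domain (read from stdin) through Dnsmasq on localhost; Dnsmasq
# itself adds the answers to the IP sets. Returns 1 if any lookup failed.
preresolve_domains() {
  failed=0
  while read -r domain; do
    [ -n "$domain" ] || continue
    timeout "$LOOKUP_TIMEOUT" nslookup "$domain" 127.0.0.1 >/dev/null 2>&1 \
      || failed=$((failed + 1))
  done
  logger -t dns-ipset "preresolve done, $failed lookup(s) failed"
  [ "$failed" -eq 0 ]
}

# Hotplug entry point: netifd sets ACTION and INTERFACE; only act on WAN ifup.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "$WAN_IFACE" ]; then
  # Background subshell: netifd should not wait for a hundred lookups.
  ( ipset_domains "$(uci -q get dhcp.@dnsmasq[0].server)" | preresolve_domains ) &
fi
```

Because the script is driven by the interface event rather than by firewall start, a router booting without an uplink no longer pays the per-domain nslookup timeout at all, and the sets are still repopulated as soon as the WAN returns.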

3 Likes

Wow... thanks! I'll check this out as soon as I can. Looking at the script, this was something I was trying to do ahahahaha.. your code looks so much better and simpler

1 Like
