Hi Geert,
thanks, all fine. I was in a bit of a hurry yesterday, so my original post
may not have all relevant information.
I know there is the feature to reject DNS queries from hosts based on
marking the connection with iptables. I tried to set this up for some
specific radio device which has a buggy weather.com webservice API
that crashes on broken results. I know if I filter some weather.com
API requests completely in dnsmasq, the device no longer shows weather
and does not crash.
I know how to add connmarks to IPtables mangle table, but I did not
get the filtering running.
Does anybody have an example how to set up the combination of iptables
mangle rules with dnsmasq? The documentation man page has no example
and is far from useful. I have no idea what mark means and what those
masks are. Basically I want to mark all DNS packets (UDP port 53)
from a specific device on the internal network with some tag and instruct
dnsmasq to not answer DNS requests for a specific domain. The iptables
rules are easy to set up, but I have no idea what to pass to the connmark
iptables module (no mention of masks there, but marks) and how to
set up dnsmasq.
It would really be good to have an educating example in the dnsmasq
documentation of a working setup (both for dnsmasq config and for some
example iptables rules).
Any ideas?
git clone URL_of_dnsmasq_source dnsmasq
cd dnsmasq/contrib/conntrack
cat README
Basically, the mentioned README file is already known to me and is only
partly useful, as it is missing an important part: How to configure
dnsmasq so it works correctly with the given iptables examples? The
convention of using "masks" requires the reader to understand in a
detailed way how connection "marks" work and how they interact with
masks. So marks should always be powers of 2, because whenever you assign
multiple marks to the same connection they are "or"ed together by the
iptables kernel code. This is why it is useful to "and" them with an
expected mask when analyzing them on the dnsmasq side. If you only have a
single mark assigned to all connections it's not an issue and you don't
need masks, but you have to keep that in mind and better stick with
using powers of 2 as marks.
To come back to my current problem: Further investigation shows that it
won't work with dnsmasq because there's one feature missing: You can only
"allow" DNS resolving when specific marks/masks are given, but there's
no way to explicitly disallow a specific DNS resolution when a
mark/mask combination is present (this would have been required to only
disallow a single device's access to a specific domain). So it might be
a good idea to add "--connmark-rejectlist" to dnsmasq, because this is
missing to implement that.
Thinking about it a bit more, I have another idea which may work, too - but
it's also limited: Use the dnsmasq "ipset" or "nftset" features to place
all resulting IP addresses of a DNS resolution into an ipset. Because the
device always queries the DNS name first, any later connections
established to those IPs can be matched by iptables rules. I can then
add a rule which rejects HTTPS connections to those IP addresses (not
drop but TCP reject them, otherwise it leads to timeouts and crashes in
the radio device). The problem with that approach is that it also blocks
access to legitimate services on the same IP address (and unfortunately
weather.com/accuweather are using CDNs, so blocking their IPs is a bad
idea).
So I have no idea how to ideally block a specific device from resolving
a specific hostname, but let go through all other requests.
Many thanks
Idea for a better "Many thanks": Share with the mailing list archive
feedback on the file contrib/conntrack/README like a "Works for me"
or even an addition as "Here is a patch that documents my working use case".
You might know my name (just Google for it): I am a very open source
active person. If I would find out anything useful, I would contribute
it back.
P.S.: Some of the dnsmasq features regarding IPv6 and lifetime
of IPv6 prefixes and announcing removed prefixes also go back to
my idea contributions from around 2012.
Groeten
Geert Stappers
Thanks, Uwe
--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail:u...@thetaphi.de
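An added example (not from this thread and not dnsmasq code) modelling the mark/mask arithmetic Uwe describes above: how CONNMARK --set-mark value/mask changes a connection mark, why two marks on one connection end up OR'ed together, and why an allowlist entry compares "(connmark & mask) == mark" instead of the whole mark. The mark values, domain names and the pass-through policy for marks without an allowlist entry are constructed assumptions for this model, not statements about dnsmasq's own behaviour.

```python
# Model of netfilter CONNMARK and a dnsmasq-style per-mark allowlist.
# All values are constructed for illustration; this is not dnsmasq code.

MARK_RADIO = 0x1   # constructed: bit set on DNS packets from the radio
MARK_GUEST = 0x2   # constructed: bit set on DNS packets from a guest VLAN


def set_mark(connmark: int, value: int, mask: int) -> int:
    """CONNMARK --set-mark value/mask: clear the bits in mask, OR value in.
    With a partial mask, bits set by earlier rules survive (they get OR'ed)."""
    return (connmark & ~mask) | value


def mark_matches(connmark: int, mark: int, mask: int) -> bool:
    """The 'mark/mask' test: AND the connmark with mask, compare to mark."""
    return (connmark & mask) == mark


def name_matches(qname: str, pattern: str) -> bool:
    """'*' matches any name; otherwise the name itself or any subdomain."""
    qname, pattern = qname.rstrip(".").lower(), pattern.rstrip(".").lower()
    return pattern == "*" or qname == pattern or qname.endswith("." + pattern)


def query_allowed(connmark: int, allowlist: list, qname: str) -> bool:
    """allowlist: [(mark, mask, [pattern, ...])]. The first entry whose
    mark/mask matches decides; a connmark matching no entry is passed
    through unfiltered (an assumption of this model, not dnsmasq's rule)."""
    for mark, mask, patterns in allowlist:
        if mark_matches(connmark, mark, mask):
            return any(name_matches(qname, p) for p in patterns)
    return True


# Radio may only resolve the names it needs; guests may resolve anything.
# Note the limitation from the thread: this can only say which names are
# allowed, not "everything except weather.com".
ALLOWLIST = [
    (MARK_RADIO, MARK_RADIO, ["radio-time.example", "api.example"]),
    (MARK_GUEST, MARK_GUEST, ["*"]),
]


def demo() -> dict:
    radio = set_mark(0, MARK_RADIO, MARK_RADIO)      # 0x1
    both = set_mark(radio, MARK_GUEST, MARK_GUEST)   # 0x3: two marks OR'ed
    return {
        "radio_api": query_allowed(radio, ALLOWLIST, "api.example"),
        "radio_weather": query_allowed(radio, ALLOWLIST, "weather.com"),
        "both_weather": query_allowed(both, ALLOWLIST, "weather.com"),
        "both_matches_with_full_mask": mark_matches(both, MARK_RADIO, 0x3),
        "unmarked_weather": query_allowed(0, ALLOWLIST, "weather.com"),
    }
```

The "both" case is the point of the masks: with mask 0x1 the radio bit is still recognised inside the OR'ed value 0x3, while comparing against the full mark (mask 0x3) fails and the radio would slip through unfiltered.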
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss