On Fri, Oct 31, 2025 at 07:20:48PM +0000, Aaron Gray wrote:
> So does the existing OpenVPN actually check IPs against previous DNS
> request reply IPs ?

I assume you are not talking about OpenVPN but about another component.
I assume nftables.

> If it is not an out of the box configuration, how would I configure
> OpenVPN to do so please ?

The glue you need is a DNS processor that needs to be implemented.

I would assume the rules:

dport 53 queue;
sport 53 queue;

Maybe "dup lo" (or some extra interface) could work too. The advantage of
queue is that the userspace process could process the packet before it is
forwarded in the network and the effect should apply.

The permitted IPs would be added to some nft set from that userspace
process. Then there would be a filter rule expecting the item in the set:

ip daddr @ip_set accept;
ip saddr @ip_set accept;

Otherwise, one would reject or drop.

IPs should also be removed from the set at some point. Set items can
expire, but active traffic to it should probably reset the timer.

This DNS processor could in theory be implemented in the kernel. I would
not recommend this. I would not expect an amount of DNS traffic where
performance would become a problem.

> > Honestly, this sounds like some toy for people that don't know what
> > they are doing.
>
> I am not really that much of a noob, I did happen to have run dual
> mirrored servers for 7 years with 36 hours downtime due to power and
> internet outages, of which 1 hour was my fault ;)

I am talking about people using this solution. I saw people using some
"traffic analyzer solutions" interpreting the data wrongly because they
have no idea about the limitations of reverse DNS and geolocation (or
don't know at all what this actually is).

> > CDNs limit its use.
>
> How do Content Delivery Networks work with this, is this just
> blacklists and whitelists rather than DNS based blacklists ? If there
> are whitelists for all the major operating systems installation and
> updates this would be great !

One CDN is used for many services. Thus, the same IP is used for many
services. So it is possible to permit way too much in the end.

This also opens the possibilities for Domain Fronting 2.0. Original
Domain Fronting was about using different hostnames in the TLS and HTTP
level. Now, there is a motivation to specify another legitimate domain
at the DNS level that uses the same CDN as the target service to unblock
the IP.

> > For restrictive setups, proxies are used today. Those could be
> > transparent proxies.
>
> I am not really sure how proxies are relevant, please explain.

Outbound internet access/any internet access only using some proxy
server that enforces domain filters and device/user authentication.
Example: squid3

> Sorry I don't wish to sound rude, I really don't know OpenWRT itself
> that well yet despite using it for a while.

This is not related to OpenWrt. I consider it general networking.

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
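The design the reply sketches (queue DNS to userspace, keep the answered addresses in an nft set with a timeout, accept only traffic whose peer is in the set), as an added example that is not code from the thread or from OpenWrt. The table and set names (`dnsgate`, `ip_set`, `ip6_set`), the 5 minute timeout and the sample DNS reply are constructed; handing queued packets to this code needs an nfqueue binding, which is assumed and not shown. The ruleset is an assumed sketch in nft syntax; only the DNS parsing and command generation run offline.

```python
"""Userspace "DNS processor" glue for an nftables allow-by-DNS setup.

Added example, not from the mailing-list thread. Parses a DNS reply,
pulls the A/AAAA records out of the answer section and turns them into
`nft add element` commands for a timed set. Names and timeouts are
constructed assumptions."""
import ipaddress
import struct
import subprocess
from typing import List, Tuple

# Hypothetical ruleset (assumption, in nft syntax). UDP/53 in both
# directions goes to queue 0, where the userspace process decides the
# verdict and feeds answers into the sets. Everything else is only allowed
# while its peer address is in a set; a hit refreshes the element timeout,
# which is the "active traffic resets the timer" part of the reply.
NFT_RULESET = """\
table inet dnsgate {
    set ip_set  { type ipv4_addr; flags dynamic,timeout; timeout 5m; }
    set ip6_set { type ipv6_addr; flags dynamic,timeout; timeout 5m; }
    chain forward {
        type filter hook forward priority 0; policy drop;
        udp dport 53 queue num 0
        udp sport 53 queue num 0
        ip daddr @ip_set update @ip_set { ip daddr timeout 5m } accept
        ip saddr @ip_set update @ip_set { ip saddr timeout 5m } accept
        ip6 daddr @ip6_set update @ip6_set { ip6 daddr timeout 5m } accept
        ip6 saddr @ip6_set update @ip6_set { ip6 saddr timeout 5m } accept
        counter reject
    }
}
"""

def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2                # caller resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                    # refuse pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def extract_addresses(msg: bytes) -> List[Tuple[str, str, int]]:
    """Return (owner, address, ttl) for each A/AAAA RR in the answer section.

    Non-responses and error replies yield nothing, so a spoofed or failed
    answer never adds an element. CNAMEs are skipped; the owner reported is
    the name the address record actually belongs to (often the CDN name)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:  # QR must be set, RCODE must be 0
        return []
    off = 12
    for _ in range(qd):                       # skip question section
        _, off = _read_name(msg, off)
        off += 4                              # qtype + qclass
    out = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            out.append((owner, str(ipaddress.IPv4Address(rdata)), ttl))
        elif rtype == 28 and rdlen == 16:
            out.append((owner, str(ipaddress.IPv6Address(rdata)), ttl))
    return out

def nft_commands(records, table="inet dnsgate",
                 ipv4_set="ip_set", ipv6_set="ip6_set") -> List[str]:
    """Build per-element `add element` lines; the element timeout follows the
    record TTL with a 30 s floor so zero-TTL answers still let the flow start."""
    cmds = []
    for _owner, addr, ttl in records:
        setname = ipv4_set if ipaddress.ip_address(addr).version == 4 else ipv6_set
        cmds.append(f"add element {table} {setname} {{ {addr} timeout {max(ttl, 30)}s }}")
    return cmds

def apply_commands(cmds: List[str]) -> None:
    """Feed the commands to nft in one transaction (requires root and nft)."""
    subprocess.run(["nft", "-f", "-"], input="\n".join(cmds) + "\n",
                   text=True, check=True)

def build_sample_response() -> bytes:
    """Constructed reply (not a capture): example.com -> CNAME cdn.example.net,
    which then has one A and one AAAA record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    cname = b"\x03cdn\x07example\x03net\x00"            # rdata lands at offset 41
    rr_cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname
    target = b"\xc0\x29"                                 # pointer to offset 41
    rr_a = target + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address("192.0.2.10").packed
    rr_aaaa = target + struct.pack("!HHIH", 28, 1, 60, 16) + ipaddress.IPv6Address("2001:db8::1").packed
    return header + question + rr_cname + rr_a + rr_aaaa

if __name__ == "__main__":
    print(NFT_RULESET)
    for line in nft_commands(extract_addresses(build_sample_response())):
        print(line)
```

Note that the answered address belongs to the CNAME target, i.e. the CDN name, which is exactly the over-permitting problem the reply raises: every other service behind that CDN address is opened along with it.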
