Services like YouTube and Netflix use tons of ranges of IP addresses that fluctuate wildly and aren't predictable. However, they're always from a given subdomain using DNS, like *.c.youtube.com. I'd like to have firewall rules for these IP addresses -- route them over this interface, that interface, rate limit them like this, or that, etc. An efficient way to do this is by adding IP addresses to a netfilter ipset and using iptables' ipset match support. With services that use lots of IPs spread out over ranges but instead use DNS, the only way to do this is to have the DNS forwarder add the resolved IPs to an ipset before returning the IP to the client.
This series of patches adds an --ipset option to dnsmasq which adds resolved IPs for specified domains to a given list of ipsets using the netlink on newer kernels and setsockopt on older kernels.

    --ipset=/google.com/yahoo.com/search,vpn

That option will add all resolved IPs for Google and Yahoo domains and subdomains to two ipsets -- "search" and "vpn". (Sub)-domain matching is conducted in the same way as with --address.

    --ipset=resolved
    --ipset=/#/resolved

These two options are identical. They each add all resolved domains to the "resolved" ipset.

If this mailing list post becomes stale, the latest series of patches may be found at <http://git.zx2c4.com/dnsmasq-ipset>.

Jason A. Donenfeld (3):
  ipset: Integrate ipset.c into build system.
  ipset: Parse new --ipset option and match domains in forward.c
  ipset: Update man page and example config to reflect new option.

 Makefile             |   5 +-
 dnsmasq.conf.example |   4 ++
 man/dnsmasq.8        |   6 +++
 src/config.h         |   6 +++
 src/dnsmasq.h        |  17 +++++-
 src/forward.c        |  20 ++++++-
 src/ipset.c          | 143 +++++++++++++++++++++++++++++++++++++++++++++++++++
 src/option.c         |  64 +++++++++++++++++++++++
 src/rfc1035.c        |  14 ++++-
 9 files changed, 274 insertions(+), 5 deletions(-)
 create mode 100644 src/ipset.c

-- 
1.8.1.2

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
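The option syntax and matching rules above can be modelled end to end: parse each --ipset value into a (domains, ipsets) rule, decide which sets a resolved name belongs to, and add the answered addresses to those sets. The Python below is an added illustration written for this page; it is not dnsmasq's C implementation (src/option.c, src/forward.c, src/ipset.c) and it talks to no kernel ipset at all, it only keeps the set members in a dictionary. It assumes that "matched in the same way as --address" means a pattern matches the name itself and every subdomain on a label boundary, that "#" matches every name, and that the bare form (no leading "/") is the same as "/#/". The sample names and addresses are constructed; the addresses come from the documentation ranges.

```python
"""Model of dnsmasq's --ipset option as described in the patch cover letter.

Added example, not dnsmasq code. Assumption: domain matching follows --address
rules ("example.com" matches itself and any subdomain; "#" matches everything).
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[List[str], List[str]]   # (domain patterns, ipset names)


def parse_ipset_option(value: str) -> Rule:
    """Parse the text after '--ipset=' into one (domains, ipsets) rule.

    Forms shown in the post:
      /google.com/yahoo.com/search,vpn -> (['google.com', 'yahoo.com'], ['search', 'vpn'])
      resolved                         -> (['#'], ['resolved'])   bare form: every name
      /#/resolved                      -> (['#'], ['resolved'])   explicit wildcard
    """
    if not value.startswith("/"):
        # No domain list at all: the rule applies to every resolved name.
        return (["#"], [s for s in value.split(",") if s])
    fields = value.split("/")[1:]          # drop the empty field before the first '/'
    if len(fields) < 2:
        raise ValueError(f"--ipset needs a domain and an ipset list: {value!r}")
    *domains, ipset_field = fields
    domains = [d.lower().rstrip(".") for d in domains]
    ipsets = [s for s in ipset_field.split(",") if s]
    if not domains or not ipsets:
        raise ValueError(f"empty domain or ipset list in --ipset: {value!r}")
    return (domains, ipsets)


def domain_matches(name: str, pattern: str) -> bool:
    """--address style match: exact name or any subdomain; '#' matches every name."""
    if pattern == "#":
        return True
    name = name.lower().rstrip(".")
    # The '.' prefix keeps 'notgoogle.com' from matching the pattern 'google.com'.
    return name == pattern or name.endswith("." + pattern)


def ipsets_for_name(rules: List[Rule], name: str) -> List[str]:
    """Every ipset a resolved name belongs to, in option order, without duplicates."""
    targets: List[str] = []
    for domains, ipsets in rules:
        if any(domain_matches(name, d) for d in domains):
            for s in ipsets:
                if s not in targets:
                    targets.append(s)
    return targets


def apply_answer(rules: List[Rule], name: str, addresses: List[str],
                 sets: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """The forwarder step: once upstream has answered `name` with `addresses`,
    add those addresses to each matching ipset before the reply goes to the client.
    `sets` stands in for the kernel's ipsets (ipset name -> members)."""
    for ipset in ipsets_for_name(rules, name):
        sets.setdefault(ipset, set()).update(addresses)
    return sets


def demo() -> Dict[str, Set[str]]:
    """Constructed run: the three options from the post plus a few made-up answers."""
    rules = [parse_ipset_option(v) for v in
             ("/google.com/yahoo.com/search,vpn", "resolved", "/#/resolved")]
    sets: Dict[str, Set[str]] = {}
    # Addresses are documentation-range placeholders, not real DNS records.
    apply_answer(rules, "www.google.com.", ["192.0.2.10", "2001:db8::10"], sets)
    apply_answer(rules, "mail.yahoo.com", ["192.0.2.20"], sets)
    apply_answer(rules, "example.net", ["192.0.2.30"], sets)      # only 'resolved'
    apply_answer(rules, "notgoogle.com", ["192.0.2.40"], sets)    # only 'resolved'
    return sets


if __name__ == "__main__":
    for ipset, members in demo().items():
        print(f"{ipset}: {sorted(members)}")
```

Two points the model makes visible. First, membership is driven purely by what the upstream resolver answers, so the firewall rule ends up trusting the DNS path; the sets are only as good as the resolver feeding them. Second, the model never removes an address, and neither does the mechanism described in the post, so a set created with ipset's timeout option (a real ipset feature, not part of this patch series) is the usual way to keep entries from outliving the addresses they were learned from.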