I'm using nftset from the dnsmasq master branch to add IPs to an nftables set for a rule that allows only outbound connections to the IPs in the set, so a sort of domain/DNS whitelist, if you will.
There's a problem I'm experiencing where some domains resolve to an IP that in turn 'resolves' to a PTR(?) for some other IP. The end result is that I see an IP address that should be in the set but that nftables blocks/ignores because it's not, even though the domain that the IP should be associated with is in the nftset config for dnsmasq.

For example, I see that dnsmasq resolves gitlab.freedesktop.org to 147.75.198.156:

    Oct 20 15:09:50 gateway dnsmasq[455]: nftset add inet filter allowed_addresses 147.75.198.156 freedesktop.org
    Oct 20 15:09:50 gateway dnsmasq[455]: reply gitlab.freedesktop.org is 147.75.198.156

Despite that message, nftables does *not* have that IP in the set afterwards:

    table inet filter {
            set allowed_addresses {
                    type ipv4_addr
                    flags interval
                    elements = { 1.1.1.1, 8.8.4.4, 8.8.8.8, 10.0.2.0/24, 10.42.0.0/24,
                                 46.23.90.166, 51.75.67.47, 83.149.106.143, 94.199.173.123,
                                 108.61.56.35, 127.0.0.1, 127.0.0.53, 147.75.207.209,
                                 172.16.0.0/12, 176.58.120.252, 192.168.1.0/24,
                                 192.168.10.0/24, 192.168.11.0/24, 193.70.45.111,
                                 217.147.223.78 }
            }
    }

A 'reverse' lookup on the IP shows some PTR record:

    [user@system ~]# dig -x 147.75.198.156 @127.0.0.1 -p 5353

    ; <<>> DiG 9.16.21 <<>> -x 147.75.198.156 @127.0.0.1 -p 5353
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40325
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;156.198.75.147.in-addr.arpa.   IN      PTR

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#5353(127.0.0.1)
    ;; WHEN: Wed Oct 20 19:13:11 UTC 2021
    ;; MSG SIZE  rcvd: 56

And looking up the IP for that returns another domain:

    [user@system ~]# dig -x 156.198.75.147 @1.1.1.1

    ; <<>> DiG 9.16.21 <<>> -x 156.198.75.147 @1.1.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27841
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;147.75.198.156.in-addr.arpa.   IN      PTR

    ;; ANSWER SECTION:
    147.75.198.156.in-addr.arpa. 86400 IN   PTR     host-156.198.147.75-static.tedata.net.

    ;; Query time: 393 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Wed Oct 20 19:13:19 UTC 2021
    ;; MSG SIZE  rcvd: 107

In this example, both tedata.net and freedesktop.org are in the nftset list for dnsmasq (list abbreviated; the actual list does not include '...'):

    nftset=/.../freedesktop.org/tedata.net/.../inet#filter#allowed_addresses

Generally nftset does work for other domains where a PTR is not involved; the IPs for domains that are resolved through dnsmasq end up in the nftables set as expected.

I'm hoping someone has some guidance on how to debug this further, thanks!

-Clayton
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
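As an added debugging aid for the situation described in the post above (this is example code written for this page, not Clayton's script and not part of dnsmasq), the following Python cross-checks what dnsmasq logs under "nftset add" against what `nft list set` actually shows, so that addresses dnsmasq claims to have added but which are absent from the set can be listed mechanically rather than by eye. It also derives the in-addr.arpa name that `dig -x` queries for a given address, which makes it easy to confirm which address a given QUESTION SECTION actually refers to. The sample log lines and the set listing are constructed from the text of the post (the set is shortened); the function names and the extra 147.75.207.209 log line are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample input, taken from the post above (the 147.75.207.209 line
# is added for the example so that there is one address that IS in the set).
DNSMASQ_LOG = """\
Oct 20 15:09:50 gateway dnsmasq[455]: nftset add inet filter allowed_addresses 147.75.198.156 freedesktop.org
Oct 20 15:09:50 gateway dnsmasq[455]: reply gitlab.freedesktop.org is 147.75.198.156
Oct 20 15:10:02 gateway dnsmasq[455]: nftset add inet filter allowed_addresses 147.75.207.209 freedesktop.org
"""

# Constructed sample: an abbreviated `nft list set inet filter allowed_addresses`.
NFT_SET_LISTING = """\
table inet filter {
	set allowed_addresses {
		type ipv4_addr
		flags interval
		elements = { 1.1.1.1, 8.8.4.4, 8.8.8.8, 10.0.2.0/24, 10.42.0.0/24,
			     147.75.207.209, 172.16.0.0/12, 192.168.1.0/24 }
	}
}
"""

# Matches the "nftset add <family> <table> <set> <addr> <matched-domain>" lines
# that dnsmasq writes when --log-queries is on.
NFTSET_ADD_RE = re.compile(
    r"dnsmasq\[\d+\]: nftset add (?P<family>\S+) (?P<table>\S+) (?P<set>\S+) "
    r"(?P<addr>\S+) (?P<domain>\S+)$"
)


def parse_nftset_adds(log_text):
    """Return (family, table, set, address, matched_domain) for every
    'nftset add' line in the log text."""
    adds = []
    for line in log_text.splitlines():
        m = NFTSET_ADD_RE.search(line)
        if m:
            adds.append((m["family"], m["table"], m["set"], m["addr"], m["domain"]))
    return adds


def parse_set_elements(listing):
    """Return the networks in the 'elements = { ... }' block of an nft set
    listing. Single addresses become /32 (or /128) networks so that interval
    and non-interval sets are compared the same way."""
    m = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not m:
        return []
    nets = []
    for tok in m.group(1).split(","):
        tok = tok.strip()
        if tok:
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def address_in_set(addr, nets):
    """True if addr is covered by any element (prefix or single address)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def missing_from_set(log_text, listing):
    """Addresses dnsmasq logged as added that the set listing does not contain."""
    nets = parse_set_elements(listing)
    return sorted({a for _, _, _, a, _ in parse_nftset_adds(log_text)
                   if not address_in_set(a, nets)})


def ptr_name(addr):
    """The reverse-lookup name for an address, i.e. what `dig -x addr` sends in
    its QUESTION SECTION (dig reverses the octets itself)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


if __name__ == "__main__":
    for a in missing_from_set(DNSMASQ_LOG, NFT_SET_LISTING):
        print(f"logged as added but not in set: {a}  (PTR name {ptr_name(a)})")
```

In practice the two constants would be replaced by the real `journalctl -u dnsmasq` output and the real `nft list set inet filter allowed_addresses` output captured right after the lookup; anything the script reports as "logged as added but not in set" is a candidate for tracing with `nft monitor` to see whether the add ever reached the kernel.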