Member

Dnsmasq Ipset


Dnsmasq has support for an ipset=/.../ option in its config. You specify a domain prefix (say... netflix.com), and any IPs that are resolved from in or below that prefix will be dynamically added to the given ipset. It's a cool feature. I actually wrote it myself and got it upstreamed. Unfortunately, EdgeMAX doesn't compile this option into the binary provided. Could 1.6.1 come with the ipset option compiled in? This would be extremely useful for a wide variety of use cases.

 

In other words, could you edit the config.h file to include "#define HAS_IPSET"?

Member

Re: Dnsmasq Ipset

Hi folks. I'm attaching a binary of dnsmasq 2.72 that I compiled myself on the ERL, which I'm swapping out in a firstboot.d script, for anyone else who wants this. No, it's not good to run random binaries from strangers off the Internet, but maybe the existence of this will suggest that Ubnt start including it themselves!

And here's a config excerpt. It makes the IP addresses resolved from certain domain suffixes be added to the "RouteThroughAmerica" IPSet:

service {
    dns {
        forwarding {
            cache-size 1000
            listen-on eth1
            listen-on vtun1
            options ipset=/netflix.com/pandora.com/RouteThroughAmerica
        }
    }
}
Previous Employee

Re: Dnsmasq Ipset

Thanks for putting together the binary! As discussed before, for dnsmasq we are using the Debian package directly and the current version in wheezy does not support ipset yet. As discussed before, we try to use Debian packages as much as possible (to leverage the Debian updates/fixes/maintenance/etc. efforts), but of course when there are new features or important fixes we do build our own packages so this might be another case where we could look into that. Of course it would also be good if people who are interested can give this a try!

Member

Re: Dnsmasq Ipset

I will absolutely try this, because I have a similar set of rules that I currently have to modify manually to make sure the traffic goes out the right WAN (in a dual-WAN setup) interface.

 

I'm also concerned that because I have a few "modify rules" defined, I've completely disabled offloading (as per your other thread).  I'll post a follow-up there so this doesn't get muddled.

 

Happy New Year.

Member

Re: Dnsmasq Ipset

Hey, could you also share your firstboot.d script with it? So I don't have to fiddle with that myself and maybe get some mistakes into it.

 

By the way, did you compile Dnsmasq with DNSSEC support? I would guess not, because the binary appears rather small - as I read DNSSEC support blows it up a bit.

 

Thank you for your work!

New Member

Re: Dnsmasq Ipset

I have been looking for this functionality!!!

 

zx2c4, can you please post a step-by-step for a complete novice to getting this functionality working?  Would really appreciate it.

New Member

Re: Dnsmasq Ipset

OK, so I think I have educated myself enough to be dangerous!  Could somebody please provide an example firstboot.d script that I can use to replace the binary?  My new dnsmasq binary is located in /config.

 

Thanks loads in advance!

Member

Re: Dnsmasq Ipset


I repurposed some old script I've had lying around for a long time. I actually put mine in pre-config.d so it runs at each system startup (but it does compare the two binaries and only overwrites if the replacement version is different). That way I can always add a new version of the binary and know it will update next reboot, not just when I next upgrade the firmware (like if I were to use a firstboot.d script).

 

Anyway, here is my script adapted to your assumed values. Although it will determine where the runtime version of the original binary is located, you do have to specify the full path to the replacement version within the variable $NEW_BIN:

 

#!/bin/bash

OLD_BIN="dnsmasq"
NEW_BIN="/config/dnsmasq"

# Locate the runtime copy of the original binary via PATH
OLD_BIN=`which ${OLD_BIN}`

# Only overwrite when the replacement differs from what is installed
if diff -q ${OLD_BIN} ${NEW_BIN} >& /dev/null; then
    echo "${OLD_BIN} has already been replaced by custom version: ${NEW_BIN}"
else
    echo "${OLD_BIN} needs to be replaced by custom version: ${NEW_BIN}"
    # Keep a one-time backup of the stock binary
    if ! [ -s ${OLD_BIN}.orig ]; then
        echo "Backing up ${OLD_BIN} to ${OLD_BIN}.orig"
        cp -rp ${OLD_BIN} ${OLD_BIN}.orig
    fi
    echo "Copying custom binary ${NEW_BIN} to ${OLD_BIN}"
    cp -rp ${NEW_BIN} ${OLD_BIN}
fi
exit 0

 

There's no real error processing in this, but not really much to go wrong with cp! Make sure the script runs as root. Easiest way is to change the ownership and set the setuid bit:

 

chown root:vyattacfg /config/scripts/pre-config.d/patch_dnsmasq.sh
chmod 4755 /config/scripts/pre-config.d/patch_dnsmasq.sh
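Since the script above copies whatever sits at $NEW_BIN straight over the system dnsmasq, here is an added example (my own, not part of the post or of EdgeOS) of two checks a pre-config.d script can run before that cp: that the replacement still has the SHA-256 you recorded when you built it, and that `dnsmasq --version` lists ipset among its compile-time options (dnsmasq prints disabled options as no-<option>). EXPECTED_SHA256 is a placeholder you fill in, and the sample version output is constructed.

```shell
#!/bin/sh
# Added example: pre-install checks for a replacement dnsmasq binary.
# Assumptions: NEW_BIN is the path used in this thread; EXPECTED_SHA256 is a
# placeholder for the digest you computed on the machine that built the binary.

NEW_BIN="/config/dnsmasq"
EXPECTED_SHA256="<sha256 of the binary you built>"   # placeholder, fill in

# Return 0 if the "Compile time options:" line of `dnsmasq --version` output
# lists WANT as an enabled option (a "no-WANT" token does not count).
has_compile_option() {
    version_output="$1"; want="$2"
    opts=$(printf '%s\n' "$version_output" | sed -n 's/^Compile time options: *//p')
    for o in $opts; do
        [ "$o" = "$want" ] && return 0
    done
    return 1
}

# Return 0 if the file's SHA-256 equals EXPECTED (hex, lower case).
sha256_matches() {
    file="$1"; expected="$2"
    actual=$( (sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Gate for the install script: refuse the copy unless every check passes.
replacement_is_acceptable() {
    bin="$1"; expected="$2"
    [ -x "$bin" ] || { echo "$bin is not executable" >&2; return 1; }
    sha256_matches "$bin" "$expected" || { echo "$bin: checksum mismatch" >&2; return 1; }
    has_compile_option "$("$bin" --version 2>/dev/null)" ipset \
        || { echo "$bin was built without ipset support" >&2; return 1; }
    return 0
}

# Constructed sample of `dnsmasq --version` output, for offline illustration.
SAMPLE_VERSION_OUTPUT='Dnsmasq version 2.72  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect'

# Usage inside the pre-config.d script, just before the cp:
#   replacement_is_acceptable "$NEW_BIN" "$EXPECTED_SHA256" || exit 1
```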


New Member

Re: Dnsmasq Ipset

Thanks very much for your help!

 

I tried this last night and something's not quite right.  Clearly the script is doing something, since I cannot access the internet once I have rebooted with everything in place...

 

Things that I have checked are:

- The old bin is located in the /etc/init.d directory, but there is no dnsmasq.orig as I would have expected once the script has run.

- When I run "sudo service dnsmasq status" I get no response, it simply dumps me at the prompt.  With the original version the system would respond with a status message.

- If I run "sudo service dnsmasq start" or "restart" I get nothing either...

 

Should I have done something with the permissions of the new dnsmasq binary I downloaded from this thread?  All I did was download it and transfer to my /config directory, nothing more.

 

I feel like I'm really close - thanks again for your help!

Member

Re: Dnsmasq Ipset

Dnsmasq is located at /usr/sbin/dnsmasq.

Yes, it must be executable and owned by root. The commands for that were in the previous post. Obviously now you would have to run it on the /usr/sbin/dnsmasq as well as the one in your config directory as the copy had already been made.

New Member

Re: Dnsmasq Ipset

OK - looks like the script ran just fine, and I can connect to the internet!  Woohoo!  Thanks so much.

 

As for the configuration files to take advantage of the ipset commands, do I put those in the /etc/dnsmasqd directory?  Do I have to change permissions on those also?  Do they need to follow a specific naming convention?


Thanks so much again, especially for the quick response!

Member

Re: Dnsmasq Ipset

You can put the config in any file, of any name, under /etc/dnsmasq.d. Alternatively, and in my eyes better, you can actually configure it in the 'normal' EdgeOS config if you are familiar with the configuration via the command line. You can use the 'options' keyword.

I'm out and answering you on my phone at the moment so can't go into details off the top of my head but you should be able to find how to do that if you search the forum.

New Member

Re: Dnsmasq Ipset

I'm embarrassed to say that I don't really know what I'm doing... :-(

I want to use a variation of the example configuration documented in the first post of this thread.  I tried editing for my requirements and inserting into a configuration file that I placed into /etc/dnsmasq.d but the service threw an error when I tried to restart.

I then tried to edit the dnsmasq.conf file in /etc which threw errors again, and for some reason I couldn't back those changes out and get the service to restart - it kept telling me there were errors in line 4...  I had to re-flash and start again to get everything working as it was.  Gah!

 

I've been scouring the forums and internet for a lead as to how I would load that sample configuration via CLI but I'm still none the wiser.

 

If you happen to have some time to help further when you are home I would surely appreciate it!

 

Thanks again.

New Member

Re: Dnsmasq Ipset

OK, should have had more faith in myself.

 

I've successfully navigated the CLI.  Now when I issue the command:

 

show services dns forwarding

 

I see the following configuration:

 

cache size 1000

listen-on eth1

listen-on vtun0

options ipset=/bbc.co.uk/RouteThroughUK

 

Now, I'm still not getting any traffic routing through vtun0 if I access bbc.co.uk.  Do I have to adjust something to tell the router to route traffic from the RouteThroughUK tables to vtun0?

Member

Re: Dnsmasq Ipset


Glad you have the new dnsmasq binary in place and (hopefully) working now. You can test if it is populating the group by running the following command:

 

ipset -L RouteThroughUK

 

It should contain all the IP addresses returned by bbc.co.uk lookups if it is set up correctly. However, to accomplish what you appear to want there are more steps, you're right. At a high level you need to:

 

1. Make sure address group 'RouteThroughUK' exists (or dnsmasq won't be able to populate it):

set firewall group address-group RouteThroughUK

2. You need to define a new routing table with vtun0 as the next hop interface (say, table 1):

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0

3. You need to create a modify firewall that says all traffic with a destination in group RouteThroughUK should use routing table 1 (if that's what you defined it as in step 2):

set firewall modify RouteThroughUK rule 1 action modify
set firewall modify RouteThroughUK rule 1 destination group address-group RouteThroughUK
set firewall modify RouteThroughUK rule 1 modify table 1
set firewall modify RouteThroughUK rule 1 protocol all

4. You need to assign that modify firewall to your LAN interface, direction 'in':

set interfaces ethernet eth1 firewall in modify RouteThroughUK

Steps 1-4 must be done in 'configure' mode, remember to commit and save.
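As an added example (mine, not part of the reply above or of EdgeOS), a few shell helpers that automate the "is dnsmasq populating the set" check: resolve the domain through the router's own dnsmasq so the ipset hook fires, then confirm every returned address appears in what `ipset -L` prints. ROUTER_DNS and the use of `dig` are assumptions, and the `ipset -L` listing is a constructed sample.

```shell
#!/bin/sh
# Added example: verify that the set named in ipset=/.../ is being filled.
# Assumptions: `ipset` and `dig` exist on the router; ROUTER_DNS is the
# dnsmasq listener that clients actually query.

ROUTER_DNS="127.0.0.1"   # assumption: query the local dnsmasq

# Print the member lines of `ipset -L` output (everything after "Members:").
ipset_members() {
    printf '%s\n' "$1" | sed -n '/^Members:/,$p' | sed '1d' | sed '/^$/d'
}

# Print the "Type:" field of `ipset -L` output (e.g. hash:ip).
ipset_type() {
    printf '%s\n' "$1" | sed -n 's/^Type: *//p'
}

# Return 0 if IP is listed among the members of the given `ipset -L` output.
ipset_has_member() {
    ipset_members "$1" | grep -qxF "$2"
}

# Resolve NAME through the router's dnsmasq, then report which of the returned
# addresses are present in SET_NAME. Returns the number of missing addresses.
check_set_populated() {
    set_name="$1"; name="$2"; missing=0
    addrs=$(dig +short @"$ROUTER_DNS" "$name" A | grep -E '^[0-9.]+$')
    listing=$(ipset -L "$set_name") || { echo "set $set_name does not exist" >&2; return 1; }
    for a in $addrs; do
        if ipset_has_member "$listing" "$a"; then
            echo "ok:      $a is in $set_name"
        else
            echo "missing: $a is not in $set_name"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample of `ipset -L` output, for offline illustration.
SAMPLE_LISTING='Name: RouteThroughUK
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 1
Members:
198.51.100.10
198.51.100.11'

# Usage on the router:  check_set_populated RouteThroughUK bbc.co.uk
```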


New Member

Re: Dnsmasq Ipset

Thanks very much again for the help, here's the latest:

 

ubnt@ubnt# commit
[ firewall group address-group RouteThroughUK ]
Unexpected type [hash:ip]

[ firewall modify RouteThroughUK rule 1 destination group address-group RouteThroughUK ]
Unexpected type [hash:ip]

[ interfaces ethernet eth1 firewall in modify RouteThroughUK ]
Firewall config error: Rule set RouteThroughUK is not configured

Commit failed

 

It looks like I had created an incorrect ipset with the hash:ip type.  I destroyed and recreated as a hash:net (I think!).

 

Despite the earlier commit errors, it seems to be routing some traffic through vtun0, but it's not working 100%.  Now I'm concerned that it's partially done and I'm not sure really what type of ipset I should have created and whether I need to back the firewall changes out and start again.

 

Help!

Member

Re: Dnsmasq Ipset

Looks like you previously created a network group instead of an address group. Just delete it then create the address group. Or pick a different name so they don't clash. Former obviously better.

Member

Re: Dnsmasq Ipset

Alternatively maybe you didn't create a group at all in your config and dnsmasq did it automatically (so now the official config way fails)... In which case you need to delete that group outside of the config by using 'ipset del RouteThroughUK'

New Member

Re: Dnsmasq Ipset

So, the full story is that I ran the ipset -L RouteThroughUK command and it told me it didn't exist, so I got on the Google. I created the set using the hash:ip option (it wouldn't create unless I added some sort of option) but it looks like that was the wrong type. I deleted it using the destroy command and tried again with the aforementioned switch.

 

I also remembered that, since the commit didn't complete, I didn't save, so I simply rebooted the router to lose the botched changes.

 

So, I guess my question now is: what is the correct type of ipset I should create? I think that would take care of my few remaining problems...

Member

Re: Dnsmasq Ipset

Create it as per my instructions as they're correct.