dnsmasq integration? #599

Open
wellloaded opened this issue Jan 10, 2021 · 5 comments

@wellloaded

Is there any straightforward way to have these lists used by dnsmasq?

Or do we perhaps need a new format since dnsmasq defines domains in the format:

address=/foobar.test/127.0.0.1

thanks

@rusty-snake
Contributor

I wrote a program which downloads domains.list and converts it into a dnsmasq configuration. See https://gitlab.com/rusty-snake/uhb2dnsmasq.

What I learned?

  1. dnsmasq also blocks sub-domains. This can result in over-blocking, see [FALSE-POSITIVE?] eTLDs shouldn't be blocked whitelist#157 for an example.
  2. Not all domains in the list are accepted by dnsmasq (presumably wrong domains whitelist#154, https://gitlab.com/rusty-snake/uhb2dnsmasq/-/blob/ea1d265be8764a46c6ba5b32843964d4343ab1dd/src/main.rs#L116 and much more). You need to do syntax checks, have your own badlist or use heuristics to filter such domains. (Note: the syntax checks in uhb2dnsmasq have a lot of false positives due to Domains with underscores are considered as invalid rushmorem/publicsuffix#33.)
  3. For the record: dnsmasq's addn-hosts option still resolves AAAA queries (IPv6) if there is a 0.0.0.0 example.com line in the hosts-file. Of course A queries (IPv4) are resolved to 0.0.0.0.
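An added example of the convert-and-filter idea described above, written for this thread in Python and not taken from uhb2dnsmasq: it reads a constructed sample list (a stand-in for domains.list), rejects entries that fail a hostname-label check while deliberately allowing underscores (the false-positive point), drops single-label names as a crude stand-in for the eTLD over-blocking check, and skips sub-domains whose parent is already listed because dnsmasq's address= blocks the whole subtree anyway. The helper names are hypothetical.

```python
import re
from typing import Iterable, List, Set, Tuple

# One hostname label (RFC 1123 shape): 1-63 chars, alphanumerics and hyphens, no leading
# or trailing hyphen. Underscores are deliberately allowed: they occur in real DNS names,
# and rejecting them caused the false positives mentioned in the thread.
_LABEL = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$")

# Constructed sample input standing in for domains.list (not the real list).
SAMPLE_DOMAINS_LIST = """# constructed sample
ads.example.com
example.com
tracker.example.net
bad_host.example.org
-invalid.example.com
com
bad host.example.com""".splitlines()

def is_valid_domain(name: str) -> bool:
    """Syntax check for one blocklist entry (hypothetical helper)."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    # A single label is a TLD; blocking it would over-block everything beneath it.
    # (A real converter would also consult the public suffix list for eTLDs.)
    if len(labels) < 2:
        return False
    return all(_LABEL.match(label) for label in labels)

def covered_by_parent(name: str, blocked: Set[str]) -> bool:
    """True if a parent of `name` is blocked; dnsmasq address= already covers sub-domains."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))

def convert(lines: Iterable[str], sink_ip: str = "0.0.0.0") -> Tuple[List[str], List[str]]:
    """Return (dnsmasq address= lines, rejected entries) for a domains-style list."""
    accepted: Set[str] = set()
    rejected: List[str] = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()  # drop comments and whitespace
        if not entry:
            continue
        if is_valid_domain(entry):
            accepted.add(entry)
        else:
            rejected.append(entry)
    # Skip names whose parent is already listed: dnsmasq blocks the whole subtree anyway.
    config = [f"address=/{n}/{sink_ip}" for n in sorted(accepted)
              if not covered_by_parent(n, accepted)]
    return config, rejected
```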

@spirillen
Contributor

You guys should really try PowerDNS Recursor 😃 or Unbound (but I prefer to advise recursor as it does fully support RPZ)

In the recursor you can literally attach a hosts formatted file and it does it very well

# etc-hosts-file        Path to 'hosts' file
# etc-hosts-file=/etc/hosts
# export-etc-hosts      If we should serve up contents from /etc/hosts
# export-etc-hosts=off
# export-etc-hosts-search-suffix        Also serve up the contents of /etc/hosts with this suffix
# export-etc-hosts-search-suffix=

sudo grep 'local' /etc/powerdns/recursor.conf.dpkg-dist 
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
local-address=0.0.0.0, ::1
# local-port    port to listen on
# local-port=53
# logging-facility      Facility to log messages as. 0 corresponds to local0
# non-local-bind        Enable binding to non-local addresses by using FREEBIND / BINDANY socket options

Now disable systemd-resolved and dnsmasq, restart pdns-recursor, and you have started the road to your own control of DNS queries

@amastelek

Just use the --addn-hosts= option in the configuration file. Works like a charm.

@rusty-snake
Contributor

> Just use the --addn-hosts= option in the configuration file. Works like a charm.

@amastelek How did you test this?

> 1. For the record: dnsmasq's addn-hosts option still resolves AAAA queries (IPv6) if there is a 0.0.0.0 example.com line in the hosts-file. Of course A queries (IPv4) are resolved to 0.0.0.0.

@spirillen
Contributor

> 1. For the record: dnsmasq's addn-hosts option still resolves AAAA queries (IPv6) if there is a 0.0.0.0 example.com line in the hosts-file. Of course A queries (IPv4) are resolved to 0.0.0.0.

That is not an issue within the PowerDNS recursor, it only serves what it sees.

If record example.org is 0.0.0.0, then example.org is 0.0.0.0 and nothing else; it has found an answer....

Don't remember exactly how this is for unbound, but I do believe to remember it is similar to dnsmasq's issues, but check it online to be sure.
