lixingcong / dnsmasq-regex Goto Github PK

In my dnsmasq.conf file, I have two rules:

# Allow address:
server=/firebaseio.com/#

# Block any address containing 4 numbers:
address=/:.*[0-9]{4,4}.*:/

Now if I do dig firebaseio.com, I get the correct server IP address. But if I do dig s-usc1a-nss-2026.firebaseio.com (which is covered by the regex), then I get a NXDOMAIN/127.0.0.1 response.

Since the first rule exists before the second, logically it should override the regex. But it seems like it is not doing so. Is this the expected behaviour?

I am trying to use dnsmasq-regex on a FreeBSD 13.2 system:

$ uname -a
FreeBSD fbsd13_2 13.2-RELEASE FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 GENERIC amd64

$ c++ --version
FreeBSD clang version 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc12386ae247c)
Target: x86_64-unknown-freebsd13.2
Thread model: posix
InstalledDir: /usr/bin

and in doing so there are warnings when compiling due to data alignment issues:

8 warnings generated.
cc -Wall -W -O2 -DHAVE_REGEX -DVERSION='"2.89-44-g9bbf098"' -c nftset.c
In file included from nftset.c:18:
./dnsmasq.h:352:18: warning: field 'addr' with variable sized type 'union all_addr' not at the end of a struct or class is a GNU extension [-Wgnu-variable-sized-type-not-at-end]
union all_addr addr;
^
./dnsmasq.h:418:18: warning: field 'addr' with variable sized type 'union all_addr' not at the end of a struct or class is a GNU extension [-Wgnu-variable-sized-type-not-at-end]
union all_addr addr;

Are these warnings superficial and can they be ignored?
Or does one have to add some compiler flags?

I am having an error on Android (LineageOS) I wonder if you can help me please..

I downloaded the Android NDK. Then I export the necessary variables:

export NDK_PROJECT_PATH=/home/myuser/Library/Projects/dnsmasq-Android/android-ndk-r26b/
export ANDROID_NDK=$NDK_PROJECT_PATH
export NDK=$NDK_PROJECT_PATH
export PATH=$NDK/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH

Then I build it using the NDK version of make:

../android-ndk-r26b/prebuilt/linux-x86_64/bin/make clean
../android-ndk-r26b/prebuilt/linux-x86_64/bin/make ARCH=arm64-v8a

Now it compiles fine. So I copy the executable to the phone and when I run it, it gives this error:
/system/bin/sh: /data/local/tmp/dnsmasq: not executable: 64-bit ELF file

If I run file dnsmasq I get: dnsmasq: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=2957f2a589e1b2e1d7ab9c97a89c9121a6bcd5f4, for GNU/Linux 4.4.0, not stripped Which looks like the executable wasn't compiled for Android.. Which means my compilaion commands aren't correct..

Are you familiar with Android building please?

Example of config file example_config.conf:

 # listening DNS port
 port=30000
 
 # do not read /etc/resolv.conf at all
 no-resolv
 
 # do not re-read /etc/resolv.conf when file was changed by ISP
 no-poll
 
 # default upstream dns server
 server=1.1.1.1
 
 address=/:setup.[a-zA-Z]+\.apple-dns\.net.:/10.10.10.10
 
 
 log-debug
 log-queries=extra
 log-facility=/dev/stdout
 keep-in-foreground
 no-daemon

Running the dnsquery -C example_config.conf

Direct query for "setup.fe.apple-dns.net" works as expected:

username@mac:~$ dig @127.0.0.1 -p30000 -t A setup.fe.apple-dns.net. +short
10.10.10.10

However when I query "setup.icloud.com", which is a CNAME pointing to "setup.fe.apple-dns.net" it does not get processed trough address=/: ... :/ regex:

username@mac:~$ dig @127.0.0.1 -p30000 -t A setup.icloud.com +short
setup.fe.apple-dns.net.
17.248.190.138
17.248.190.206
17.248.190.112
17.248.190.68
17.248.168.72
17.248.190.71
17.248.168.68
17.248.190.104

Expected behavior would be for setup.icloud.com query to get "10.10.10.10" response, same as for setup.fe.apple-dns.net. Because setup.icloud.com is a CNAME pointing to setup.fe.apple-dns.net

From the doc:

The regex lines will generate a linkedlist to match(from top to bottom). If the domain matched both regex servers, DNS query will be forwarded the one which appears first.

Would it be possible to use that list as a failover? If the first not responds or fails, send the request to the second (or to the global server definition)?

I want to force a domain regex to an ip address, for example this

r([0-9]{1,2})[^ -].*.googlevideo.com
to
74.123.123.123, what is the writing format? I've tried several options but it doesn't work.

dnsmasq.conf snippet:

server=/:.keyword.:/1.1.1.1

dig a.keyword.com

OK

dig a.keyword.com +tcp

gets REFUSED query response.

I think I found a bug in regular expression matching:

The rule:

address=/:^[a-z]{4,4}[0-9]{2,2}$:/

Will not match abcd11.com.

Neither will:
address=/:[a-z]{4,4}[0-9]{2,2}:/
address=/:[a-z]{4,4}[0-9]{2,2}$:/

Hi,
I'm following the compile instructions exactly,
but on ./dnsmasq/src/dnsmasq --version i get :

Dnsmasq version 2.89-44-g9bbf098 Copyright (c) 2000-2023 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n regex no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect no-inotify dumpfile

the compile options contain "regex" but not "regex(+ipset,nftset)"
is this because of "no-ipset no-nftset" coming from the main repo ?

What would be the syntax in the configuration file say to match the fqdns with a structured prefix. E.g.

A123TEST.bozo.net
C999HELLO.bozo.net

server=/:[A-D][0-9][0-9][0-9].*.bozo.net:/1.2.3.4

Does not seem to match the above queries and have them sent to 1.2.3.4

I have setup a list of allowed domains which previously worked on official dnsmasq like this:
[dnsmasq.conf]
# AdGuard IPv4/IPv6 nameservers
server=140.90.14.15
server=140.90.15.16
server=2a10:50c0::bad1:ff
server=2a10:50c0::bad2:ff

[blocklist.conf]
address=/*/#
server=/*.edu/#
server=/*.io/#
server=/*.org/#

The first address line blocks everything, so each individual domain that does not end in .edu, .io or .org needs to be unblocked manually, which is how I have configured my dnsmasq blocklist as you will see below, normally it would look like this:
server=/*abc.com/#

non-regex addresses like the three server lines after the address line works fine, however, when I use the regex syntax, the hashtag symbol (#) that normally redirects to the nameservers I previously configured stops working, along with dnsmasq built-in subdomain wildcard (*) support, which would accurately unblock both abc.com and subdomains of *.abc.com, while also preventing any typos from being unblocked like aabc.com and abcabc.org, etc. According to Perl Syntax described here, the [^...] metacharacter should match anything that's NOT within the brackets, this is required so the pattern can have more specificity and thus avoid blocking the previous examples of typos, see this Squid ERE regex syntax for example:
^.*\.?[^a-zA-Z0-9](keyword1|keyword2)\.[a-zA-Z]{2,}.*$

This Squid url_regex pattern blocks every keyword that's included in the pattern, the dnsmasq-regex equivalent which uses PCRE syntax should look something like this:
server=/:.*[.]?[^\w]abc[.]:/#

However since the hashtag (#) symbol stops working properly as previously stated, I have to manually specify the nameservers I already configured which can be quite cumbersome as I have many many domains that redirects to the default nameserver:
server=/:.*[.]?[^\w]abc[.]:/1.1.1.3

This does not work as expected, removing the [^\w] from the pattern will give unintended matches like aaaaaaaaaabc.com which is why it must be there to accurately block only the specified domain, but is the closest thing to a functional pattern.

I have compiled dnsmasq-regex with the options that are enabled by default on official dnsmasq package which are:
#define HAVE_DBUS
#define HAVE_CONNTRACK
#define HAVE_IDN
#define HAVE_LIBIDN2
#define HAVE_NFTSET
#define HAVE_DNSSEC

Since without HAVE_DBUS enabled, the new compiled dnsmasq-regex completely fails to launch, the others are also there because they already come with standard dnsmasq, so just for precaution I added them back.

Last but not least, check this

Hi Team - could we broaden the REGEX support and add such for the dhcp-host= directive?

I have submitted the package to AUR (Archlinux User Repository), Archlinux users could install the package to their system easily by the package manager, using the following command:

yay -S dnsmasq-regex

Could you please add the information to README.md?

Hi... Awesome work! But I recommend to change your Makefile to this to have the full power of dnsmasq:

# turn on/off for regex or regex_ipset
- DNSMASQ_COPTS="-DHAVE_REGEX -DHAVE_REGEX_IPSET"
+ DNSMASQ_COPTS="-DHAVE_IDN -DHAVE_DNSSEC -DHAVE_LUA -DHAVE_DBUS -DHAVE_libidn2 -DHAVE_CONNTRACK -DHAVE_REGEX -DHAVE_REGEX_IPSET -DHAVE_LUASCRIPT "

.PHONY: submodule
submodule:
-        cd dnsmasq && $(MAKE) COPTS=$(DNSMASQ_COPTS)
+        cd dnsmasq && $(MAKE) all-i18n COPTS=$(DNSMASQ_COPTS)

$(BIN):$(PATCHED)
-        cd dnsmasq && $(MAKE) COPTS=$(DNSMASQ_COPTS)
+        cd dnsmasq && $(MAKE) all-i18n COPTS=$(DNSMASQ_COPTS)

Now run make and you will have almost all options compiled into dnsmasq.
Keep up this great work!!!