ipset-dns is a lightweight DNS forwarding server that adds all resolved IPs to a given netfilter ipset. It is designed to be used in conjunction with dnsmasq's upstream server directive.

Practical use cases include routing over a given gateway traffic for particular web services or webpages that do not have a priori predictable IP addresses and instead rely on dizzying arrays of DNS resolutions.

This functionality has now been written directly into dnsmasq, which should be much easier to use than this project. See the --ipset option.

Some ISPs throttle connections to services like YouTube. Other times, you live places where there's no Netflix/Pandora/Hulu, but you've got a VPN.

The problem is, you don't want to route all your internet traffic over VPN -- just for YouTube and Pandora, say. It'd be nice to just whitelist a static IP range, but some services, like YouTube, have a thousands of caching servers in a modicum of IP ranges, and it's just too much of a hassle to compile the list beforehand.

So instead, you put ipset-dns on your router, and then everyone and every XBox/PS3/whatever on your wifi network will benefit from the superior bandwidth and/or geo-availability.

# ipset-dns name-of-v4-ipset name-of-v6-ipset [binding-address:]listening-port upstream-dns-server[:upstream-dns-server-port]

ipset-dns binds only to localhost. It will daemonize unless the NO_DAEMONIZE environment variable is set. If either name-of-v4-ipset or name-of-v6-ipset are empty strings, then the ipset for the respective address family will not be utilized.

Linux >= 2.6.32:

$ make

Linux >= 2.6.16 or >= 2.4.36:

$ make OLD_IPSET=1

In dnsmasq.conf:

server=/c.youtube.com/127.0.0.1#1919

Make an ipset:

# ipset -N youtube iphash

Start the ipset-dns server:

# ipset-dns youtube [127.0.0.1:]1919 8.8.8.8[:53]

Query a hostname:

# host r4---bru02t12.c.youtube.com
r4---bru02t12.c.youtube.com is an alias for r4.bru02t12.c.youtube.com.
r4.bru02t12.c.youtube.com has address 74.125.216.51

Observe that it was added to the ipset:

# ipset -L youtube
Name: youtube
Type: iphash
References: 1
Header: hashsize: 1024 probes: 8 resize: 50
Members:
74.125.216.51

The following script routes youtube and netflix over two different repective gateways. It assumes you're using dnsmasq or similar to manage caching and selectively using upstream servers:

server=/c.youtube.com/127.0.0.1#39128
server=/netflix.com/127.0.0.1#39129

The network interfaces tun11 and tun12 are assumed to be OpenVPN tunnels, though they may be any other kind of interface with a route. These devices are assumed to have some form of masquerading and IP forwarding turned on already.

The mangle iptables table is used to set a firewall mark on packets that match an ipset tended to by ipset-dns. A routing table is created and a rule is entered that sends packets marked by iptables to the correct routing table. Finally, a default route is given to the marked routing table.

Two ipset-dns daemons are started, one for each of the routes, using the ports given by dnsmasq. Lastly, SIGHUP is sent to dnsmasq to flush its cache.

sets() {
	iptables -t mangle -D PREROUTING -m set --set "$1" dst,src -j MARK --set-mark "$2" 2>/dev/null
	ipset -X "$1" 2>/dev/null
	ipset -N "$1" iphash
	iptables -t mangle -A PREROUTING -m set --set "$1" dst,src -j MARK --set-mark "$2"
}

sets youtube 1
sets netflix 2

routes() {
	echo 0 > /proc/sys/net/ipv4/conf/$2/rp_filter
	ip route flush table $1 2>/dev/null
	ip rule del table $1 2>/dev/null
	ip rule add fwmark $1 table $1 priority 1000
	ip route add default via "$(ip route show dev $2 | head -n 1 | cut -d ' ' -f 1)" table $1
}

routes 1 tun12
routes 2 tun11

killall ipset-dns 2>/dev/null
ipset-dns youtube [127.0.0.1:]39128 8.8.8.8[:53]
ipset-dns netflix [127.0.0.1:]39129 8.8.8.8[:53]

killall -SIGHUP dnsmasq

• Copyright (C) 2013, 2017 Jason A. Donenfeld [email protected]. All Rights Reserved.

DNS parsing code loosely based on uClibc's resolv.c:

• Copyright (C) 1998 Kenneth Albanowski [email protected], The Silver Hammer Group, Ltd.
• Copyright (C) 1985, 1993 The Regents of the University of California. All Rights Reserved.

This project is licensed under the GPLv2. Please see COPYING for more information.