forked from NLnetLabs/unbound
Commit
Merge remote-tracking branch 'nlnet/master'
* nlnet/master: (22 commits)
  - Nicer spelling and layout.
  - For NLnetLabs#45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements.
  - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
  - Fix python dict reference and double free in config.
  - Merge PR NLnetLabs#6: Python module: support multiple instances
  - Merge PR NLnetLabs#5: Python module: define constant MODULE_RESTART_NEXT
  - Merge PR NLnetLabs#4: Python module: assign something useful to the per-query data store 'qdata' Noted in Changelog.
  - Added documentation to the ipset files (for doxygen output).
  - make depend
  - Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output.
  - PR NLnetLabs#28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
  - Fix to omit RRSIGs from addition to the ipset.
  - Fix for NLnetLabs#24: Fix abort due to scan of auth zone masters using old address from previous scan.
  - Fix NLnetLabs#39: In libunbound, leftover logfile is close()d unpredictably.
  - Master contains version 1.9.3 in development.
  fix segmentation fault rollback the code bugfix performance improvement edit config parser to support ipset
  Add support for ipset
  Document how to configure multiple python modules
  Support multiple python module instances
  ...
Showing 25 changed files with 4,528 additions and 3,498 deletions.
@@ -0,0 +1,65 @@ | ||
## Created a module to support the ipset that could add the domain's ip to a list easily. | ||
|
||
### Purposes: | ||
* In my case, I can't access the facebook, twitter, youtube and thousands web site for some reason. VPN is a solution. But the internet too slow whether all traffics pass through the vpn. | ||
So, I set up a transparent proxy to proxy the traffic which has been blocked only. | ||
At the final step, I need to install a dns service which would work with ipset well to launch the system. | ||
I did some research for this. Unfortunately, Unbound, My favorite dns service doesn't support ipset yet. So, I decided to implement it by my self and contribute the patch. It's good for me and the community. | ||
``` | ||
# unbound.conf | ||
server: | ||
... | ||
local-zone: "facebook.com" ipset | ||
local-zone: "twitter.com" ipset | ||
local-zone: "instagram.com" ipset | ||
more social website | ||
ipset: | ||
name-v4: "gfwlist" | ||
``` | ||
``` | ||
# iptables | ||
iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800 | ||
iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800 | ||
``` | ||
|
||
* This patch could work with iptables rules to batch block the IPs. | ||
``` | ||
# unbound.conf | ||
server: | ||
... | ||
local-zone: "facebook.com" ipset | ||
local-zone: "twitter.com" ipset | ||
local-zone: "instagram.com" ipset | ||
more social website | ||
ipset: | ||
name-v4: "blacklist" | ||
name-v6: "blacklist6" | ||
``` | ||
``` | ||
# iptables | ||
iptables -A INPUT -m set --set blacklist src -j DROP | ||
ip6tables -A INPUT -m set --set blacklist6 src -j DROP | ||
``` | ||
|
||
### Notes: | ||
* To enable this module the root privileges is required. | ||
* Please create a set with ipset command first. eg. **ipset -N blacklist iphash** | ||
|
||
### How to use: | ||
``` | ||
./configure --enable-ipset | ||
make && make install | ||
``` | ||
|
||
### Configuration: | ||
``` | ||
# unbound.conf | ||
server: | ||
... | ||
local-zone: "example.com" ipset | ||
ipset: | ||
name-v4: "blacklist" | ||
``` |
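Review bot: the Notes section states that root privileges are required but does not say how that interacts with unbound's own `username:` and `chroot:` settings, which drop privileges after startup in a normal deployment; since entries are added to the set while queries are being answered, the README should state whether the ipset socket is opened before the privilege drop or whether those settings have to be changed, as this decides how much of the daemon keeps running as root. Two smaller points in the same file: the second iptables example uses the deprecated `-m set --set blacklist src` form while the first uses `--match-set`, so use `--match-set` in both; and the `ipset -N blacklist iphash` example is the old ipset syntax and only creates the IPv4 set, so show the current form next to the `name-v6:` option, e.g. `ipset create blacklist hash:ip` and `ipset create blacklist6 hash:ip family inet6`. The placeholder line `more social website` inside the config blocks would be clearer as a comment (`# more social websites`) so the snippet is valid when pasted into unbound.conf.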