![]() ![]() are added to /var/log/pihole.log if you do it properly. You can see what happens as lines like ipset add. To add the IPs of all queries to the pihole ipset. The dnsmasq man page wrongly suggests that you need a domain for this to work but maybe this is only a Pi-hole enhancement. It is very performant and a lot better than what other popular script like fail2ban are doing with adding thousands of individual rules to the firewall. I am using ipset with Pi-hole for a long time. Since an nftset can hold only IPv4 or IPv6 addresses, this avoids errors being logged for addresses of the wrong type.įor nftset, the same restrictions as for conntrack apply (you have to compile FTL from source). If the spec starts with 4# or 6# then only A or AAAA records respectively are added to the set. The family, table and set are passed directly to the nft. Similar to the -ipset option, but accepts one or more nftables ( ipset is a companion application for the iptables Linux firewall)įurthermore, FTL also contains support for the newer nftables: Domains and subdomains are matched in the same way as -address. If multiple setnames are given, then the addresses are placed in each of them, subject to the limitations of an IP set (IPv4 addresses cannot be stored in an IPv6 IP set and vice versa). Places the resolved IP addresses of queries for one or more domains in the specified Netfilter IP set. This means you will have to compile FTL from source which is, however, an easy task as you can just follow our step-by-step guide. ![]() Dnsmasq must have conntrack support compiled in and the kernel must have conntrack support included and configured.Īs this feature requires kernel support, we do not include it in the pre-compiled FTL binaries. This allows traffic generated by dnsmasq to be associated with the queries which cause it, useful for bandwidth accounting and firewalling. Read the Linux connection track mark associated with incoming DNS queries and set the same mark value on upstream traffic used to answer those queries. This is already possible, you may want to check it the following options: I will be glad for any inputs, comments, idea extensions. Packages/README.md at ae7f62d637d86b8fe6ae03cdce948ab2d25ff19b īy this feature, there will be another layer of the security. In case the malicious site does have registered dns domain, than it will be very likely filtered by pi-hole adlists or for example openwrt BanIP, which blocks a lot of IP subnets based IP sets which are updated daily. ![]() It is unlikely that bogus/malicious services on the internet are having dns registered domain. This prevents malicious code to contact Command and Control servers. any software with hard coded IPs would not be able to access the remote server via IP only.If any site would be accessed directly by IP, without resolving the name, it would be blocked. It would be nice, if pi-hole could interact with iptables firewall and create allow rule for destination (dns resolved IP) and source (client IP who requested it).Īny client in the network could then access the site only when it was resolved by the pi-hole. I am thinking about the feature which could improve security in the network. ![]()
0 Comments
Leave a Reply. |