Routing based on DNS



  • In my environment I route all traffic via VPN. But occasionally I need to route traffic to specific hosts (destinations) via WAN.
    For dnsmasq I used an "ipset" option like this:

    ipset=/github.com/no_vpn_destinations
    

    How can I achieve the same for Unbound?
    Thank you.



  • Any suggestions?



  • You can load IPs and network lists as an Alias in Firewall > Aliases > URLs.
    Then use the alias in a policy routing rule to route the traffic over a specified gateway.


  •

    Ah how's that for timing, here is the IP info:-

    Github = ASN 36459

    mac-pro:~ andy$ whois -h whois.radb.net -- '-i origin 36459' | grep ^route:
    route: 185.199.108.0/22
    route: 192.30.252.0/22
    route: 140.82.112.0/20
    route: 185.199.108.0/22
    route: 185.199.108.0/23
    route: 185.199.110.0/23
    route: 185.199.108.0/24
    route: 185.199.109.0/24
    route: 185.199.110.0/24
    route: 185.199.111.0/24
    route: 192.30.252.0/22
    route: 192.30.252.0/23
    route: 192.30.252.0/24
    route: 192.30.253.0/24
    route: 192.30.254.0/24
    route: 192.30.255.0/24
    mac-pro:~ andy$

    mac-pro:~ andy$ whois -h whois.radb.net -- '-i origin 36459' | grep ^route6:
    route6: 2620:0112:3000::/48
    route6: 2620:112:3000::/44
    route6: 2a0a:a440::/29
    route6: 2a0a:a440::/29
    route6: 2620:112:3000::/44
    mac-pro:~ andy$



  • Is there any way to automate the fetching of that list into an alias table? The IPs are unlikely to change that often with GitHub but with other sites the situation might be different.



  • URL tables are updated once a day by cron. But shortening the update interval in cron doesn't have any effect, since the minimal file age (86400 seconds) is also hard-coded in the update script.



  • I was more asking how I find a suitable URL for such a list if I know the ASN. I tried to look around on the internet but none of the tools I found output a plain text list, and pfSense's URL table seems to require a plain text flat list.
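An added example, not code from any poster in this thread: a small Python script that turns the RADB whois output quoted above into the flat, one-prefix-per-line list a pfSense URL table alias expects, deduplicating the repeated routes and folding the more-specific prefixes into the covering ones. The SAMPLE_WHOIS text is constructed from the route lines quoted earlier; in practice you would feed it the output of the whois command shown above.

```python
import ipaddress

# Constructed sample: route/route6 lines as printed by
# whois -h whois.radb.net -- '-i origin 36459' (quoted earlier in the thread),
# including the duplicates and overlapping more-specifics seen there.
SAMPLE_WHOIS = """\
route: 185.199.108.0/22
route: 192.30.252.0/22
route: 140.82.112.0/20
route: 185.199.108.0/23
route: 185.199.110.0/23
route: 185.199.108.0/24
route: 192.30.252.0/23
route: 192.30.255.0/24
route6: 2620:0112:3000::/48
route6: 2620:112:3000::/44
route6: 2a0a:a440::/29
route6: 2a0a:a440::/29
"""


def parse_routes(whois_text):
    """Return (ipv4_networks, ipv6_networks) from RADB route/route6 lines.

    Duplicates are dropped and prefixes covered by a larger prefix are folded
    into it, so the resulting table is minimal and free of overlaps."""
    v4, v6 = set(), set()
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key not in ("route", "route6") or not value:
            continue
        try:
            net = ipaddress.ip_network(value, strict=True)
        except ValueError:
            continue  # skip malformed entries instead of poisoning the table
        (v4 if net.version == 4 else v6).add(net)
    # collapse_addresses only accepts one address family at a time
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def url_table_lines(whois_text):
    """Flat text lines (one prefix each) suitable for a URL table alias."""
    v4, v6 = parse_routes(whois_text)
    return [str(n) for n in v4 + v6]


if __name__ == "__main__":
    # Redirect this output to a file served over HTTP for the alias URL.
    print("\n".join(url_table_lines(SAMPLE_WHOIS)))
```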



  • @nogbadthebad said in Routing based on DNS:

    whois -h whois.radb.net -- '-i origin 36459'

    This is interesting.
    Few questions:

    1. How can I see the IPs of the "Host aliases"?
    2. Can I add/modify/replace IPs/hosts externally?

  •

    1. Diagnostics ->Tables -> select alias

    2. Don't think you can, but you could import them via the web gui Firewall -> Aliases -> All scroll down to the bottom & Import.

    As KPA mentioned, the subnets assigned to GitHub are unlikely to change.



  • @nogbadthebad said in Routing based on DNS:

    1. Diagnostics ->Tables -> select alias

    2. Don't think you can, but you could import them via the web gui Firewall -> Aliases -> All scroll down to the bottom & Import.

    As KPA mentioned, the subnets assigned to GitHub are unlikely to change.

    Thank you.

    GitHub was just an example.



  • @downunderm the easiest way for this is to use pfBlockerNG and create an IP list to Alias native. Then you can use the alias created by pfBlockerNG in your rules. This way, if the IPs change, it will auto-update based on the interval you set for it.

    it can look something like this:

    [screenshot: pfblockerng.png]



  • @jrgx19 This looks very promising. Thank you.