    Routing based on DNS

    Category: DHCP and DNS
    12 Posts, 5 Posters, 1.4k Views
    downunderm

      In my environment I route all traffic via VPN. But occasionally I need to route traffic to specific hosts (destinations) via WAN.
      For dnsmasq I used an "ipset" option like this:

      ipset=/github.com/no_vpn_destinations
      

      How can I achieve the same for Unbound?
      Thank you.

      downunderm

        Any suggestions?

        viragomann

          You can load IPs and network lists as an Alias in Firewall > Aliases > URLs.
          Then use the alias in a policy routing rule to route the traffic over a specified gateway.

          NogBadTheBad

            Ah how's that for timing, here is the IP info:-

            Github = ASN 36459

            mac-pro:~ andy$ whois -h whois.radb.net -- '-i origin 36459' | grep ^route:
            route: 185.199.108.0/22
            route: 192.30.252.0/22
            route: 140.82.112.0/20
            route: 185.199.108.0/22
            route: 185.199.108.0/23
            route: 185.199.110.0/23
            route: 185.199.108.0/24
            route: 185.199.109.0/24
            route: 185.199.110.0/24
            route: 185.199.111.0/24
            route: 192.30.252.0/22
            route: 192.30.252.0/23
            route: 192.30.252.0/24
            route: 192.30.253.0/24
            route: 192.30.254.0/24
            route: 192.30.255.0/24
            mac-pro:~ andy$

            mac-pro:~ andy$ whois -h whois.radb.net -- '-i origin 36459' | grep ^route6:
            route6: 2620:0112:3000::/48
            route6: 2620:112:3000::/44
            route6: 2a0a:a440::/29
            route6: 2a0a:a440::/29
            route6: 2620:112:3000::/44
            mac-pro:~ andy$

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            kpa

              Is there any way to automate the fetching of that list into an alias table? The IPs are unlikely to change that often with GitHub but with other sites the situation might be different.

              viragomann

                URL tables are updated once a day by cron. But shortening the update interval in cron doesn't have any effect, since the minimal file age (86400 seconds) is also hard-coded in the update script.

                kpa

                  I was more asking how I would find a suitable URL for such a list if I know the ASN. I tried to look around on the internet, but none of the tools I found output a plain text list, and pfSense's URL table seems to require a plain text flat list.

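One way to turn the RADB whois output quoted above into the plain-text flat list a pfSense URL-table alias expects (added example, not from this thread or from Netgate; the function names and the constructed sample are mine, and the sample is a subset of the routes posted above). Overlapping prefixes such as the /23 and /24 entries under 185.199.108.0/22 are folded into the widest one:

```python
import ipaddress
import re
import subprocess
from typing import List

# Constructed sample: a subset of the whois.radb.net output for
# "-i origin 36459" quoted earlier in this thread (route: and route6:).
SAMPLE_WHOIS_OUTPUT = """\
route: 185.199.108.0/22
route: 192.30.252.0/22
route: 140.82.112.0/20
route: 185.199.108.0/23
route: 185.199.110.0/23
route: 185.199.108.0/24
route: 192.30.252.0/23
route: 192.30.255.0/24
route6: 2620:0112:3000::/48
route6: 2620:112:3000::/44
route6: 2a0a:a440::/29
"""

ROUTE_RE = re.compile(r"^route6?:\s*(\S+)", re.MULTILINE)


def parse_routes(whois_text: str) -> List[str]:
    """Extract every route:/route6: prefix, drop duplicates and any
    more-specific prefix already covered by a wider one, and return a
    sorted flat list (one prefix per line when joined with newlines)."""
    nets = set()
    for match in ROUTE_RE.finditer(whois_text):
        try:
            nets.add(ipaddress.ip_network(match.group(1), strict=False))
        except ValueError:
            continue  # ignore anything that is not a valid prefix
    # collapse_addresses refuses mixed families, so handle v4 and v6 apart.
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return [str(n) for n in v4] + [str(n) for n in v6]


def fetch_routes(asn: int) -> List[str]:
    """Run the same whois query as posted in the thread (needs network)."""
    result = subprocess.run(
        ["whois", "-h", "whois.radb.net", "--", f"-i origin {asn}"],
        capture_output=True, text=True, check=True,
    )
    return parse_routes(result.stdout)


if __name__ == "__main__":
    # Publish this output over HTTP and point the URL-table alias at it.
    print("\n".join(parse_routes(SAMPLE_WHOIS_OUTPUT)))
```

Only the prefixes that the whois query returns for that ASN end up in the alias, so the list is only as accurate as the IRR data behind it.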
                  downunderm

                    @nogbadthebad said in Routing based on DNS:

                    whois -h whois.radb.net -- '-i origin 36459'

                    This is interesting.
                    Few questions:

                    1. How can I see the IPs of the "Host aliases"?
                    2. Can I add/modify/replace IPs/hosts externally?
                    NogBadTheBad

                      1. Diagnostics ->Tables -> select alias

                      2. Don't think you can, but you could import them via the web gui Firewall -> Aliases -> All scroll down to the bottom & Import.

                      As KPA mentioned, the subnets assigned to Github are unlikely to change.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      downunderm @NogBadTheBad

                        @nogbadthebad said in Routing based on DNS:

                        1. Diagnostics ->Tables -> select alias

                        2. Don't think you can, but you could import them via the web gui Firewall -> Aliases -> All scroll down to the bottom & Import.

                        As KPA mentioned, the subnets assigned to Github are unlikely to change.

                        Thank you.

                        github was just an example.

                        jrgx19 @downunderm

                          @downunderm the easiest way for this is to use pfBlockerNG and create an IP list to Alias native. Then you can use the alias created by pfBlockerNG in your rules. This way, if the IPs change, it will auto update based on the interval you set for it.

                          it can look something like this:

                          [screenshot: pfblockerng.png]

                          downunderm @jrgx19

                            @jrgx19 This looks very promising. Thank you.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.