xref: /netbsd-src/external/bsd/unbound/dist/doc/README.ipset.md (revision 01049ae6d55a7fce6c6379cd1e0c997c04dc0061)
## A module to support ipset, so that a domain's IP addresses can be added to a set easily.

### Purposes:
* In my case, I can't access Facebook, Twitter, YouTube and thousands of other web sites for some reason. A VPN is a solution, but the internet is too slow if all traffic passes through the VPN.
So I set up a transparent proxy that proxies only the traffic that has been blocked.
As the final step, I need a DNS service that works well with ipset to make the whole system work.
I did some research on this. Unfortunately, Unbound, my favorite DNS service, did not support ipset yet. So I decided to implement it myself and contribute the patch. It's good for me and for the community.
```
# unbound.conf
server:
  ...
  # every address resolved for these zones is added to the set below
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social web sites

ipset:
  name-v4: "gfwlist"
```
```
# iptables
# REDIRECT is only valid in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* This patch can also work with iptables rules to block the IPs in bulk.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social web sites

ipset:
  name-v4: "blacklist"
  name-v6: "blacklist6"
```
```
# iptables
# --match-set is the current option name (--set is the deprecated alias)
iptables -A INPUT -m set --match-set blacklist src -j DROP
ip6tables -A INPUT -m set --match-set blacklist6 src -j DROP
```

### Notes:
* To enable this module, root privileges are required.
* Please create the set with the ipset command first, e.g. **ipset -N blacklist iphash**

### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
```
# unbound.conf
server:
  ...
  local-zone: "example.com" ipset

ipset:
  name-v4: "blacklist"
```
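
As an added example (not part of Unbound or this README), here is a small pre-flight check for the Notes above: it reads the `local-zone ... ipset` entries and the `name-v4`/`name-v6` set names out of an unbound.conf and compares them with the output of `ipset list -n`, so a set that was never created is reported before unbound starts instead of failing as an add at runtime. The sample config and the `ipset list -n` output are constructed inline; `parse_unbound_conf` and `missing_sets` are names chosen for this example.

```python
"""Pre-flight check for Unbound's ipset module (added example, not Unbound's own code).

The module only adds addresses to sets that already exist, so before starting
unbound we parse the config for the sets it will write to and compare them
with the names the kernel knows about.  `ipset list -n` prints one set name
per line; its output is passed in as a string so the check runs without root."""
import re

# Constructed sample config, mirroring the README's blacklist example.
SAMPLE_CONF = """\
server:
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "example.org" static

ipset:
  name-v4: "blacklist"
  name-v6: "blacklist6"
"""

# Constructed stand-in for the output of `ipset list -n` (one name per line).
SAMPLE_IPSET_LIST = "blacklist\nsomeotherset\n"

ZONE_RE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+ipset\s*$', re.M)
NAME_RE = re.compile(r'^\s*(name-v[46]):\s*"?([^"\s]+)"?\s*$', re.M)


def parse_unbound_conf(text):
    """Return (zones of type ipset, {name-v4/name-v6: set name}) from unbound.conf text."""
    zones = ZONE_RE.findall(text)
    names = dict(NAME_RE.findall(text))
    return zones, names


def missing_sets(conf_text, ipset_list_output):
    """Set names configured in the ipset: section that the kernel does not have."""
    _, names = parse_unbound_conf(conf_text)
    existing = {line.strip() for line in ipset_list_output.splitlines() if line.strip()}
    return sorted(n for n in names.values() if n not in existing)


if __name__ == "__main__":
    zones, names = parse_unbound_conf(SAMPLE_CONF)
    print("zones feeding ipset:", zones)
    print("configured sets:", names)
    for name in missing_sets(SAMPLE_CONF, SAMPLE_IPSET_LIST):
        # suggest the modern `ipset create` form; the README's `ipset -N name iphash` is the older spelling
        fam = "inet6" if name == names.get("name-v6") else "inet"
        print(f"missing set {name}: run 'ipset create {name} hash:ip family {fam}' first")
```

In production, feed the real files in with `open("/etc/unbound/unbound.conf").read()` and `subprocess.run(["ipset", "list", "-n"], capture_output=True, text=True).stdout`.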