xref: /openbsd-src/usr.sbin/unbound/doc/README.ipset.md (revision c981f76ffed932cceb8055da64799bdb3a89e959)
## A module that lets Unbound add the IP addresses of resolved domains to an ipset set

### Purposes:
* In my case I cannot reach Facebook, Twitter, YouTube and thousands of other web sites for some reason. A VPN is one solution, but the internet becomes too slow if all traffic has to pass through the VPN.
So I set up a transparent proxy that proxies only the traffic that is blocked.
The last piece is a DNS service that works well with ipset, so that the whole system can go live.
I did some research on this. Unfortunately Unbound, my favorite DNS service, did not support ipset yet, so I decided to implement it myself and contribute the patch. That is good for me and for the community.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social web sites

ipset:
  name-v4: "gfwlist"
```
```
# iptables (REDIRECT is only valid in the nat table)
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* This patch can also be combined with iptables rules to block a whole batch of IPs at once.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social web sites

ipset:
  name-v4: "blacklist"
  name-v6: "blacklist6"
```
```
# iptables (--match-set; the older --set spelling is deprecated)
iptables -A INPUT -m set --match-set blacklist src -j DROP
ip6tables -A INPUT -m set --match-set blacklist6 src -j DROP
```

### Notes:
* Root privileges are required to run this module (it writes to the kernel's ipset tables).
* Create the sets with the ipset command before starting Unbound, e.g. **ipset -N blacklist iphash** (the same as **ipset create blacklist hash:ip**). The set named by name-v6 must be created as an IPv6 set, e.g. **ipset create blacklist6 hash:ip family inet6**.

### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
```
# unbound.conf
server:
  ...
  local-zone: "example.com" ipset

ipset:
  name-v4: "blacklist"
```
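
The Notes and Configuration sections above leave creating the sets, the IPv6 set and the firewall rules as separate hand-typed steps, and a real deployment has hundreds of `local-zone` lines rather than three. The POSIX shell script below is an added example, not part of Unbound or of this README: it normalizes a plain domain list (comments, case, trailing dots, duplicates, malformed entries), emits one `local-zone: ... ipset` line per domain together with the `ipset:` clause, and prints (does not run) the matching `ipset` and `iptables`/`ip6tables` commands. The set names `blacklist`/`blacklist6` and the INPUT rules are the README's; the `module-config` line (the module must be listed there to be loaded; check unbound.conf(5) for your version and drop `validator` if you do not validate DNSSEC), the FORWARD rules, the `DOMAINS_FILE` variable and the sample domain list are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of Unbound or this README: build the Unbound
# ipset stanza and the matching ipset/iptables setup from a domain list.
# Set names follow the README; module-config, the FORWARD rules,
# DOMAINS_FILE and the sample list are this example's own assumptions.

# Normalize a domain list read from stdin: strip comments and whitespace,
# drop blank lines, lowercase, remove a trailing dot, reject entries that
# are not plain host names, and de-duplicate. One domain per output line.
normalize_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/\.$//' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$' \
    | sort -u
}

# Emit the unbound.conf fragment for the domains on stdin.
# $1 = IPv4 set name, $2 = IPv6 set name (the sets Unbound will fill).
gen_unbound_conf() {
    printf 'server:\n'
    # Assumption: the module is only active when listed in module-config.
    printf '  module-config: "ipset validator iterator"\n'
    while IFS= read -r d; do
        printf '  local-zone: "%s" ipset\n' "$d"
    done
    printf '\nipset:\n  name-v4: "%s"\n  name-v6: "%s"\n' "$1" "$2"
}

# Emit (do not run) the root-only commands that create the sets and the
# firewall rules. The sets must exist before Unbound starts, the IPv6 set
# needs "family inet6", and -exist keeps re-runs idempotent.
# INPUT/src rules are the README's; FORWARD/dst additionally stops clients
# behind a gateway from reaching the collected addresses.
gen_firewall_cmds() {
    cat <<EOF
ipset -exist create $1 hash:ip
ipset -exist create $2 hash:ip family inet6
iptables -A INPUT -m set --match-set $1 src -j DROP
iptables -A FORWARD -m set --match-set $1 dst -j DROP
ip6tables -A INPUT -m set --match-set $2 src -j DROP
ip6tables -A FORWARD -m set --match-set $2 dst -j DROP
EOF
}

# Constructed sample input (illustration only): mixed case, a trailing
# dot, an inline comment, a duplicate and a malformed entry.
SAMPLE_DOMAINS='Facebook.com.
twitter.com   # keep the comment out of the config
instagram.com
facebook.com
not a domain'

# Usage: DOMAINS_FILE=domains.txt sh gen_unbound_ipset.sh > unbound-ipset.conf
# Without DOMAINS_FILE the constructed sample list is used.
main() {
    if [ -n "${DOMAINS_FILE:-}" ]; then
        cat "$DOMAINS_FILE"
    else
        printf '%s\n' "$SAMPLE_DOMAINS"
    fi | normalize_domains | gen_unbound_conf blacklist blacklist6
    printf '\n# Firewall setup, to be reviewed and run as root:\n'
    gen_firewall_cmds blacklist blacklist6 | sed 's/^/# /'
}

main
```

The generated fragment can be placed next to unbound.conf and pulled in with `include:`; the firewall commands are printed commented out so the file stays a valid Unbound config and the rules are applied deliberately, as root, after review.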