Hooks on DNS resolution

[rande]

I would like to add a way to add iptables rules based on DNS query. This can be usefull if the DNS server is on the gateway with different outbound interfaces.

This can be done by calling an external program when the resolution is done (can be called once before the cache is set). It will required to have a script to be called on start, so it will be possible to clean the state (iptables).

[looterz]

I think for ease of use and security, webhooks would be a good solution for something like this, and would allow for users to respond to grimd events locally or remotely without much hassle.

You could create a small web-server with your iptables altering application and point grimd at it, and it would send data to specified endpoints on dns events. Would this work for what you need?

[elico]

@looterz @rande it would be better to use ipset compared to raw iptables.
A small webserver is nice but it's much simpler to define in config file the

• iptset command location
• ipset ip-hash name
• execute it using a go routine or not

@rande now after reading the issue more then 5 time I am thinking that maybe I didn't understood the idea.

[ryancdotorg]

Just wanted to reference the ipset-dns tool here: https://git.zx2c4.com/ipset-dns/about/ - the code shows how to do this without having to call an external program. It's extremely useful for deny-by-default egress filtering, and selective use of VPN.

Note that it's been integrated into dnsmasq now - I'm using that to do the firewall stuff with grimd to do filtering.