I was testing out dnsmasq firewall aliases, specifically attempting to block YouTube. I set up dnsmasq as the primary DNS with Unbound as the forwarder on port 53053.
(https://i.imgur.com/frwMBrB.png)
(https://i.imgur.com/E5O24CG.png)
I am not sure whether I need "query servers sequentially" or not; the documentation is unclear.
Then I attempt to access YouTube.
curl https://youtube.com
Watching the firewall alias, I see it updated.
(https://i.imgur.com/f4zYjHf.png)
But the original curl request works. If I then try to access it again, it's blocked. It seems like dnsmasq does not update the firewall alias synchronously, so the client is able to see the DNS resolution before the alias is updated and retrieve the web page. Is this a bug, or intended behavior?
There is a short delay that can let the first request through (the request is faster than PF reloading the new table entry).
The same happens with allowing: there is also a delay, so the first request could fail, but browsers retry rather quickly.
It's not really a bug per se, just application interoperation (they don't know about each other, so why should one of them wait?).
It's not perfect, but it does its job for specific requirements (e.g. allowing only Windows Update domains via wildcards).
Yeah, it's unfortunate; you can't really use it for firewall blocking of domains. For domains like TikTok and YouTube, which have many IPs, you can actually access the site multiple times until you go through all the DNS round-robin IPs before it will block reliably.
OK, well, thanks for the confirmation. I can at least stop testing this setup :)
For real waiting, this would need a divert socket, but there is none for dnsmasq. Suricata has it though (divert-to); maybe you can use that for SNI-based blocking in a firewall rule instead.
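A small model of the race discussed in this thread, added here as an illustration and not part of the thread, dnsmasq or the firewall: the resolver hands out round-robin answers immediately, while the PF table learns each address only after a delay. The addresses, delay and timings are constructed values, not measurements, and the model shows why the number of requests that slip through a block list (or fail against an allow list) tracks the number of distinct round-robin addresses.

```python
from dataclasses import dataclass, field


@dataclass
class AliasRace:
    """Resolver answers at once; PF learns each answered IP alias_delay seconds later."""
    pool: list                      # constructed round-robin answers for one hostname
    alias_delay: float              # seconds until a resolved IP lands in the PF table
    mode: str = "block"             # "block": alias is a deny list; "allow": alias is an allow list
    table: set = field(default_factory=set)
    pending: list = field(default_factory=list)   # (time_ready, ip) not yet in the table
    cursor: int = 0

    def resolve(self, now):
        """Client asks the resolver: the answer is returned now, the alias update is only queued."""
        ip = self.pool[self.cursor % len(self.pool)]
        self.cursor += 1
        self.pending.append((now + self.alias_delay, ip))
        return ip

    def _apply_pending(self, now):
        # Table entries whose reload time has passed become visible to PF.
        self.table.update(ip for t, ip in self.pending if t <= now)
        self.pending = [(t, ip) for t, ip in self.pending if t > now]

    def connect(self, now, ip):
        """PF decision at connect time: True if the connection passes the rule set."""
        self._apply_pending(now)
        in_table = ip in self.table
        return in_table if self.mode == "allow" else not in_table


def run(pool, alias_delay, connect_latency, gap, attempts, mode="block"):
    """One client doing `attempts` resolve-then-connect cycles, `gap` seconds apart.

    Returns one bool per attempt: did the connection pass the firewall?
    """
    sim = AliasRace(pool, alias_delay, mode)
    passed = []
    now = 0.0
    for _ in range(attempts):
        ip = sim.resolve(now)
        passed.append(sim.connect(now + connect_latency, ip))
        now += gap
    return passed


if __name__ == "__main__":
    POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]   # constructed TEST-NET-1 addresses
    print("block list:", run(POOL, 0.5, 0.05, 2.0, 6))               # first 3 leak, then blocked
    print("allow list:", run(POOL, 0.5, 0.05, 2.0, 6, mode="allow"))  # first 3 fail, then allowed
```

With alias_delay set to 0 (a synchronous update, which dnsmasq does not do) every attempt is blocked from the first request on.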