How do I add hundreds of domain overrides

[Kiwifruta]

Hi.
I'm new to OPNsense, having moved from OpenWRT and Ubiquiti.

I have a list of several hundred domains that need to use custom DNS, i.e. not those configured under the System - Settings - General.

With OpenWRT and Ubiquiti I ran a script that downloaded the list of domain overrides (e.g. server=/tvnz.co.nz/8.8.8. and populated a configuration file read by dnsmasq. Can I do something similar in OPNsense?

DDGing for information about configuring OPNsense by CLI/Shell has been fruitless, so I'm wondering if the only way to configure OPNsense is via the GUI. I found the /conf/config.xml file. Is this the file to edit the configuration via the shell?
Will putting dnsmasq configuration files in /etc/dnsmasq.d dnd edit /usr/loca/etc/dnsmasq.conf to point to that directory work, or will it get overriden by /conf/config.xml?

I'd prefer not to enter hundreds of domain overrides by hand in to Services-Dnsmasq DNS-Settings-Domain Overrides, as it'll take a long time plus it's also subject to change. With the other firmware I ran the script on a cron job to provide updates.


Thanks

[siga75]

best way is probably using API, I did something for nginx, probably something similar is available for dnsmasq

root@myfw:~ # cat nginx-ban-purge
#!/bin/sh
key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
sed -n -e '/<Nginx/,/<\/Nginx>/p' /conf/config.xml | sed -n -e '/<ban uuid/,/<\/ban>/p' | awk -F'\"|<|>' -v TSTAMP=`date +%s` '/ban uuid/ {uuid=$3; getline; getline; if($3<TSTAMP-90*24*60*60) print uuid }' | while read UUID ; do curl --ssl --insecure -X POST --data "{}" -H "Content-Type: application/json" --user "$key":"$secret" https://127.0.0.1:8443/api/nginx/bans/delban/$UUID ; done

[Kiwifruta]

Thank you.
Unfortunately there isn't an API for dnsmasq, although there is for Unbound.

I have lots of CNAME entries (to map google domains to forcesafesearch.google.com) so need dnsmasq for this.

So it looks like I'd need to run dnsmasq and unbound together.
Dnsmasq to doing the CNAME records, and Unbound for external address.

Thanks for your direction.

[mimugmail]

Just edit config.xml by hand

[stefanpf]

You could simply add this Server entries
into the advanced Options field or add an extra config File e.g. with

Code: [Select]

conf-file=/usr/local/etc/dnsstuff.conf


[Kiwifruta]

Thanks for your replies @mimugmail and @stefanpf.
mimugmail, I have hundreds to do and these could change slightly at any time, and so an automatic process is much more preferable. This is a home set up.

stefanpf, I tried several times to add conf-file=/usr/local/etc/myfile.conf to the advanced options field but without success. This by far my preferred way to do it.

[Kiwifruta]

What is the syntax to edit config.xml by hand to set under dnsmasq conf-dir=/etc/dnsmasq.d?

[mimugmail]

Just add one override, grep the xml container in config.xml and add as many as you like in similar syntax

[Kiwifruta]

Just add one override, grep the xml container in config.xml and add as many as you like in similar syntax

Okay, I’ll give that a shot.


Sent from my iPhone using Tapatalk

[Kiwifruta]

[UPDATE - below did NOT work]

Found the solution
1) put an additional hosts/dnsmasq file at /etc/hosts.additional

2) In /conf/config.xml, under <dnsmasq> enter this line
<hostsdir>/etc/hosts.additional</hostsdir>

3) restart dnsmasq

[Kiwifruta]

In the end instead of using domain overrides I used a custom hosts file which I was appended to /etc/hosts

first create a back up of /etc/hosts
touch /etc/hosts.bak
cp /etc/hosts /etc/hosts.bak

then insert the current hosts file to the hosts file
cat /etc/hosts.custom >> /etc/hosts

It doesn't survive firmware upgrades, but it does survive dnsmaq restarts.

Now I need to figure out how to run the automatic checking for updates to the custom hosts file.

[franco]

Didn't Dnsmasq support multiple host files via command line arguments? You can use the advanced configuration field to configure it...


Cheers,
Franco

[Kiwifruta]

Franco, yes you are right, and that does work, thank you.

The GUI says the advanced field is about to be deprecated, so I’m looking for a method that won’t disappear when the firmware is upgraded.


Sent from my iPhone using Tapatalk

[franco]

It's deprecated for security reasons and thus only accessible for administrators, but a (safer) replacement has not yet been decided on.

Usually we favour file-based approaches to plugin-capable core capabilities which require shell access (which should only be given to administrators) or a properly built OPNsense plugin. These file-based solutions will the be picked up by the system without further GUI interaction.


Cheers,
Franco

[Kiwifruta]

You could simply add this Server entries
into the advanced Options field or add an extra config File e.g. with

Code: [Select]

conf-file=/usr/local/etc/dnsstuff.conf


I followed your approach but set up a directory and put it in /etc, so
conf-dir=/etc/dnsmasq.d
It worked perfectly, thanks.