How do I add hundreds of domain overrides

Started by Kiwifruta, February 27, 2020, 11:29:03 AM

Hi.
I'm new to OPNsense, having moved from OpenWRT and Ubiquiti.

I have a list of several hundred domains that need to use custom DNS, i.e. not those configured under the System - Settings - General.

With OpenWRT and Ubiquiti I ran a script that downloaded the list of domain overrides (e.g. server=/tvnz.co.nz/8.8.8.8) and populated a configuration file read by dnsmasq. Can I do something similar in OPNsense?

DDGing for information about configuring OPNsense by CLI/Shell has been fruitless, so I'm wondering if the only way to configure OPNsense is via the GUI. I found the /conf/config.xml file. Is this the file to edit the configuration via the shell?
Will putting dnsmasq configuration files in /etc/dnsmasq.d and editing /usr/local/etc/dnsmasq.conf to point to that directory work, or will it get overridden by /conf/config.xml?

I'd prefer not to enter hundreds of domain overrides by hand into Services-Dnsmasq DNS-Settings-Domain Overrides, as it'll take a long time plus it's also subject to change. With the other firmware I ran the script on a cron job to provide updates.


Thanks


The best way is probably using the API. I did something for nginx; probably something similar is available for dnsmasq.

root@myfw:~ # cat nginx-ban-purge
#!/bin/sh
# Delete nginx bans older than 90 days via the local OPNsense API (self-signed cert, hence --insecure).
key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
secret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Extract the <ban> entries from config.xml; the timestamp sits two lines after the uuid line.
sed -n -e '/<Nginx/,/<\/Nginx>/p' /conf/config.xml | sed -n -e '/<ban uuid/,/<\/ban>/p' \
  | awk -F'"|<|>' -v TSTAMP="$(date +%s)" '/ban uuid/ {uuid=$3; getline; getline; if ($3 < TSTAMP-90*24*60*60) print uuid}' \
  | while read -r UUID; do
      curl --insecure -X POST --data "{}" -H "Content-Type: application/json" --user "$key:$secret" "https://127.0.0.1:8443/api/nginx/bans/delban/$UUID"
    done
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet

Thank you.
Unfortunately there isn't an API for dnsmasq, although there is for Unbound.

I have lots of CNAME entries (to map google domains to forcesafesearch.google.com) so need dnsmasq for this.

So it looks like I'd need to run dnsmasq and unbound together.
Dnsmasq for the CNAME records, and Unbound for external addresses.

Thanks for your direction.


February 27, 2020, 08:56:33 PM #4 Last Edit: February 27, 2020, 09:00:47 PM by stefanpf
You could simply add these server entries
into the advanced options field, or add an extra config file, e.g. with
conf-file=/usr/local/etc/dnsstuff.conf

Thanks for your replies @mimugmail and @stefanpf.
mimugmail, I have hundreds to do and these could change slightly at any time, so an automatic process is much preferable. This is a home setup.

stefanpf, I tried several times to add conf-file=/usr/local/etc/myfile.conf to the advanced options field but without success. This is by far my preferred way to do it.



March 02, 2020, 10:41:11 AM #6 Last Edit: March 02, 2020, 10:56:28 AM by Kiwifruta
What is the syntax to edit config.xml by hand to set under dnsmasq conf-dir=/etc/dnsmasq.d?

Just add one override, grep the xml container in config.xml and add as many as you like in similar syntax

Quote from: mimugmail on March 02, 2020, 11:14:36 AM
Just add one override, grep the xml container in config.xml and add as many as you like in similar syntax
Okay, I'll give that a shot.



March 08, 2020, 03:53:45 AM #9 Last Edit: March 08, 2020, 04:21:56 AM by Kiwifruta
[UPDATE - below did NOT work]

Found the solution
1) put an additional hosts/dnsmasq file at /etc/hosts.additional

2) In /conf/config.xml, under <dnsmasq> enter this line
<hostsdir>/etc/hosts.additional</hostsdir>

3) restart dnsmasq

In the end, instead of using domain overrides I used a custom hosts file which I appended to /etc/hosts.

first create a back up of /etc/hosts
touch /etc/hosts.bak
cp /etc/hosts /etc/hosts.bak

then append the custom hosts file to the hosts file
cat /etc/hosts.custom >> /etc/hosts

It doesn't survive firmware upgrades, but it does survive dnsmasq restarts.

Now I need to figure out how to run the automatic checking for updates to the custom hosts file.


Didn't Dnsmasq support multiple host files via command line arguments? You can use the advanced configuration field to configure it...


Cheers,
Franco

Franco, yes you are right, and that does work, thank you.

The GUI says the advanced field is about to be deprecated, so I'm looking for a method that won't disappear when the firmware is upgraded.



It's deprecated for security reasons and thus only accessible for administrators, but a (safer) replacement has not yet been decided on.

Usually we favour file-based approaches to plugin-capable core capabilities which require shell access (which should only be given to administrators) or a properly built OPNsense plugin. These file-based solutions will then be picked up by the system without further GUI interaction.


Cheers,
Franco

Quote from: stefanpf on February 27, 2020, 08:56:33 PM
You could simply add these server entries
into the advanced options field, or add an extra config file, e.g. with
conf-file=/usr/local/etc/dnsstuff.conf

I followed your approach but set up a directory and put it in /etc, so
conf-dir=/etc/dnsmasq.d
It worked perfectly, thanks.
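As an added example (not code from anyone in this thread), here is a script that combines the original poster's OpenWRT approach with the conf-dir method that worked above: it downloads the server=/domain/ip list, keeps only well-formed lines so a tampered or malformed list cannot inject other dnsmasq directives (conf-file=, addn-hosts=, ...) into the resolver, writes /etc/dnsmasq.d/overrides.conf and restarts dnsmasq only when the file changed. The list URL, the /etc/dnsmasq.d path and the configctl restart command are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not from the thread: build /etc/dnsmasq.d/overrides.conf
# from a downloaded list of "server=/domain/ip" lines. Only lines of exactly
# that form are kept, so a tampered or malformed list cannot smuggle other
# dnsmasq directives (conf-file=, addn-hosts=, ...) into the resolver.
# Assumptions: dnsmasq reads conf-dir=/etc/dnsmasq.d, the list URL below,
# and the restart command.
LIST_URL="https://example.invalid/domain-overrides.txt"   # placeholder URL
OUT_FILE="/etc/dnsmasq.d/overrides.conf"

# is_valid_override LINE: succeed only for server=/<domain>/<ipv4>
is_valid_override() {
    case "$1" in server=/*/*) ;; *) return 1 ;; esac
    rest="${1#server=/}"; domain="${rest%%/*}"; ip="${rest#*/}"
    case "$domain" in ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;; esac
    case "$ip" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs     # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# filter_overrides: stdin -> stdout; rejected lines are reported on stderr
filter_overrides() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ""|\#*) continue ;; esac    # skip blanks and comments
        if is_valid_override "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
}

# install_overrides: fetch, filter, install atomically, restart only on change
install_overrides() {
    raw=$(mktemp) && tmp=$(mktemp) || return 1
    if curl -fsS "$LIST_URL" -o "$raw"; then
        filter_overrides < "$raw" > "$tmp"
        if ! cmp -s "$tmp" "$OUT_FILE" 2>/dev/null; then
            mv "$tmp" "$OUT_FILE" && chmod 0644 "$OUT_FILE"
            configctl dnsmasq restart   # assumed restart command; adjust to your release
        fi
    fi
    rm -f "$raw" "$tmp"
}

# Run from cron as: /path/to/script run
case "${1:-}" in run) install_overrides ;; esac
```

The filter is deliberately stricter than dnsmasq itself (IPv4 only, no #port suffix), matching the server=/tvnz.co.nz/8.8.8.8 form used in the thread; widen it only if your list needs more.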