
pornography-protection/Linux-Filter-Dnsmasq-Regex


dnsmasq-regex

fork of: https://github.com/lixingcong/dnsmasq-regex

  1. Install the normal dnsmasq package and make sure it works (follow the local setup instructions in firewall/dnsmasq-walled-garden/Readme.md).

  2. Create a build directory ./00_TEMP_BUILD_DIR/ and copy all files of this repo into it.

  3. Download dnsmasq v2.90 (https://thekelleys.org.uk/dnsmasq/) and extract it into ./00_TEMP_BUILD_DIR/dnsmasq

  4. Edit ./00_TEMP_BUILD_DIR/Makefile and change:

DNSMASQ_COPTS="-DHAVE_REGEX -DHAVE_REGEX_IPSET"

to:

#DNSMASQ_COPTS="-DHAVE_REGEX -DHAVE_REGEX_IPSET"
DNSMASQ_COPTS="-DHAVE_REGEX"

  5. We don't want to build the project yet, only to apply the regex patches (from https://github.com/lixingcong/dnsmasq-regex). In the same Makefile, disable building by commenting out the two build lines:

cd dnsmasq && $(MAKE) COPTS=$(DNSMASQ_COPTS)

  6. Run make inside ./00_TEMP_BUILD_DIR/. This applies the patches.

  7. If you compile and run it at this point, the service fails to start:

Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xeu dnsmasq.service" for details.

journalctl -xeu dnsmasq.service shows: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.

journalctl -f shows: dnsmasq: failed to bind DHCP server socket: Permission denied.

To fix it, you need to enable D-Bus support in the build.

  8. Enable D-Bus: edit ./00_TEMP_BUILD_DIR/dnsmasq/src/config.h and uncomment the line /* #define HAVE_DBUS */

X - NO LONGER REQUIRED: On Ubuntu, you need to sudo apt install nettle-dev and uncomment /* #define HAVE_DNSSEC */

Update: in the same config.h, also uncomment the following two lines:

#define HAVE_REGEX
#define HAVE_REGEX_IPSET

  9. Open ./00_TEMP_BUILD_DIR/Makefile, uncomment the two build lines we commented out earlier, then comment out the following line to stop applying the patches (the patch step fails once config.h has been modified):

@patch -p 1 -d dnsmasq < $^ && touch $@

  10. Run make inside ./00_TEMP_BUILD_DIR/. This builds dnsmasq.

  11. To install it without building again, edit ./00_TEMP_BUILD_DIR/dnsmasq/Makefile and change install : all install-common to:

#install : all install-common
install : install-common

Then run sudo make install inside ./00_TEMP_BUILD_DIR/dnsmasq/

  12. Either: modify the binary path in the service unit:

sudo vim /usr/lib/systemd/system/dnsmasq.service

from /usr/bin/dnsmasq to /usr/local/sbin/dnsmasq, then run systemctl daemon-reload.

Or: type which dnsmasq to see where the packaged binary is installed, rename it to dnsmasq_old and put the new one in its place.

  13. Run systemctl restart dnsmasq, then /usr/local/sbin/dnsmasq --version. The compile-time options it prints should include regex (and DBus, if step 8 took effect).

  14. To check which dnsmasq is on the path, run whereis dnsmasq or which dnsmasq. That only shows what your shell would run; systemctl status dnsmasq shows the command line of the process systemd actually started.

Solving an error on Ubuntu: if running the executable fails with libpcre.so.1 not found, run sudo apt-cache search pcre and install the needed library (not sure which one, but one of them works).

Troubleshoot:

ldconfig -p | grep libpcre.so.1
sudo find / -name libpcre.so
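The file edits from the steps above, as an added shell example (not part of this repo or of dnsmasq-regex): each hand edit becomes a small function, so it can be tried on a scratch copy of config.h, the two Makefiles and the unit file before the real tree is touched. BUILD_DIR and UNIT_FILE default to the paths the notes use; the function names and the `apply` entry point are this example's own assumptions, not anything the project ships.

```shell
#!/bin/sh
# Added example (not the project's own scripts): the config.h, Makefile, install-target
# and unit-file edits from the build notes, as functions. Paths are the ones the notes
# use; the function names and the `apply` entry point are assumptions of this example.
set -eu

BUILD_DIR=${BUILD_DIR:-./00_TEMP_BUILD_DIR}
UNIT_FILE=${UNIT_FILE:-/usr/lib/systemd/system/dnsmasq.service}

# Rewrite FILE with one sed expression via a temp file (works with GNU and BSD sed).
rewrite() {                         # rewrite FILE SED_EXPR
  sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# config.h: turn `/* #define NAME */` into `#define NAME` (HAVE_DBUS, HAVE_REGEX, ...).
enable_define() {                   # enable_define CONFIG_H NAME
  rewrite "$1" "s|^/\\* #define $2 \\*/|#define $2|"
}

# Top-level Makefile: comment out the `@patch -p 1 -d dnsmasq ...` recipe line so that
# make does not try to re-apply the patches to the already patched, hand-edited tree.
disable_patch_step() {              # disable_patch_step MAKEFILE
  rewrite "$1" 's|^\([[:space:]]*\)@patch -p 1 -d dnsmasq|\1#@patch -p 1 -d dnsmasq|'
}

# dnsmasq/Makefile: drop the `all` prerequisite so `make install` does not rebuild.
install_without_rebuild() {         # install_without_rebuild DNSMASQ_MAKEFILE
  rewrite "$1" 's|^install : all install-common|install : install-common|'
}

# Unit file: replace every occurrence of the old binary path with the new one.
repoint_unit() {                    # repoint_unit UNIT_FILE OLD_PATH NEW_PATH
  rewrite "$1" "s|$2|$3|g"
}

# True if a `dnsmasq --version` text lists regex among its compile-time options.
has_regex_support() {               # has_regex_support VERSION_TEXT
  printf '%s\n' "$1" | grep -q 'Compile time options:.*regex'
}

# The post-patch edits against the real tree. Run as root, after the patches have been
# applied and the two `cd dnsmasq && $(MAKE)` lines re-enabled:  sh build-edits.sh apply
apply_edits() {
  cfg=$BUILD_DIR/dnsmasq/src/config.h
  for name in HAVE_DBUS HAVE_REGEX HAVE_REGEX_IPSET; do enable_define "$cfg" "$name"; done
  disable_patch_step "$BUILD_DIR/Makefile"
  (cd "$BUILD_DIR" && make)
  install_without_rebuild "$BUILD_DIR/dnsmasq/Makefile"
  (cd "$BUILD_DIR/dnsmasq" && make install)
  repoint_unit "$UNIT_FILE" /usr/bin/dnsmasq /usr/local/sbin/dnsmasq
  systemctl daemon-reload && systemctl restart dnsmasq
  has_regex_support "$(/usr/local/sbin/dnsmasq --version)" \
    || { echo "installed dnsmasq has no regex support" >&2; exit 1; }
}

# Without the `apply` argument the script only defines the functions.
if [ "${1:-}" = apply ]; then apply_edits; fi
```

Run it as `sh build-edits.sh apply` from the directory that contains ./00_TEMP_BUILD_DIR; without the argument it only defines the functions, which is how it is tested on scratch files. If the installed binary then complains about a missing libpcre, `ldd /usr/local/sbin/dnsmasq | grep pcre` shows which PCRE library it was linked against, which narrows the apt-cache search above.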


Original README.md:

Dnsmasq with regex support

Latest version: v2.90

patches:

Inspired by these repos:

Original regex patch for dnsmasq 2.63

Official dnsmasq:

Compile

For Debian/Ubuntu:

# Install the dependencies
sudo apt install -y libpcre3-dev libnftables-dev pkg-config

# Clone the repo
git clone https://github.com/lixingcong/dnsmasq-regex
cd dnsmasq-regex

# update the sub-module 'dnsmasq' to latest version
# only update when a newer version is released
bash ./update_submodule.sh

# build it
make

# Run the binary, check if the compile option contains "regex(+ipset,nftset)"
./dnsmasq/src/dnsmasq --version

Tips: If you do not need the patch of ipset/nftables, just edit the file "Makefile" and build from source again.

Change this line

DNSMASQ_COPTS="-DHAVE_REGEX -DHAVE_REGEX_IPSET"

to

DNSMASQ_COPTS="-DHAVE_REGEX"

Config file example

You can write a regex entry by starting and ending the name part with ':'

server=114.114.114.114
server=/google.com/8.8.8.8
server=/:myvpn[0-9]*\.company\.com:/1.1.1.1
server=/:a[0-9]\.yyy\.com:/#
address=/:a[0-9]\.xxx\.com:/127.0.0.1
ipset=/:.*youtube.*:/test
nftset=/:.*\.google.co.*:/ip#dnsmasq-table#google-ipset

The config above will:

  • set the default upstream server to 114.114.114.114
  • match the normal domain google.com and forward its DNS queries to 8.8.8.8
  • match the regex myvpn[0-9]*\.company\.com and forward matching queries to 1.1.1.1
  • match the regex a[0-9]\.yyy\.com and forward matching queries to 114.114.114.114 as usual (the default upstream server)
  • match the regex a[0-9]\.xxx\.com and answer with the localhost address (to block ads, for example)
  • add the answers of queries matching .*youtube.* to ipset test
  • add the answers of queries matching .*\.google.co.* to an nftables set, equivalent to nft add element ip dnsmasq-table google-ipset { 172.217.161.74 }

Here is an example config file: dnsmasq_regex_example.conf

Tips:

  • A simple script to generate domains configurations: my-gfwlist

  • The regex line [a-z]*gle\.com will match both google.com and google.com.hk. Use the anchors ^ and $ to produce a precise match; this matters most when a regex is used as an allow rule, where an unanchored pattern also admits names that merely contain the text.

Notes for version >= v2.86

Simon, the author of Dnsmasq, has rewritten the function to shorten the lookup time for queries. I had to rewrite the patch too, so the domain match function has changed.

If you upgrade from an older version (2.85 or older), consider modifying your config file. Maybe just move lines up and down. 😉

The regex lines form a linked list that is matched from top to bottom. If a domain matches two regex servers, the DNS query is forwarded to the one that appears first.

Consider the config file below: the domain wx.qq.com will be forwarded to upstream 1.1.1.1, not 8.8.8.8

server=/:\.qq\.com:/1.1.1.1
server=/:\.qq\.com:/8.8.8.8

If a domain matches both a normal and a regex server, the DNS query is forwarded to the normal one.

Consider the config file below: the domain wx.qq.com will be forwarded to upstream 1.1.1.1, neither 8.8.8.8 nor 1.2.4.8

server=/:w\w?\.qq\.com:/1.2.4.8
server=/qq.com/1.1.1.1
server=/:\.qq\.com:/8.8.8.8
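The precedence rules above (a plain server=/name/ entry beats a regex entry, an earlier regex beats a later one, `#` means the default upstream) together with the anchoring tip, as an added shell example that is not part of dnsmasq-regex: a small model that, given a config text and a query name, prints the upstream those rules select, so a rule set can be checked against names it must and must not catch before it goes live on a filtering resolver. The configs embedded below are the ones from this README plus two constructed ones for the anchoring tip; grep -E stands in for the PCRE matching dnsmasq-regex links against, which is an assumption of this example (PCRE-only syntax such as \w behaves differently under ERE), and the function name is its own.

```shell
#!/bin/sh
# Added example, not code from dnsmasq-regex: a model of the server= precedence rules
# described in the README, for checking a config before deploying it. grep -E stands in
# for PCRE (assumption); the function name and the sample configs are this example's own.
set -eu

# Prints the upstream a query for DOMAIN is forwarded to under CONFIG (text of server=
# lines; address=/ipset=/nftset= lines are ignored). Rules, in order:
#   1. a plain server=/name/ entry matching the name or a subdomain (most specific wins)
#   2. the first regex server=/:re:/ entry, top to bottom, whose regex matches
#   3. the bare server=UPSTREAM default; `#` as an upstream also means the default
resolve_upstream() {                # resolve_upstream CONFIG DOMAIN
  config=$1; domain=$2
  default=''; best_name=''; best_up=''; regex_up=''
  # Pass 1: plain entries and the default upstream.
  while IFS= read -r line; do
    case $line in
      server=/:*) ;;                                   # regex entries: second pass
      server=/*)
        rest=${line#server=/}; name=${rest%%/*}; up=${rest#*/}
        if [ "$domain" = "$name" ] || [ "${domain%".$name"}" != "$domain" ]; then
          if [ ${#name} -gt ${#best_name} ]; then best_name=$name; best_up=$up; fi
        fi ;;
      server=*) default=${line#server=} ;;
    esac
  done <<EOF
$config
EOF
  # Pass 2: regex entries, only if no plain entry matched (a plain match always wins).
  if [ -z "$best_name" ]; then
    while IFS= read -r line; do
      case $line in
        server=/:*)
          rest=${line#server=/:}; re=${rest%%:/*}; up=${rest#*:/}
          if printf '%s\n' "$domain" | grep -Eq -- "$re"; then regex_up=$up; break; fi ;;
      esac
    done <<EOF
$config
EOF
  fi
  up=${best_up:-${regex_up:-$default}}
  if [ "$up" = '#' ]; then up=$default; fi
  printf '%s\n' "$up"
}

# The config example from the README (sample input).
EXAMPLE_CFG='server=114.114.114.114
server=/google.com/8.8.8.8
server=/:myvpn[0-9]*\.company\.com:/1.1.1.1
server=/:a[0-9]\.yyy\.com:/#
address=/:a[0-9]\.xxx\.com:/127.0.0.1
ipset=/:.*youtube.*:/test
nftset=/:.*\.google.co.*:/ip#dnsmasq-table#google-ipset'

# The anchoring tip: constructed configs with the pattern unanchored and anchored.
LOOSE_CFG='server=1.1.1.1
server=/:[a-z]*gle\.com:/8.8.8.8'
STRICT_CFG='server=1.1.1.1
server=/:^[a-z]*gle\.com$:/8.8.8.8'

for d in mail.google.com myvpn12.company.com a3.yyy.com example.org; do
  printf '%-24s -> %s\n' "$d" "$(resolve_upstream "$EXAMPLE_CFG" "$d")"
done
printf 'google.com.hk (loose)  -> %s\n' "$(resolve_upstream "$LOOSE_CFG" google.com.hk)"
printf 'google.com.hk (strict) -> %s\n' "$(resolve_upstream "$STRICT_CFG" google.com.hk)"
```

Running it shows the walled-garden consequence of the tip: under LOOSE_CFG google.com.hk is sent to the special upstream because the unanchored pattern matches inside the longer name, under STRICT_CFG it falls through to the default. The same check applies to address= and ipset= rules written with `.*` on both ends.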

OpenWrt/LEDE package

Please check this page: dnsmasq-regex-openwrt
