xref: /freebsd/contrib/unbound/doc/README.ipset.md (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
## Created a module to support ipset, which adds a domain's IP addresses to an ipset list easily

### Purposes:
* In my case, I can't access Facebook, Twitter, YouTube and thousands of other web sites for some reason. A VPN is a solution, but the internet is too slow when all traffic passes through the VPN.
So, I set up a transparent proxy that only proxies the traffic which has been blocked.
At the final step, I need to install a DNS service that works well with ipset to launch the system.
I did some research on this. Unfortunately, Unbound, my favorite DNS service, doesn't support ipset yet. So, I decided to implement it myself and contribute the patch. It's good for me and the community.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social web sites

ipset:
  name-v4: "gfwlist"
```
```
# iptables
# REDIRECT is only valid in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
```

* This patch can also work with iptables rules to block a batch of IPs.
```
# unbound.conf
server:
  ...
  local-zone: "facebook.com" ipset
  local-zone: "twitter.com" ipset
  local-zone: "instagram.com" ipset
  # ... more social web sites

ipset:
  name-v4: "blacklist"
  name-v6: "blacklist6"
```
```
# iptables (--match-set is the current spelling of the deprecated --set option)
iptables -A INPUT -m set --match-set blacklist src -j DROP
ip6tables -A INPUT -m set --match-set blacklist6 src -j DROP
```

### Notes:
* Root privileges are required to enable this module.
* Create the set with the ipset command first, e.g. **ipset -N blacklist iphash**. The set name must match the `name-v4` (or `name-v6`) value in unbound.conf.

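The two notes above and the iptables rules earlier in this README are the setup steps that have to happen outside Unbound: the sets must exist (as root) before Unbound starts, and the DROP rules must reference the same set names as `name-v4`/`name-v6`. The script below is an added example, not part of Unbound or this patch, that does those steps idempotently. It assumes the README's set names `blacklist`/`blacklist6` (overridable through the `V4_SET`/`V6_SET` environment variables), uses the modern `ipset create` spelling of the README's `ipset -N ... iphash`, and by default only prints the commands it would run; `--apply` executes them and then requires root.

```shell
#!/bin/sh
# ipset-setup.sh (added example, not part of Unbound): create the sets that
# Unbound's ipset module fills and install the matching iptables DROP rules.
# Set names default to the ones used in the README; override with V4_SET/V6_SET.
set -e

V4_SET="${V4_SET:-blacklist}"    # must equal "name-v4" in unbound.conf
V6_SET="${V6_SET:-blacklist6}"   # must equal "name-v6" in unbound.conf
APPLY=0                          # 0 = only print the plan, 1 = execute it

# Set names are interpolated into commands, so accept only a safe character set.
valid_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Modern "ipset create" equivalent of the README's "ipset -N blacklist iphash";
# -exist makes re-running the script harmless when the set already exists.
set_create_cmd() {
    # $1 = set name, $2 = address family (inet or inet6)
    echo "ipset -exist create $1 hash:ip family $2"
}

# Rule specification shared by "-C" (check) and "-I" (insert).
drop_rule_spec() {
    # $1 = set name; --match-set is the current spelling of the README's --set
    echo "INPUT -m set --match-set $1 src -j DROP"
}

drop_rule_cmd() {
    # $1 = set name, $2 = iptables binary (iptables or ip6tables)
    echo "$2 -I $(drop_rule_spec "$1")"
}

run() {
    if [ "$APPLY" -eq 1 ]; then eval "$1"; else echo "[plan] $1"; fi
}

ensure_rule() {
    # Insert the DROP rule only if an identical rule is not already present
    # ("-C" exits non-zero when the rule is absent). The spec is deliberately
    # left unquoted so the shell splits it into iptables arguments.
    if [ "$APPLY" -eq 1 ] && "$2" -C $(drop_rule_spec "$1") 2>/dev/null; then
        echo "rule for $1 already present"
    else
        run "$(drop_rule_cmd "$1" "$2")"
    fi
}

main() {
    [ "${1:-}" = "--apply" ] && APPLY=1
    if [ "$APPLY" -eq 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "ipset and iptables need root: re-run as root, or without --apply" >&2
        return 1
    fi
    for n in "$V4_SET" "$V6_SET"; do
        valid_name "$n" || { echo "invalid set name: $n" >&2; return 1; }
    done
    # The sets must exist before Unbound starts, or the module has nothing to add to.
    run "$(set_create_cmd "$V4_SET" inet)"
    run "$(set_create_cmd "$V6_SET" inet6)"
    ensure_rule "$V4_SET" iptables
    ensure_rule "$V6_SET" ip6tables
}

main "$@"
```

Run it once without arguments to review the plan, then as root with `--apply`. Because both the set creation (`-exist`) and the rule insertion (checked with `-C` first) are idempotent, the script is safe to hook into whatever starts Unbound at boot.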
### How to use:
```
./configure --enable-ipset
make && make install
```

### Configuration:
```
# unbound.conf
server:
  ...
  local-zone: "example.com" ipset

ipset:
  name-v4: "blacklist"
```
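Once the configuration above is in place, the practical check is whether a lookup through Unbound actually lands the answer in the set. The script below is an added example, not part of Unbound, that compares the addresses returned for a domain with the members printed by `ipset list`. It assumes Unbound listens on 127.0.0.1, that `dig` is available, and that the set is the README's `blacklist`; the listing embedded in the script is a constructed sample (not captured from a real host) used for a self-check when the script is run without arguments.

```shell
#!/bin/sh
# check-ipset-fill.sh (added example, not part of Unbound): verify that the
# addresses Unbound resolved for a domain were actually added to the ipset set.
# Usage: ./check-ipset-fill.sh blacklist example.com   (needs root for "ipset list")
set -e

# Print the member addresses from "ipset list NAME" output read on stdin.
# The listing header ends at the "Members:" line; each member line starts
# with the address (any per-entry options such as a timeout follow it).
members_from_listing() {
    awk '/^Members:/ { in_members = 1; next } in_members && NF { print $1 }'
}

# Print every address in $2 (whitespace separated) that is not a member of
# the set listing given in $1. Prints nothing when the set is fully populated.
missing_addresses() {
    members=$(printf '%s\n' "$1" | members_from_listing)
    for addr in $2; do
        printf '%s\n' "$members" | grep -qxF -- "$addr" || echo "$addr"
    done
}

# Constructed sample output of "ipset list blacklist" (not captured from a real host).
SAMPLE_LISTING='Name: blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 360
References: 1
Number of entries: 2
Members:
192.0.2.10
192.0.2.11'

# Self-check on the constructed sample: 198.51.100.5 is the one missing address.
self_check() {
    missing_addresses "$SAMPLE_LISTING" "192.0.2.10 198.51.100.5 192.0.2.11"
}

# Live check: resolve $2 through the local Unbound (assumed on 127.0.0.1), which
# makes the module add the answer to the set, then compare with "ipset list $1".
live_check() {
    addrs=$(dig +short "$2" @127.0.0.1 A | grep -E '^[0-9.]+$')
    listing=$(ipset list "$1")
    missing=$(missing_addresses "$listing" "$addrs")
    if [ -n "$missing" ]; then
        echo "not in set $1:"; echo "$missing"; return 1
    fi
    echo "all $(echo "$addrs" | wc -l | tr -d ' ') address(es) of $2 are in $1"
}

if [ $# -eq 2 ]; then live_check "$1" "$2"; else self_check; fi
```

A non-empty "not in set" result after a successful lookup usually means the set name in unbound.conf does not match the set that was created, the set was created after Unbound started, or Unbound was built without `--enable-ipset`.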