🎭Split Tunnel using DNSMASQ & nftables🗜️

Ronald Bartels

The first step is to compile DNSMASQ v2.89, the first release with nftset support.

The prerequisites that need to be installed are build-essential, libdbus-1-dev, libnetfilter-conntrack-dev, idn, libidn11-dev, nettle-dev, gettext, and libnftables-dev.

Download https://thekelleys.org.uk/dnsmasq/dnsmasq-2.89.tar.gz and extract the files.

Modify src/config.h to comment out:

/* #define HAVE_IPSET */

Modify src/config.h to uncomment:

#define HAVE_DBUS

#define HAVE_IDN
#define HAVE_CONNTRACK
#define HAVE_DNSSEC

#define HAVE_NFTSET

Use make all-i18n to compile the binary.

Move the dnsmasq binary from the src directory to /usr/lib/bonding/bin.

Test the version by executing sudo /usr/lib/bonding/bin/dnsmasq -v. The compile time options must list nftset (and no-ipset, since HAVE_IPSET was commented out):

Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
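The config.h edits and the version check above can be scripted so a rebuild is repeatable and the resulting binary is verified before it is copied into place. The script below is an added example, not part of the original post: patch_config_h applies exactly the comment/uncomment changes listed above, and check_compile_options parses the "Compile time options" line of dnsmasq -v as exact tokens (so that no-ipset is never mistaken for ipset). The sample config.h and the -v output used for the demo are constructed inline; on a real build run the functions against src/config.h and the freshly built binary.

```shell
#!/bin/sh
# Added example (not from the original post): patch dnsmasq's src/config.h the
# way the post describes and verify the "Compile time options" of `dnsmasq -v`.

# Comment out HAVE_IPSET and uncomment the listed HAVE_* options in a config.h.
# Edits go through a temp file so this works with both GNU and BSD sed.
patch_config_h() {
    f="$1"
    sed 's|^#define HAVE_IPSET$|/* #define HAVE_IPSET */|' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    for opt in HAVE_DBUS HAVE_IDN HAVE_CONNTRACK HAVE_DNSSEC HAVE_NFTSET; do
        sed "s|^/\* #define $opt \*/$|#define $opt|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Return 0 if every option named after the first argument appears as an exact
# token on the "Compile time options:" line of the given `dnsmasq -v` output.
# Exact token comparison matters: "no-ipset" must not count as "ipset".
check_compile_options() {
    out="$1"; shift
    opts=$(printf '%s\n' "$out" | sed -n 's/^Compile time options: //p')
    for want in "$@"; do
        found=0
        for tok in $opts; do
            [ "$tok" = "$want" ] && found=1
        done
        [ "$found" = 1 ] || return 1
    done
    return 0
}

# --- demo on constructed input --------------------------------------------
# A constructed config.h fragment mimicking the upstream define/comment layout.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.h" <<'EOF'
/* #define HAVE_DBUS */
/* #define HAVE_IDN */
/* #define HAVE_CONNTRACK */
/* #define HAVE_DNSSEC */
#define HAVE_IPSET
/* #define HAVE_NFTSET */
#define HAVE_TFTP
EOF
patch_config_h "$demo_dir/config.h"
cat "$demo_dir/config.h"
# After patching: HAVE_IPSET is commented, the five options are defined,
# and unrelated lines such as HAVE_TFTP are untouched.
rm -rf "$demo_dir"

# The -v output quoted in the post, held here as a string for the check.
sample_v='Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile'
if check_compile_options "$sample_v" nftset no-ipset conntrack DNSSEC; then
    echo "binary has the options needed for domain-based bypass"
fi
# On the real system:
#   check_compile_options "$(sudo /usr/lib/bonding/bin/dnsmasq -v)" nftset no-ipset
```

Run the real check before moving the binary into /usr/lib/bonding/bin; a binary built without nftset will start but silently ignore every nftset= line, so the bypass set simply stays empty.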

On the edge you need to add the following (the braces and semicolon are quoted so the shell passes them through to nft unchanged):

sudo nft add set inet filter bypasslist '{ type ipv4_addr; }'
sudo nft insert rule inet filter classification ip daddr @bypasslist meta mark set 0x000000f1 return comment "bypass"

The DNSMASQ custom configuration file must then include entries such as these (examples):

# youtube
nftset=/youtube.com/googlevideo.com/ytimg.com/4#inet#filter#bypasslist
# facebook
nftset=/fb.com/facebook.com/fbcdn.com/4#inet#filter#bypasslist
# South Africa
nftset=/za/4#inet#filter#bypasslist
# Windows updates
nftset=/windowsupdate.microsoft.com/update.microsoft.com/download.windowsupdate.com/download.microsoft.com/windowsupdate.com/4#inet#filter#bypasslist
# apple updates
# nftset=/itunes.apple.com/appldnld.apple.com/swscan.apple.com/swcdn.apple.com/swdownload.apple.com/4#inet#filter#bypasslist

With these entries, traffic to YouTube (or any of the other listed domains) bypasses the tunnel, selected by domain name rather than by static IP ranges: each time dnsmasq resolves a matching name, the returned IPv4 addresses are added to the bypasslist set.

Check that the rules are working by using sudo nft list ruleset. The bypasslist set should be populated with IPs, and the rule in the classification chain should show matches.
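The set-and-rule setup and the verification step can also be scripted. The block below is an added example and not the post's own tooling: bypass_entry generates nftset= lines from a domain list, write_nft_script writes the two nft commands above as an nft -f file (with a counter added to the rule, since the bare rule as given has no counter and nft list ruleset would show no match numbers for it), and set_element_count counts the elements in the text output of nft list set inet filter bypasslist. It assumes the inet table filter and its chain classification already exist on the edge, as the post's commands do; the set dump and IPs in the demo are constructed (RFC 5737 documentation addresses).

```shell
#!/bin/sh
# Added example, not part of the original post. Generates the nftables setup
# and the dnsmasq nftset entries described above, and checks a set dump.
# Assumption: table "inet filter" and chain "classification" already exist.

SETSPEC="4#inet#filter#bypasslist"   # family#table#set, as dnsmasq expects

# Build one dnsmasq nftset= line from a list of domains.
# Usage: bypass_entry youtube.com googlevideo.com ytimg.com
bypass_entry() {
    line="nftset="
    for d in "$@"; do line="$line/$d"; done
    printf '%s/%s\n' "$line" "$SETSPEC"
}

# Write an nft script equivalent to the post's two commands. A `counter` is
# added so `nft list ruleset` reports packets/bytes matched by the bypass rule.
write_nft_script() {
    cat > "$1" <<'EOF'
add set inet filter bypasslist { type ipv4_addr; }
insert rule inet filter classification ip daddr @bypasslist counter meta mark set 0x000000f1 return comment "bypass"
EOF
}

# Count IPv4 elements in the text output of `nft list set inet filter bypasslist`.
# nft wraps long element lists across lines, so everything between
# "elements = {" and the closing "}" is scanned.
set_element_count() {
    printf '%s\n' "$1" | awk '
        /elements = \{/ { inel = 1 }
        inel {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) count++
        }
        inel && /\}/ { inel = 0 }
        END { print count + 0 }'
}

# --- demo on constructed data ----------------------------------------------
bypass_entry youtube.com googlevideo.com ytimg.com
bypass_entry fb.com facebook.com fbcdn.com

script=$(mktemp)
write_nft_script "$script"
cat "$script"
# Apply on the edge with: sudo nft -f "$script"
rm -f "$script"

# Constructed `nft list set inet filter bypasslist` output after a few lookups.
sample_set='table inet filter {
	set bypasslist {
		type ipv4_addr
		elements = { 192.0.2.10, 192.0.2.11,
			     198.51.100.7 }
	}
}'
echo "elements in bypasslist: $(set_element_count "$sample_set")"
# On the edge: set_element_count "$(sudo nft list set inet filter bypasslist)"
```

Two practical notes. A count of zero after a few lookups through the edge usually means the client is not actually using this dnsmasq as its resolver (for example, DNS over HTTPS in the browser), so the set never learns the addresses. And dnsmasq only ever adds elements; it does not remove stale ones, so the set grows until it is flushed or until the set is defined with a timeout.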
