Make nftables resolve fqdn on-the-fly
Go to file
2024-01-16 17:35:16 +01:00
debian andouille de typo 2023-08-29 23:50:53 +02:00
nft-dns.d First commit v0.1 2023-08-29 19:33:24 +02:00
.gitignore First commit v0.1 2023-08-29 19:33:24 +02:00
build-package.sh better readme and manual 2023-08-30 16:57:16 +02:00
entry.py add table name 2024-01-16 17:35:16 +01:00
LICENSE Initial commit 2023-08-29 17:23:17 +02:00
MANUAL.md add table name 2024-01-16 17:35:16 +01:00
nft-dns.conf add table name 2024-01-16 17:35:16 +01:00
nft-dns.py add table name 2024-01-16 17:35:16 +01:00
nft-dns.service fix build try_1 2023-08-29 19:47:56 +02:00
README.md cleaning if stopped 2023-08-30 18:05:22 +02:00
requirements.txt andouille de typo 2023-08-29 23:50:53 +02:00

nft-dns

Make the nftables resolve fqdn on-the-fly !

Back on iptables, fqdn was available into rules, but was resolved at start only. This have never been improved.

This project try to resolve this limitation. NFT-DNS start with it own configuration file, will resolve the DNS and keep the TTL, then will populate the NFT named SET.

The script will make DNS query each time the TTL reach zero, this way, your system will resolve an entries already accepted (or refused) by your firewall, even if the domain have changed its IP. The script is both IPv4 and IPv6 compatible.


Quick Start Guide

  1. Features
  2. Installation
  3. Configuration
  4. Help
  5. TODO

Features

  • FQDN support
    • *wildcard only if there are a Wildcard DNS record
  • Configuration via simple config files into a folder (allow multiple config file)
    • Config with .ini format
  • Packaged with apt
    • upgrade with APT
    • Service packaged with systemd

Requirements

To use this program you need:

  • At least Debian 12 (I code with Pydantic Model (> 5.0))
  • A NFTABLES with already prepared named SET.
    • If the set doesn't exist, the program will stop itself.
    • For testing, you can have sets you don't call into a rule
  • If your OS have systemd, the package will prepare the systemd service too.

Installation

    echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bookworm main" | sudo tee /etc/apt/sources.list.d/azlux.list
    sudo wget -O /usr/share/keyrings/azlux-archive-keyring.gpg  https://azlux.fr/repo.gpg
    sudo apt update
    sudo apt install nft-dns
    # Here you change the config
    # Then you can start and enable the service
    sudo systemctl enable nft-dns
    sudo systemctl start nft-dns

Manually

You can just clone the project, the start script is nft-dns.py. But you will have not auto-update. You will need to create your one init service. You also need to install the dependencies with pip3 or debian packages.

Configuration

You can write your own config file with the manual (available also with man nft-dns)

Read the manual for explanation of configs entries.

You can also copy the /etc/nft-dns.conf file as a example, and uncomment values (cp /etc/nft-dns.conf /etc/nft-dns.d/cutsom.conf).

Help

Command line

Use nft-dns.py --help to get the usage help.

Man page

Use man nft-dns to get the config help

TODO

  1. pcap capture (as option) to support true wildcard