Motivation
There was a need to route/tunnel some traffic on a per-service basis. I've got ASNs and network IPs for building routing lists, but something was missing:
- IP lists have to be maintained,
- some services are declared by DNS names.
// Here could go an intro to dynamic routing, which could also be a basis for the solution, maybe even for a home lab or SMB, but finally…
Being an NLnet Labs and Python fan, I tried to make use of the unbound pythonmod. The main idea is to ask the resolver to add or alter routes on every DNS reply. We assume here that the DNS resolver is also the gateway, so routes are added locally, but that is not a restriction of the concept.
Dev environment
As the docs and sample config say, use --with-pythonmodule to configure before compiling. Building DEBs from source will also do:
sudo apt install build-essential
sudo apt build-dep unbound
apt source --build unbound
Then with the following minimal configuration:
- some necessities for chrooting: /usr/lib/python3.8 (available inside the chroot),
- some debian/tmp/etc/unbound/unbound.conf options:
    ...
    server:
        interface: 127.0.0.1@5003
        chroot: "/_WHERE_UNBOUND_BUILT_ABOVE_/unbound-1.9.4/debian/tmp"
        username: ""
        use-syslog: no
        module-config: "python iterator"
        ...
    python:
        python-script: "pythonmod/ubmodule-addroute.py"
        ...
you will get an unbound playground, runnable with:
cd _WHERE_UNBOUND_BUILT_ABOVE_/unbound-1.9.4
sudo debian/tmp/usr/sbin/unbound -pdc debian/tmp/etc/unbound/unbound.conf
## -p no pidfile
## -d no daemons (foreground mode)
## -c config file explicitly specified
dig @127.0.0.1 -p 5003 linkedin.com # to check whether it works
The unbound python module
The module itself is published as a GitHub Gist:
https://gist.github.com/vpag/46473146849e1cf28ea1d1b1d5f8029a
Please treat it as a template. This module does not alter any system parameters; it only causes unbound to display messages. Feel free to use, experiment and improve.
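As an added example, not the gist's code, here is what a module built on the idea above looks like: a pythonmod script that waits for the iterator to produce a reply, walks only the answer section's A records and logs the ip route command it would run, without changing any route. The next hop NEXT_HOP, the helper names and the logged command format are my assumptions; the MODULE_* constants and log_info are injected into the script's namespace by unbound at load time.

```python
import socket
import struct

NEXT_HOP = "192.0.2.1"  # assumed/hypothetical next hop for the tunnel interface

def a_records(rep):
    """Return (owner, ipv4) pairs for the A records in a pythonmod reply_info."""
    found = []
    # Answer section only (the first an_numrrsets rrsets): authority/additional
    # records such as glue must never steer routing decisions.
    for i in range(rep.an_numrrsets):
        rr = rep.rrsets[i]
        if rr.rk.type_str != "A":
            continue
        d = rr.entry.data
        for j in range(d.count):  # d.count excludes the trailing RRSIGs
            raw = d.rr_data[j]  # 2-byte big-endian rdlength, then the rdata
            (rdlen,) = struct.unpack("!H", raw[:2])
            if rdlen != 4 or len(raw) < 6:
                continue  # malformed A rdata: skip rather than route on garbage
            found.append((rr.rk.dname_str, socket.inet_ntoa(raw[2:6])))
    return found

def route_commands(pairs, via=NEXT_HOP):
    """Render host routes as ip route commands; nothing is executed here."""
    return ["ip route replace %s/32 via %s  # %s" % (ip, via, name) for name, ip in pairs]

# unbound pythonmod entry points; MODULE_* and log_info are injected by unbound.
def init(id, cfg):
    log_info("addroute: loaded as module %d" % id)
    return True

def deinit(id):
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        qstate.ext_state[id] = MODULE_WAIT_MODULE  # let the iterator resolve first
        return True
    if event == MODULE_EVENT_MODDONE:
        msg = qstate.return_msg
        if msg is not None and msg.rep is not None:  # return_msg can be None, e.g. on SERVFAIL
            for cmd in route_commands(a_records(msg.rep)):
                log_info("addroute: would run: " + cmd)
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

With module-config "python iterator" there is no validator in the chain, so the reply's security status is never checked; before letting such a module touch real routes, put "validator" in front of the iterator and act only on secure answers.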