DNS based routing concept

Thoughts and practice on how to route certain service traffic with the unbound python module.

Motivation

There was a need to route or tunnel some traffic on a per-service basis. I had ASNs and network IPs for building routing lists, but something was missing:

  • IP lists need to be maintained,
  • some services are declared by DNS names.

// Here could go an intro to dynamic routing, which could also be a basis for the solution, maybe even for a home lab or SMB, but finally…

Being an NLnet Labs and Python fan, I tried to make use of the unbound pythonmod. The main idea is to have the resolver add or alter routes on every DNS reply. We assume here that the DNS resolver is also the gateway, so routes are added locally, but as you will see, that is not a restriction of the concept.

Dev environment

As the docs and sample config say, pass --with-pythonmodule to configure before compiling.

Building DEBs from source will also do.

sudo apt install build-essential
sudo apt build-dep unbound
apt source --build unbound

Then with the following minimal configuration:

  • some necessities for chrooting:

    /usr/lib/python3.8 (must be available inside the chroot)

  • some debian/tmp/etc/unbound/unbound.conf options:

    ...
    server:
        interface: 127.0.0.1@5003
        chroot: "/_WHERE_UNBOUND_BUILT_ABOVE_/unbound-1.9.4/debian/tmp"
        username: ""
        use-syslog: no
        module-config: "python iterator"
    ...
    python:
        python-script: "pythonmod/ubmodule-addroute.py"
    ...

you will get an unbound playground, runnable with

cd _WHERE_UNBOUND_BUILT_ABOVE_/unbound-1.9.4
sudo debian/tmp/usr/sbin/unbound -pdc debian/tmp/etc/unbound/unbound.conf
    ##  -p  no pidfile
    ##  -d  do not daemonize (foreground mode)
    ##  -c  config file explicitly specified
dig @127.0.0.1 -p 5003 linkedin.com # to check whether it works

The unbound python module

The module itself is published as a GitHub Gist:

https://gist.github.com/vpag/46473146849e1cf28ea1d1b1d5f8029a

Please treat it as a template. This module does not alter any system parameters; it only makes unbound log messages. Feel free to use, experiment and improve it.
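To make the template idea concrete, here is an added example script in the same spirit (written for this page, not the gist above): when the iterator has resolved a name under one of the configured zones, it logs the host route it would add for every A record in the answer, and, like the gist, never touches the routing table. The hook signatures and the reply-walking attributes (qstate.return_msg.rep, rrsets[i].rk.dname_str/type_str, entry.data.rr_data[j] with its 2-byte length prefix) follow unbound's pythonmod documentation; ROUTED_ZONES and TUNNEL_DEV are constructed placeholders.

```python
# Added example: unbound pythonmod script that logs (never installs) a /32
# route for each A record in replies for names under ROUTED_ZONES.
# Names that unbound injects at load time (log_info, MODULE_EVENT_*, ...)
# are only used inside the hook functions, so the pure helpers can be
# exercised outside unbound as well.
import ipaddress
import struct

ROUTED_ZONES = ("example.com.", "service.example.net.")  # constructed
TUNNEL_DEV = "tun0"                                       # hypothetical


def in_routed_zone(qname, zones=ROUTED_ZONES):
    """True if qname equals or lies under one of the zones (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return any(q == z.lower().rstrip(".") or q.endswith("." + z.lower().rstrip("."))
               for z in zones)


def rr_data_to_ipv4(rr_data):
    """Decode unbound's rr_data layout: 2-byte big-endian length, then RDATA."""
    (length,) = struct.unpack("!H", rr_data[:2])
    if length != 4 or len(rr_data) < 6:
        raise ValueError("not A record RDATA")
    return str(ipaddress.IPv4Address(rr_data[2:6]))


def plan_routes(qname, type_str, rr_datas, zones=ROUTED_ZONES):
    """Return the route commands a reply would trigger; empty for other names/types."""
    if type_str != "A" or not in_routed_zone(qname, zones):
        return []
    cmds = []
    for rd in rr_datas:
        try:
            cmds.append("ip route replace %s/32 dev %s" % (rr_data_to_ipv4(rd), TUNNEL_DEV))
        except ValueError:
            continue  # malformed RDATA: skip, never guess an address
    return cmds


# unbound hooks; module-config "python iterator" delivers NEW first, MODDONE after the iterator
def init(id, cfg):
    log_info("addroute: routed zones: %s" % ", ".join(ROUTED_ZONES))
    return True

def deinit(id):
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        qstate.ext_state[id] = MODULE_WAIT_MODULE   # let the iterator resolve it
        return True
    if event == MODULE_EVENT_MODDONE:
        if qstate.return_msg and qstate.return_msg.rep:
            rep = qstate.return_msg.rep
            for i in range(rep.an_numrrsets):       # answer section only
                rrset = rep.rrsets[i]
                data = rrset.entry.data
                rds = [data.rr_data[j] for j in range(data.count)]
                for cmd in plan_routes(rrset.rk.dname_str, rrset.rk.type_str, rds):
                    log_info("addroute: would run: " + cmd)
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    log_err("addroute: unexpected event %d" % event)
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Point python-script at this file in the unbound.conf above and the logged "would run" lines show exactly which routes a real module would install; turning the log into an actual route change is the part left to the reader.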
