DNS adblock for IPv6 #14

8 years ago · 1dcf0e3e27
parent 91ba299a59
commit 1dcf0e3e27
4 changed files with 31 additions and 2 deletions
--- a/features.yml
+++ b/features.yml
@ -67,7 +67,21 @@
      to_destination: 172.16.0.1:53
    notify:
    - save iptables
-    when: service_dns is defined and service_dns == "Y"
+    when: service_dns is defined and service_dns == "Y" # TODO: service_dns is not defined, because the variable in vars_prompt
+    
+  - name: Forward all DNS requests to the local resolver
+    iptables: 
+      table: nat
+      chain: PREROUTING
+      protocol: udp
+      destination_port: 53
+      source: "{{ vpn_network_ipv6 }}"
+      jump: DNAT
+      to_destination: fcaa::1:53
+      ip_version: ipv6
+    notify:
+    - save iptables
+    when: service_dns is defined and service_dns == "Y"    
    
  - name: Dnsmasq enabled and started
    service: name=dnsmasq state=started enabled=yes
--- a/templates/10-loopback-services.cfg.j2
+++ b/templates/10-loopback-services.cfg.j2
@ -2,3 +2,8 @@ auto lo:100
 iface lo:100 inet static
 	address 172.16.0.1
 	netmask 255.255.255.255
+
+iface lo:100 inet6 static
+        address FCAA::1
+        netmask 64
+        autoconf 0
--- a/templates/adblock.sh
+++ b/templates/adblock.sh
@ -3,6 +3,8 @@

 # Redirect endpoint
 ENDPOINT_IP4="0.0.0.0"
+ENDPOINT_IP6="::"
+IPV6="Y"

 #Delete the old block.hosts to make room for the updates
 rm -f /etc/block.hosts
@ -35,6 +37,14 @@ else
    cat /tmp/block.build.before > /etc/block.hosts
 fi

+if [ "$IPV6" = "Y" ]
+then
+    safe_pattern=$(printf '%s\n' "$ENDPOINT_IP4" | sed 's/[[\.*^$(){}?+|/]/\\&/g')
+    safe_addition=$(printf '%s\n' "$ENDPOINT_IP6" | sed 's/[\&/]/\\&/g')
+    echo 'Adding ipv6 support...'
+    sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /etc/block.hosts
+fi
+
 service dnsmasq restart

 exit 0
--- a/templates/dnsmasq.conf.j2
+++ b/templates/dnsmasq.conf.j2
@ -110,7 +110,7 @@ group=nogroup
 #except-interface=
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
-listen-address=172.16.0.1,127.0.0.1
+listen-address=172.16.0.1,127.0.0.1,FCAA::1
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.