Conditional DNS forwarding

lazerbrain · November 1, 2019, 2:19pm

Is there any way to apply conditional DNS forwarding (eg. for certain web site)? I’ve tried with applying Layer 7, mangle and nat rules but with no success. The goal I want to achieve is when an user goes to the certain web site another dns address will be automatically assigned to him.

Sob · November 1, 2019, 4:59pm

If you want to redirect DNS requests to another resolver, it’s possible using L7 hack. Not exactly pretty solution, but often usable. If you post what you did, there’s a chance it can be fixed.

Although from your post I’m not sure it that’s really what you’re asking about.

lazerbrain · November 1, 2019, 5:49pm

Mangle rules:

add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - nflxvideo.net" content=nflxvideo.net dst-address=!172.16.0.0/24 \
    src-address=172.16.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - netflix.com" content=netflix.com dst-address=!172.16.0.0/24 \
    src-address=172.16.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - nflxext.com" content=nflxext.com dst-address=!172.16.0.0/24 \
    src-address=172.16.0.0/24
add action=add-dst-to-address-list address-list=netflix_list address-list-timeout=30m chain=forward comment="Add IP Netflix - nflximg.net" content=nflximg.net dst-address=!172.16.0.0/24 \
    src-address=172.16.0.0/24
add action=mark-connection chain=prerouting dst-address-list=netflix_list new-connection-mark=netflix.com-forward passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address-list=netflix_list new-connection-mark=netflix.com-forward passthrough=yes protocol=udp

Nat:

add action=dst-nat chain=dstnat connection-mark=netflix.com-forward to-addresses=xxx.xxx.xxx.xxx
add action=masquerade chain=srcnat connection-mark=netflix.com-forward

lazerbrain · November 1, 2019, 6:31pm

I got it!!
Layer7:

add name=netflix.com regexp="^.*(netflix|nflext|nflximg|nflxsearch|nflxso|nflxvideo).*\$"

Mangle:

add action=mark-connection chain=prerouting dst-address=!172.16.0.0/24 layer7-protocol=netflix.com new-connection-mark=netflix_conn passthrough=yes src-address=172.16.0.0/24
add action=mark-packet chain=prerouting connection-mark=netflix_conn new-packet-mark=netflix_packet passthrough=no

Nat:

add action=dst-nat chain=dstnat packet-mark=netflix_packet to-addresses=xxx.xxx.xxx.xxx
add action=masquerade chain=srcnat connection-mark=netflix.com-forward

It works like a charm!!!