121.40.116.146
47.97.100.86
101.37.158.36
112.124.32.90
47.97.63.217
118.31.47.189
47.96.19.201
47.99.35.223
47.97.126.85
121.196.57.164
116.62.101.24
47.99.43.128
47.111.183.245
47.99.212.135
47.111.111.107
114.215.172.213
47.98.205.71
101.37.156.187
121.196.50.151
118.31.34.42
47.96.21.73
121.196.53.5
47.98.207.35
47.98.97.22
47.110.241.240
47.96.76.91
47.97.109.4
47.114.98.5
114.215.199.192
118.31.36.137
114.215.189.130
47.99.61.182
47.114.172.135
47.98.140.171
121.196.53.108
47.110.124.46
47.110.217.173
101.37.148.156
47.96.127.167
47.98.97.159
121.40.59.15
121.40.127.215
112.124.6.10
47.110.148.62
47.110.54.142
118.31.13.204
47.99.218.87
47.114.97.87
101.37.116.112
47.111.255.165
47.97.111.19
47.96.36.44
47.97.156.111
121.40.137.32
121.41.74.206
First, the client's DNS traffic has to be hijacked. There are three cases:
the client's DNS points at the Linux gateway, which amounts to INPUT traffic to the Linux box;
the client's DNS points at a public DNS such as 223.5.5.5, in which case the traffic is forwarded to an external DNS service (UDP 53 and TCP 53);
the client's DNS points at an arbitrary IP that provides no DNS service (for example 24.5.23.3), which is likewise forwarded to an external DNS service.
For the latter two cases, iptables is needed to forcibly redirect the traffic to the DNS service on the local INPUT chain (provided by dnsmasq):
iptables -t nat -I PREROUTING -s xx.xx.xx.xx -p tcp -m state --state NEW --dport 53 -j DNAT --to linux網關ip:53
iptables -t nat -I PREROUTING -s xx.xx.xx.xx -p udp --dport 53 -j DNAT --to linux網關ip:53
In actual testing, the client was dialled in with a VPN client, which meant that dnsmasq's ipset feature on Linux could not capture the IP addresses associated with Sunflower's (向日葵) important domains; noting that here.
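The redirect described above, written out as a small idempotent gateway script. This is an added example, not the note's own commands: it assumes a hypothetical client subnet 192.168.1.0/24 and gateway LAN address 192.168.1.1 (override with CLIENT_NET and GW_IP), uses "! -d" to skip queries that already target the gateway (the first case, plain INPUT traffic), and checks with "-C" before adding so re-running does not stack duplicate rules the way repeated "-I" does.

```shell
#!/bin/sh
# Added example, not from the original note: force every client DNS query
# through the gateway's own dnsmasq, covering the second and third cases
# (client points at a public resolver, or at an IP that serves no DNS).
# Hypothetical values: client subnet 192.168.1.0/24, gateway LAN IP 192.168.1.1.
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"
GW_IP="${GW_IP:-192.168.1.1}"
IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run

# Print the nat-table rule specs (without the "iptables -t nat" prefix),
# one per line. Queries already addressed to the gateway are ordinary
# INPUT traffic and need no DNAT, hence "! -d $gw".
dns_redirect_rules() {
    net="$1"; gw="$2"
    for proto in tcp udp; do
        printf '%s\n' "PREROUTING -s $net ! -d $gw -p $proto --dport 53 -j DNAT --to-destination $gw:53"
    done
}

# Number of rule specs generated for a subnet/gateway pair (self-check helper).
count_rules() { dns_redirect_rules "$1" "$2" | wc -l | tr -d ' '; }

# Install the rules idempotently: "-C" looks for an identical rule first,
# and only appends when it is absent.
apply_dns_redirect() {
    dns_redirect_rules "$CLIENT_NET" "$GW_IP" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # word-splitting the spec is intended
        $IPT -t nat -C $spec 2>/dev/null || $IPT -t nat -A $spec
    done
    # Redirected queries now arrive on INPUT, so the gateway must accept
    # port 53 from the client subnet (where dnsmasq is listening).
    for proto in tcp udp; do
        $IPT -C INPUT -s "$CLIENT_NET" -p "$proto" --dport 53 -j ACCEPT 2>/dev/null \
            || $IPT -A INPUT -s "$CLIENT_NET" -p "$proto" --dport 53 -j ACCEPT
    done
}

# Usage: sh dns-redirect.sh apply   (install rules, needs root)
#        sh dns-redirect.sh rules   (just print the generated specs)
case "$1" in
    apply) apply_dns_redirect ;;
    rules) dns_redirect_rules "$CLIENT_NET" "$GW_IP" ;;
esac
```

Two caveats worth keeping in mind. The "-m state --state NEW" on the note's TCP rule is redundant: the nat table is only consulted for the first packet of a connection, so DNAT already applies only to NEW traffic. And DNAT only sees packets that actually traverse the gateway's PREROUTING chain; when the client dials a VPN, its DNS queries travel inside the encrypted tunnel and reach the gateway only as tunnel payload, so neither these rules nor dnsmasq's ipset feature observe them, which matches the behaviour the note reports. To confirm the redirect is working, enable log-queries in dnsmasq and check that a client query aimed at 223.5.5.5 still shows up in the dnsmasq log.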