General • Re: Static DNS FWD and To AddressList, problem with cache and routes

Thanks, @tamagochi!
I changed your script a little and applied it this way:
Code:
/ip firewall address-list
:foreach i in=[find where list="vpn1_list1"] do={
    :do {
        :local fwdaddress [get $i address]
        :local fwdcomment [get $i comment]
        # adding an address that already exists in vpn1_list2 fails, so on-error simply skips it
        /ip firewall address-list add list=vpn1_list2 address=$fwdaddress comment=$fwdcomment timeout="1d"
    } on-error={ :nothing }
}

As a result, the script, executed on a schedule, copies the resolved IP addresses of the domains and their subdomains that I need into a new list, vpn1_list2, used in the second mangle rule.
It's very fortunate that when this script runs, the addresses already in vpn1_list2 are not duplicated, but are simply skipped by the script.
Also, I need to have two mangle rules:
Code:
/ip dns static add name=somedomain.com type=FWD forward-to=8.8.8.8 address-list=vpn1_list1 match-subdomain=yes
/routing table add name=vpn1_mark fib
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=vpn1_list1 new-routing-mark=vpn1_mark passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=vpn1_list2 new-routing-mark=vpn1_mark passthrough=no
/ip route add distance=1 gateway=vpn1-out routing-table=vpn1_mark

The first mangle rule will fire when an address is detected in vpn1_list1 and stop further processing. And the second will work in the case when the address of the required domain is no longer in vpn1_list1 but still exists in vpn1_list2.


Thus, resolved IP addresses will be valid longer than the TTL of a static DNS entry. I have set the timeout to 24 hours (1d), but the benefits of decreasing or increasing this period are still under consideration.
I think this method has a couple of disadvantages.
Firstly, with a large number of domains, the list of addresses stored for 24 hours (or more if you change the script) may turn out to be quite large, and it is unknown how the router will react to this. Perhaps it will be overloaded with processing long lists. Personally, I only use three or four dozen domains, so this is not a problem for me...
Also, there is still a possibility that after the timeout expires, some address may still be "in the dead zone", and its resolution will not be requested from the router, so as a result it will not be redirected to the correct route. And I think here we can't do anything about this.


I’m also wondering if it’s possible to change the trigger for running the script in some way, so that the script is executed when a record is added to vpn1_list1? I think this would be as effective as possible, given the available capabilities.

It would be nice if they added the timeout option in the DNS Static menu to the address list.
I completely agree with you, that in order to avoid all this hassle, we need just this option.

Statistics: Posted by taravasya — Tue Feb 27, 2024 11:03 pm
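Editor's added example (not code from the post above): the same copy-with-timeout script, extended to count what it added and to log the size of vpn1_list2 each run, which addresses the concern about the list growing unnoticed with many domains. The list names vpn1_list1 and vpn1_list2 come from the post; the script name vpn1-sync, the 10-minute interval and the 2000-entry warning threshold are assumptions.

```routeros
# Added example, not from the original post.
# Copies resolved addresses from vpn1_list1 into vpn1_list2 (1d timeout),
# counts how many were added and logs the resulting list size.
:local added 0
:local limit 2000
# assumed threshold; tune to the router's capacity

:foreach i in=[/ip firewall address-list find where list="vpn1_list1"] do={
    :local fwdaddress [/ip firewall address-list get $i address]
    :local fwdcomment [/ip firewall address-list get $i comment]
    # add fails on a duplicate address, so entries already present are skipped
    :do {
        /ip firewall address-list add list=vpn1_list2 address=$fwdaddress comment=$fwdcomment timeout=1d
        :set added ($added + 1)
    } on-error={ :nothing }
}

# Report the run so list growth shows up in /log instead of only in the firewall menu
:local total [:len [/ip firewall address-list find where list="vpn1_list2"]]
:log info ("vpn1-sync: added " . $added . " entries, vpn1_list2 now holds " . $total)
:if ($total > $limit) do={
    :log warning ("vpn1-sync: vpn1_list2 exceeds " . $limit . " entries, review the timeout or the domain set")
}

# Save this as /system script name=vpn1-sync and run it on a schedule, e.g.:
# /system scheduler add name=vpn1-sync interval=10m on-event="/system script run vpn1-sync"
```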