[dsheets]

I contributed improved ipset support to this project. As far as I know, it’s one of the few off-the-shelf DNS servers that can insert result records into Linux ipsets to enable domain-based firewall policy. I run it on OpenWRT and use the ipset support to open the default drop firewall from my “smart” projector on my IoT subnet to NetFlix and YouTube. It sets the ipset entry expiry to the DNS TTL. Now, the only way for the machine to connect to the internet is to resolve a whitelisted domain and it can only access while the record is fresh. I haven’t encountered any issues so far. I take it that some Chinese users use this same functionality to selectively VPN domains to evade GFW.