Auto-update for alias from Diagnostics DNS Lookup
-
I have an alias created from the Diagnostics->DNS Lookup menu item:
example.com: 93.184.216.34
I can see the alias definition in /conf/config.xml (which I'm guessing is only read at boot):
<alias>
  <name>example_com</name>
  <type>network</type>
  <address>93.184.216.34/32 2606:2800:220:1:248:1893:25c8:1946/128</address>
  <descr><![CDATA[Created from Diagnostics-> DNS Lookup]]></descr>
</alias>
Suppose example.com were to change frequently and I wanted to pass connections from it to a device on the LAN.
From a shell I can determine the IP:
echo `dig example.com`| awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}'
Is there a way that I can pass the output to the active configuration to update the alias?
-
If I understand your request correctly, it sounds like you simply want an FQDN alias (fully-qualified domain name). You can create one under FIREWALL > ALIASES. Here is a link to the official documentation: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html.
FQDN aliases are "refreshed" by the firewall once every 5 minutes. That means a process on the firewall resolves the hostname (or domain name) once every five minutes via a cron task and updates the physical IP address in the firewall rule(s) where the alias is used.
-
@maxbishop said in Auto-update for alias from Diagnostics DNS Lookup:
Much easier!
Thanks
One important thing to remember about FQDN aliases is they are updated at most once per 5 minutes. And if the domain you are resolving uses any kind of CDN or load balancer, it is quite possible that the IP address the firewall resolves for the domain might differ at any point in time from the IP address a client on your network may have just resolved or cached. This is especially true if the client is using a DNS server that is not the same one as the firewall is using.
So the short answer here is that if the domain name in the FQDN is a slowly-changing somewhat static IP, things will work as expected. But if you try to use a FQDN to block something like "facebook.com" or "youtube.com", don't expect it to work very well (if at all). Many of those DNS records have extremely short TTL (time-to-live) values.
-
^ exactly! Rapidly changing IPs for some FQDN can be problematic at best. Or if the client is using different DNS than pfSense, say DoH or something, you can run into mismatches between what pfSense knows for the IPs and what IP the client is using to access the site.
While you can adjust how often pfSense resolves the alias FQDN from the default 5 minutes, depending on that it still can be problematic if the client is using something different than pfSense to resolve the FQDN.
Many of those DNS records have extremely short TTL (time-to-live) values
This is a trend I'm not a fan of at all - I see short TTLs on many records.. Why should I query for something every 60 seconds? It's stupid to have such short TTLs unless you're in the middle of changing where this FQDN is going to point.. This is not a good load-balancing sort of thing like back in the days before load balancers and the use of round-robin DNS responses - even then there was no need for such a short TTL to load balance which servers get hit for some FQDN, etc.
I think it's more of a way for these DNS providers to drive more traffic to them, be it charging per query or just info to glean from how often a specific IP might query for something vs doing a query once that has say a 2 hour TTL and not knowing if the client was using the resource for 5 minutes or 2 hours, etc.
-
@johnpoz said in Auto-update for alias from Diagnostics DNS Lookup:
Many of those DNS records have extremely short TTL (time-to-live) values
This is a trend I'm not a fan of at all - I see short TTLs on many records.. Why should I query for something every 60 seconds? It's stupid to have such short TTLs unless you're in the middle of changing where this FQDN is going to point.. This is not a good load-balancing sort of thing like back in the days before load balancers and the use of round-robin DNS responses - even then there was no need for such a short TTL to load balance which servers get hit for some FQDN, etc.
I think it's more of a way for these DNS providers to drive more traffic to them, be it charging per query or just info to glean from how often a specific IP might query for something vs doing a query once that has say a 2 hour TTL and not knowing if the client was using the resource for 5 minutes or 2 hours, etc.
Same here - I agree. No good reason to have such short TTL values unless there is an ulterior motive like you said...
-
@bmeeks I have set a min TTL of 3600 on my unbound.. Everything works - so it's not like these sites are changing the IPs they use every 5 minutes and the old IP no longer works.. ;)
I would normally say do not mess with the TTLs that the owners have set, but 60 seconds, 5 minutes - FU! That is insane unless you were getting ready to do a big change to another IP, etc.
I guess it does give you the ability to change IPs on the fly and nobody notices at all - but I sure as the F do not want to be doing a query every 60 seconds because your shit might fail ;) In this day and age of load balancers and the ability to ramp up processing power on your server (since it's a VM) and network access on the fly.. There should be little reason that I have to query for www.domain.tld every freaking 60 seconds..
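An added example, not code from the thread or from pfSense itself: the helper below parses constructed dig answer lines, renders them in the host-prefix format the alias <address> element in config.xml uses, and estimates, under the simplifying assumption stated in the code, how far behind a short-TTL record the default 5-minute FQDN alias refresh can lag. The function names and the sample records are mine; the 300-second interval is the default the replies above describe.

```python
import re

# Constructed sample dig answer lines (as printed by `dig +noall +answer`),
# using the two addresses from the config.xml alias in the thread.
SAMPLE_STABLE = """\
example.com.\t3600\tIN\tA\t93.184.216.34
example.com.\t3600\tIN\tAAAA\t2606:2800:220:1:248:1893:25c8:1946
"""
# Constructed sample for a CDN-style name that publishes 60-second TTLs.
SAMPLE_SHORT_TTL = """\
www.cdn.example.\t60\tIN\tA\t198.51.100.7
www.cdn.example.\t60\tIN\tA\t198.51.100.8
"""

ALIAS_REFRESH_SECONDS = 300  # pfSense default: FQDN aliases re-resolved every 5 minutes

# owner  TTL  IN  type  rdata  (only A and AAAA are kept; CNAME lines etc. are skipped)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_answer(text):
    """Parse dig answer-section lines into (ttl, rtype, address) tuples."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3), m.group(4)))
    return records


def alias_address(records):
    """Render records the way the alias <address> element stores them: host prefixes, space-separated."""
    return " ".join(f"{addr}/{32 if rtype == 'A' else 128}" for _, rtype, addr in records)


def stale_window_seconds(records, refresh=ALIAS_REFRESH_SECONDS):
    """Worst-case seconds the alias may keep an address the zone no longer serves.

    Simplifying assumption: the published answer changes no faster than its TTL, so
    with one resolution at t=0 and the next at t=refresh, the exposure is refresh - min TTL.
    """
    if not records:
        raise ValueError("no A/AAAA records: alias would resolve to nothing")
    return max(0, refresh - min(ttl for ttl, _, _ in records))


def suitable_for_fqdn_alias(records, refresh=ALIAS_REFRESH_SECONDS):
    """True when every record's TTL is at least the alias refresh interval."""
    return stale_window_seconds(records, refresh) == 0
```

Feed it the real output of `dig +noall +answer <name> A <name> AAAA` to check a candidate name before relying on an FQDN alias for it; a non-zero stale window is the mismatch the replies above warn about.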