Alias hostname expansion containing CNAME records
-
Alias for hostname
outlook.office365.com resolves to several IP addresses + a CNAME record ooc-g2.tm-4.office.com in the pfSense DNS Lookup tool. The CNAME record then resolves to some more IPs and more CNAME records (outlook.ms-acdc.office.com). This nested resolution continues for some more iterations.
When I create an alias with the original hostname and look at the IPs resolved in the table lookup, it doesn't contain the IPs of the CNAME resolutions.
How should the alias be configured so that all CNAME entries are fully resolved? I understand the nested hostnames can be added to the alias list, but those are dynamic and could possibly change in the future.
-
I do that by adding this to pfBlocker: https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
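To make this concrete for the policy-routing use case, here is an added example (my own code, not pfSense's, pfBlockerNG's or Microsoft's) that turns a download of that endpoint feed into the one-CIDR-per-line list a pfBlockerNG custom IPv4 alias takes. It assumes the feed is a JSON array of objects with "serviceArea", "ips" (CIDR strings, IPv4 and IPv6 mixed) and "tcpPorts" (comma-separated string) keys; SAMPLE_FEED is a constructed, abridged stand-in for the real download so the script runs offline, and the entry ids and prefixes in it are illustrative only.

```python
"""Turn the Office 365 endpoint feed into a pfBlockerNG-style IPv4 prefix list.

Added example, not code from the forum thread, pfSense or Microsoft. It assumes
the feed is a JSON array of objects carrying "serviceArea", "ips" (CIDR strings,
v4 and v6 mixed) and "tcpPorts" (comma-separated string). SAMPLE_FEED is a
constructed, abridged stand-in for the real download.
"""
import ipaddress
import json

# Constructed sample in the assumed feed layout; ids and prefixes are illustrative.
SAMPLE_FEED = json.dumps([
    {"id": 101, "serviceArea": "Exchange",
     "urls": ["outlook.office365.com", "smtp.office365.com"],
     "ips": ["52.96.0.0/14", "40.96.0.0/13", "52.96.128.0/17", "2603:1006::/40"],
     "tcpPorts": "143, 587, 993, 995", "category": "Allow", "required": True},
    {"id": 102, "serviceArea": "Exchange", "urls": ["*.outlook.office.com"],
     "ips": ["13.107.6.152/31", "2603:1016::/36"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 103, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "tcpPorts": "80,443",
     "category": "Optimize", "required": True},
    {"id": 104, "serviceArea": "Common", "urls": ["login.microsoftonline.com"],
     "tcpPorts": "80,443", "category": "Allow", "required": True},  # URL-only entry, no "ips"
])


def parse_ports(spec):
    """'143, 587, 993' -> {143, 587, 993}; a missing or empty spec -> empty set."""
    return {int(p) for p in (spec or "").split(",") if p.strip()}


def select_prefixes(feed_json, service_area, port=None, family=4):
    """Collect the prefixes of one service area (IPv4 by default), optionally only
    from entries that list `port` among their TCP ports. Overlapping and
    contained prefixes are merged so the resulting pf table is minimal."""
    nets = []
    for entry in json.loads(feed_json):
        if entry.get("serviceArea") != service_area:
            continue
        if port is not None and port not in parse_ports(entry.get("tcpPorts")):
            continue
        for cidr in entry.get("ips", []):          # URL-only entries simply contribute nothing
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == family:
                nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covers(prefixes, address):
    """True if `address` lies inside any prefix of the list. Handy for checking
    that an A record you resolved by hand really is in the published ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def alias_file(prefixes):
    """One CIDR per line, the layout a pfBlockerNG custom IP list accepts."""
    return "\n".join(prefixes) + "\n"


if __name__ == "__main__":
    imap = select_prefixes(SAMPLE_FEED, "Exchange", port=993)
    print(alias_file(imap), end="")
    print("52.96.191.2 covered:", covers(imap, "52.96.191.2"))
```

Restricting to entries that list port 993 keeps the alias to the ranges that actually serve IMAP, which is what the policy-routing rule needs; drop the `port` argument if you would rather route everything Exchange publishes. The collapsed output is what you paste into (or serve to) the pfBlockerNG custom list; re-run it on the feed's own schedule, since the point of the published list is that it changes.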
-
@stephenw10 said in Alias hostname expansion containing CNAME records:
https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
That's brilliant! Does Yahoo publish such a list too?
My use case is to use policy-based routing to use specific VPNs for the respective IMAP servers accessed from the same client.
-
@GPz1100 said in Alias hostname expansion containing CNAME records:
When I create an alias with the original hostname and look at the IPs resolved in the table lookup, it doesn't contain the IPs of the CNAME resolutions.
Why would it?
```
;; ANSWER SECTION:
outlook.office365.com.        3504 IN CNAME ooc-g2.tm-4.office.com.
ooc-g2.tm-4.office.com.       1378 IN CNAME outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com.   1378 IN CNAME MDW-efz.ms-acdc.office.com.
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.191.2
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.73.50
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.79.50
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.79.146
```
You mean the 4 IPs of the last CNAME in the chain are not listed? Those "CNAMEs" don't actually resolve to an IP - a CNAME points to an FQDN.
There can be many more IPs than just the 4 listed, but the intermediate CNAMEs themselves would not actually resolve to an IP.

But Steve has the proper solution for things that have lists of IPs that need to be allowed: they should publish a dynamic list of IPs that you can load.
An example I would point out is the IPs Plex might use to check if your server is open for remote access; they publish this list:
https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt
Other services like Uptime Robot, HetrixTools, etc. that can be used to monitor if your service is up also publish lists of the IPs their checks will come from:
https://uptimerobot.com/inc/files/ips/IPv4.txt
https://hetrixtools.com/resources/uptime-monitor-only-ips.txt
pfBlocker is a great tool for putting such lists into aliases.
What exactly are you wanting to do with Yahoo IPs - are you wanting to allow specific services to talk to you, or for you to talk to them? Normally you can find such lists by googling for your service and something like "firewall rules" or "IPs", etc.
Another option is allowing or blocking via the ASN their service is on that you want to allow or deny: just find an IP of that FQDN, then search for the ASN that IP belongs to, and then you can easily add that ASN, or multiple ASNs, to an alias with pfBlocker.
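The point in the post above (a CNAME names another name, only the end of the chain carries addresses) is easy to see by walking the chain programmatically. The following is an added example, my own code rather than anything from pfSense or the thread: it parses a dig-style ANSWER SECTION, follows the CNAMEs from the queried name and reports the terminal A records together with the smallest TTL on the path, which is how long that answer can be trusted before the alias needs a refresh. The sample answer section is the one pasted above, re-wrapped one record per line; it also handles the two failure modes a resolver must refuse, a CNAME loop and an over-long chain.

```python
"""Follow a CNAME chain from a dig-style ANSWER SECTION to its A records.

Added example, not code from pfSense or the forum post. The records below are
the dig output from the thread, reformatted to one resource record per line.
"""
import ipaddress

# Sample taken from the post above (constructed layout: one RR per line).
ANSWER_SECTION = """\
outlook.office365.com.        3504 IN CNAME ooc-g2.tm-4.office.com.
ooc-g2.tm-4.office.com.       1378 IN CNAME outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com.   1378 IN CNAME MDW-efz.ms-acdc.office.com.
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.191.2
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.73.50
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.79.50
MDW-efz.ms-acdc.office.com.   3504 IN A     52.96.79.146
"""


def _canon(name):
    """DNS names are case-insensitive; drop the trailing dot and lower-case."""
    return name.rstrip(".").lower()


def parse_answer_section(text):
    """Parse 'owner TTL IN TYPE rdata' lines into (owner, ttl, type, rdata) tuples.
    Lines that are not plain five-field resource records are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = parts
        if rtype == "CNAME":
            rdata = _canon(rdata)          # target is a name, compare it like one
        records.append((_canon(owner), int(ttl), rtype, rdata))
    return records


def cname_only_names(records):
    """Names that own a CNAME and no A record: they have no address of their own,
    which is why an alias built from them alone would be empty."""
    with_a = {o for o, _t, rt, _r in records if rt == "A"}
    return sorted({o for o, _t, rt, _r in records if rt == "CNAME"} - with_a)


def resolve_chain(name, records, max_depth=8):
    """Walk CNAMEs from `name`. Returns (ips, min_ttl, chain):
    ips     - A records at the end of the chain (what the pf table ends up holding)
    min_ttl - smallest TTL seen on the path; the answer is only valid that long
    chain   - the names visited, in order
    Raises ValueError on a CNAME loop or a chain longer than max_depth hops."""
    by_owner = {}
    for owner, ttl, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((ttl, rtype, rdata))
    current = _canon(name)
    chain = [current]
    min_ttl = None
    for _ in range(max_depth):
        rrset = by_owner.get(current, [])
        for ttl, _rt, _rd in rrset:
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        addrs = [rd for _t, rt, rd in rrset if rt == "A"]
        if addrs:
            return sorted(addrs, key=ipaddress.IPv4Address), min_ttl, chain
        targets = [rd for _t, rt, rd in rrset if rt == "CNAME"]
        if not targets:
            return [], min_ttl, chain     # dangling chain: nothing to put in the alias
        current = targets[0]              # an owner may hold only one CNAME
        if current in chain:
            raise ValueError("CNAME loop at " + current)
        chain.append(current)
    raise ValueError("CNAME chain longer than %d hops" % max_depth)


if __name__ == "__main__":
    recs = parse_answer_section(ANSWER_SECTION)
    ips, ttl, chain = resolve_chain("outlook.office365.com", recs)
    print(" -> ".join(chain))
    print("A records:", ips, "valid for", ttl, "seconds")
    print("names with no address of their own:", cname_only_names(recs))
```

Two things the walk makes visible: every intermediate name in the chain has no A record at all, so adding those names to the alias buys nothing, and the usable lifetime of the answer is the 1378-second TTL of the middle CNAMEs, not the 3504 seconds shown on the A records. A resolver that answers from a different region can return a different terminal name and a different set of addresses, which is why the published prefix list is the dependable source for policy routing.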
-
@johnpoz said in Alias hostname expansion containing CNAME records:
What exactly are you wanting to do with Yahoo IPs - are you wanting to allow specific services to talk to you, or for you to talk to them? Normally you can find such lists by googling for your service and something like "firewall rules" or "IPs", etc.
My use case is to use policy-based routing with specific VPNs for the respective IMAP servers accessed from the same client.
I.e. use VPN A for Yahoo, VPN B for Microsoft, VPN C for Gmail.