Request: Update alias during a client DNS query
-
Problem:
If I create a hostname-alias for a site that has lots of IPs, where the site's DNS server only returns a subset of IPs with each query, then my alias will not get all of the IPs for the site. Then, if a client on my network queries for that same hostname, it may get a different set of IPs. This causes a problem when I am trying to whitelist a site by hostname-alias.
Proposed Solution:
- Client queries pfSense DNS server for google.com, and pfSense forwards that out to Google's DNS servers
- Google's DNS servers return 2.2.2.2 and 3.3.3.3
- pfSense sees those IPs and also sees that it has an alias for google.com, but the alias only knows about 1.1.1.1 and 2.2.2.2
- pfSense merges in the 3.3.3.3 address to the alias, so the alias has complete information (all 3 IPs)
- pfSense will then finish responding to the DNS request to the client, sending them 2.2.2.2 and 3.3.3.3.
This way, the alias stays up to date and will be able to whitelist all IPs that a client might try to use. Maybe once a week, it could prune old IPs from the alias.
In my real case, I am trying to whitelist hostnames for the Private Internet Access VPN servers so that certain internal hosts can only get out through a VPN, so it's important that my LAN hosts use the IPs that pfSense is whitelisting or else they will fail to connect. Is there a better way to do this?
Thanks!
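To make the problem and the proposed merge concrete, here is an added simulation (not pfSense, unbound or filterdns code, and not part of the original request). It models an upstream resolver that answers with a rotating two-address subset of a host's four addresses, compares a one-shot alias snapshot (the way a periodic hostname-alias refresh sees the host) against a table that merges every forwarded answer, and prunes addresses not seen within a configurable age, as the request suggests. The hostname and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders.

```python
"""Simulation of the alias-merging proposal above (constructed example)."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed upstream data: one host with four addresses (RFC 5737 ranges).
UPSTREAM_RECORDS: Dict[str, List[str]] = {
    "vpn.example.test": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"],
}


class RotatingResolver:
    """Stand-in for an authoritative server that returns only a subset of a
    host's addresses per query, starting one address later each time."""

    def __init__(self, records: Dict[str, List[str]], answer_size: int = 2):
        self._rings = {host: deque(ips) for host, ips in records.items()}
        self._answer_size = answer_size

    def query(self, hostname: str) -> List[str]:
        ring = self._rings[hostname]
        answer = [ring[i] for i in range(min(self._answer_size, len(ring)))]
        ring.rotate(-1)  # next query begins with the following address
        return answer


class MergingAliasTable:
    """Alias table that learns from every DNS answer it sees and forgets
    addresses that have not appeared within max_age seconds."""

    def __init__(self, max_age: float):
        self.max_age = max_age
        # hostname -> {ip: last time the ip appeared in an answer}
        self._seen: Dict[str, Dict[str, float]] = {}

    def observe_answer(self, hostname: str, ips: List[str], now: float) -> None:
        entry = self._seen.setdefault(hostname, {})
        for ip in ips:
            entry[ip] = now  # merge new addresses, refresh known ones

    def prune(self, now: float) -> None:
        for entry in self._seen.values():
            stale = [ip for ip, last in entry.items() if now - last > self.max_age]
            for ip in stale:
                del entry[ip]

    def addresses(self, hostname: str) -> Set[str]:
        return set(self._seen.get(hostname, {}))


def run_simulation(client_queries: int = 4,
                   answer_size: int = 2) -> Tuple[Set[str], Set[str], List[List[str]]]:
    """Return (snapshot alias, merged alias, per-client answers).

    The snapshot is what a single periodic alias refresh learns; the merged
    table additionally records each answer forwarded to a client."""
    host = "vpn.example.test"
    upstream = RotatingResolver(UPSTREAM_RECORDS, answer_size)

    snapshot = set(upstream.query(host))           # alias refresh: one query
    table = MergingAliasTable(max_age=7 * 24 * 3600)  # prune after a week
    table.observe_answer(host, sorted(snapshot), now=0.0)

    client_answers: List[List[str]] = []
    for tick in range(1, client_queries + 1):
        answer = upstream.query(host)              # client query, forwarded
        table.observe_answer(host, answer, now=float(tick))
        client_answers.append(answer)

    return snapshot, table.addresses(host), client_answers


if __name__ == "__main__":
    snap, merged, answers = run_simulation()
    print("snapshot alias:", sorted(snap))
    print("merged alias:  ", sorted(merged))
    for a in answers:
        status = "allowed" if set(a) <= snap else "BLOCKED by snapshot alias"
        print("client got", a, "->", status)
```

Running it shows the failure the request describes: a client answer such as 192.0.2.2 and 192.0.2.3 is not covered by the two-address snapshot, while the merged table ends up holding all four addresses and so covers every answer a client received.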
-
That may sound like a simple/good idea but it is nowhere near possible. Your DNS queries are resolved by either unbound or dnsmasq, the host aliases are maintained by filterdns. There isn't any way for unbound or dnsmasq to know that a hostname is used in an alias or to signal filterdns of an update, or modify pf directly.
pfBlocker might get you closer to where you want to go there, with something like AS-based aliases or some of its built-in lists.
-
Understood, thank you anyway.