Netgate Discussion Forum
    [RESOLVED] FQDN alias not working / filterdns.conf does not exist

      mkcharlie

      In auth0 multiple 'domains' can be created, and depending on the domain the URL becomes <domain>.eu.auth0.com.

      I can see the rule with the alias in /tmp/rules.debug. That rule has the correct variable in it ('auth0'). Rules.debug also shows 'persist' as table contents. I understood that that is the normal situation for a FQDN alias. I then wanted to debug the content of the FQDN alias, and read on the forum that I should find it in /var/etc/filterdns.conf.

      During my tests yesterday, the domain always resolved to a set of 2 IP addresses. This was over a timespan of 2 hours in which I restarted pfsense a couple of times to be sure.

      Is a filterdns.conf file created and is filterdns running on your box?

      Extra information:
      Output of cat /var/etc/rules.debug | grep auth0

      table <auth0> persist
      auth0 = "<auth0>"
      pass  in  quick  on $ELK inet proto tcp  from any to $auth0 port 443 tracker 1502133288 flags S/SA keep state  label "USER_RULE: Auth0 server access"

      Screenshot of Diagnostics => DNS lookup

      http://imgur.com/a/JPXbw

      And an output of the firewall log entry that the traffic is blocked:

      http://imgur.com/a/3dwmV
      Interface 'ELK' is linked to igb2, which has static IP addresses configured in the 192.168.2.0/24 network. The box 192.168.2.2 has static IP configured.

      It is worth noting that this screenshot is from now, and the IP addresses are still the same as yesterday.
      I added imgur links both as img as well as hyperlinks, because I seem to do something wrong with the img tags.

      enabled services:

      • snort
      • pfblockerNG
      Derelict (Netgate)

        OK show us the alias.

        Show us Diagnostics > Tables, auth0.

        You might as well just stop hiding the hostname since you showed the IP addresses. It just makes it so we can't look at it from our chairs.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        mkcharlie

          Alias:
          http://imgur.com/a/odc5f

          Table for auth0 is empty…

          EDIT: just tried exactly the same with an ACME url (acme-v01.api.letsencrypt.org). Same issue persists. So there must be something that I'm doing wrong.

          johnpoz (Global Moderator)

            did you validate pfsense can actually resolve the FQDN you put in?

            that example you used bounces to 2 cnames

            ;; QUESTION SECTION:
            ;acme-v01.api.letsencrypt.org.  IN      A

            ;; ANSWER SECTION:
            acme-v01.api.letsencrypt.org. 7200 IN  CNAME  api.letsencrypt.org.edgekey.net.
            api.letsencrypt.org.edgekey.net. 21600 IN CNAME e981.dscb.akamaiedge.net.
            e981.dscb.akamaiedge.net. 3600  IN      A      23.197.31.200

            I just duplicated your test fqdn in an alias.  Validated pfsense can resolve, created the alias, then validated they are listed in the table for my alias (testfqdn)

            Now I am running 2.4 beta - but the steps I posted in the screenshot are exactly the same way you would validate a fqdn you placed in an alias.  Validate it resolves.. I would also check what the TTL of the records(s) are.. Then validate it shows up in your table.  But yeah if it doesn't show up in the table then not going to be of much use in a firewall rule.

            You're not actually trying to use <domain> are you?  I just put in some gibberish and it resolves

            ;; QUESTION SECTION:
            ;blahslasljdfsldjflsjfds.eu.auth0.com. IN A

            ;; ANSWER SECTION:
            blahslasljdfsldjflsjfds.eu.auth0.com. 3600 IN A 54.93.108.42
            blahslasljdfsldjflsjfds.eu.auth0.com. 3600 IN A 52.59.97.214

            ;; AUTHORITY SECTION:
            eu.auth0.com.          91145  IN      NS      ns-1429.awsdns-50.org.
            eu.auth0.com.          91145  IN      NS      ns-1665.awsdns-16.co.uk.
            eu.auth0.com.          91145  IN      NS      ns-53.awsdns-06.com.
            eu.auth0.com.          91145  IN      NS      ns-770.awsdns-32.net.

            [Screenshot: fqdnalias.png]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            mkcharlie

              Hmm, well thanks for trying. Those entries are exactly the same, and I just tested that the hostname can be resolved in Diagnostics\DNS Lookup.
              And no, I'm not using <domain> ;).

              Other ideas?

              I have the feeling that my FW is acting a bit strange. I was having another issue with Squid for a couple of days already, which was suddenly resolved an hour ago. Anyway, I don't believe in black magic so there must be something wrong with my config.

              Settings:

              [Screenshots: pfsenseAcmeDNS.PNG, pfsenseAcmeAlias.PNG, pfsenseAcmeFW.PNG, pfsenseAcmeTable.PNG]

              johnpoz (Global Moderator)

                Yeah you have something broken if your table is not filling in.

                But why do you have so many DNS listed?  Pfsense out of the box would use the resolver, and the only dns listed would/should be 127.0.0.1

                mkcharlie

                  I have no idea about the DNS services. Maybe I added one myself. But the other ones appear by default. Where can I remove them? (in general setup there is only one listed, but indeed in the screenshot there are more).

                  Edit: I removed the other dns servers, so only 127.0.0.1 present now.

                  Anyway: problem is persisting.

                  mkcharlie

                    I think I figured it out.
                    I had configured a shellcmd for filebeat. However, it seems there is a known issue with shellcmd blocking subsequent processes from starting up.

                    I removed shellcmd, added a new alias, added it to a FW rule, and everything is working smoothly. The fact that my PFSense box seemed to operate normally (with shellcmd), is probably because shellcmd only started the filebeat process at the end of the startup. However, all processes that had to start later (such as filterdns, which has to start after hitting the 'save' button on the alias page) couldn't, as filebeat was still blocking.

                    Derelict (Netgate)
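                    An added check script, not from this thread or from the pfSense project: it scripts the validation johnpoz describes (does the FQDN resolve from the box, and does the alias table hold every address it resolves to) and, when the table is short, looks for the condition behind mkcharlie's fix: filterdns not running and /var/etc/filterdns.conf absent. It assumes pfSense's drill(1), pfctl(8) and pgrep(1); the alias and FQDN arguments are placeholders, and the comparison helpers are offline-testable.

```shell
#!/bin/sh
# Added example: compare what a FQDN resolves to with what pf loaded into the
# alias table, then check whether filterdns is alive if they disagree.

# Print addresses in $1 (one per line) that are absent from $2 (one per line).
missing_addrs() {
    resolved="$1"; table="$2"
    for ip in $resolved; do
        case " $(printf '%s' "$table" | tr '\n' ' ') " in
            *" $ip "*) ;;               # present in the pf table
            *) printf '%s\n' "$ip" ;;   # resolved, but filterdns never loaded it
        esac
    done
}

# Return 0 when every resolved address is in the table, 1 otherwise.
table_complete() {
    [ -z "$(missing_addrs "$1" "$2")" ]
}

# Live check on a pfSense box (placeholder args: alias name, FQDN).
check_fqdn_alias() {
    alias_name="$1"; fqdn="$2"
    # drill -Q prints only rdata, so CNAME targets appear too; keep IPv4 A records.
    resolved=$(drill -Q "$fqdn" A 2>/dev/null | grep -E '^[0-9.]+$' | sort -u)
    table=$(pfctl -t "$alias_name" -T show 2>/dev/null | awk '{print $1}' | sort -u)
    [ -n "$resolved" ] || { echo "$fqdn does not resolve from this box"; return 2; }
    if table_complete "$resolved" "$table"; then
        echo "table <$alias_name> holds all resolved addresses"
        return 0
    fi
    echo "resolved but missing from table <$alias_name>:"
    missing_addrs "$resolved" "$table"
    [ -f /var/etc/filterdns.conf ] || echo "/var/etc/filterdns.conf is missing"
    pgrep -q filterdns || echo "filterdns is not running; look for something blocking startup (e.g. a shellcmd)"
    return 1
}
```

Run it as `check_fqdn_alias auth0 tenant.eu.auth0.com` from a shell on the firewall; an empty table with filterdns absent reproduces the symptom in this thread.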

                      Custom junk once again.

                        mkcharlie

                        Thanks for that constructive final word. If everyone would use the default installation, this forum would not be required.
