Netgate Discussion Forum
    Selective Routing with FQDNs - Subdomains Matter?

    Firewalling
    ProfessorManhattan

      Hey, I'm selectively routing my traffic through a VPN. I have an alias with a bunch of domain names that bypass the VPN. My question is: Do I have to specify the exact domain or can I just provide the root domain?

      For example, can I add arizona.edu to the selective routing alias if I want to match mirror.arizona.edu?

    bmeeks @ProfessorManhattan
    last edited by bmeeks

        @professormanhattan said in Selective Routing with FQDNs - Subdomains Matter?:

        Hey, I'm selectively routing my traffic through a VPN. I have an alias with a bunch of domain names that bypass the VPN. My question is: Do I have to specify the exact domain or can I just provide the root domain?

        For example, can I add arizona.edu to the selective routing alias if I want to match mirror.arizona.edu?

        FQDN aliases are not resolved "on-the-fly" by the firewall packet-by-packet. Instead, a separate process called filterdns runs similar to a cron task. The filterdns daemon goes through the FQDN alias list once every 5 minutes by default and resolves the domain names to IP addresses. Each FQDN alias must be complete. No wildcard characters are allowed. So in your case, if arizona.edu and mirror.arizona.edu resolve to different IPs (and I assume they do), then you have to list them separately in the alias. When filterdns resolves the FQDN to an IP address, it puts that IP address in a pf firewall engine table having the same name as the alias. You can see these tables under DIAGNOSTICS > TABLES from the pfSense menu. The firewall rules are actually matching realtime on the IP addresses in these tables. So your alias names in firewall rules are actually the names of these pf tables, and the IP addresses in those tables are what are matched.

        While the use of FQDN aliases is indeed a cool feature, it has limitations. Consider the case of a CDN where some DNS records are returned with very short TTL values. Some of these CDNs return DNS TTL values that are less than the 5-minute execution interval of filterdns. So that means the firewall may have one IP address currently in the alias table that it is matching against, while some client on your network just recently did a lookup and got a different IP value for the CDN that is not the same as the one the firewall has at that moment.

        Edit: I should have mentioned that filterdns will process multiple IP addresses for a given domain. So something like google.com will result in several IPv4 and IPv6 addresses getting stored to the alias pf table.

    ProfessorManhattan @bmeeks
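The two points in the answer above (exact-name matching only, and a periodic resolver pass that can lag behind short CDN TTLs) can be seen in a small simulation. This is an added example, not pfSense or filterdns code, and the DNS records it resolves are constructed; it models a filterdns-style pass every 300 seconds that rebuilds a pf-style table, and a client that resolves the same name at an arbitrary moment and checks whether the address it got is in that table.

```python
"""Simulation of FQDN-alias resolution as described in the thread.
Added example (not pfSense/filterdns code); all DNS data is constructed."""
from dataclasses import dataclass, field

REFRESH_INTERVAL = 300  # filterdns default: one pass every 5 minutes

# Constructed zone: name -> (address pool, TTL in seconds).
# The CDN-style name rotates through its pool once per TTL period,
# and its 60 s TTL is much shorter than the 300 s resolver interval.
CONSTRUCTED_ZONE = {
    "mirror.arizona.edu": (["198.51.100.10"], 3600),
    "cdn.example.net": (["203.0.113.1", "203.0.113.2", "203.0.113.3"], 60),
}


def resolve(name, now):
    """Toy resolver: A records for `name` as seen at time `now` (seconds).
    Exact-name lookup only: 'arizona.edu' never matches 'mirror.arizona.edu',
    which is why each FQDN must be listed in the alias explicitly."""
    if name not in CONSTRUCTED_ZONE:
        return []
    pool, ttl = CONSTRUCTED_ZONE[name]
    return [pool[(now // ttl) % len(pool)]]


@dataclass
class AliasTable:
    """Stand-in for the pf table that carries the alias name."""
    names: list
    addresses: set = field(default_factory=set)
    last_refresh: int = -REFRESH_INTERVAL  # so the first pass runs at t=0

    def refresh(self, now):
        """Run the periodic pass if one was due since the last run.
        Passes happen on the 300 s tick, independent of client activity."""
        due = (now // REFRESH_INTERVAL) * REFRESH_INTERVAL
        if due <= self.last_refresh:
            return False
        # Rebuild the table from every FQDN, keeping all returned addresses.
        self.addresses = {a for n in self.names for a in resolve(n, due)}
        self.last_refresh = due
        return True

    def matches(self, ip):
        return ip in self.addresses


def client_bypasses_vpn(table, name, now):
    """A client resolves `name` at time `now`; does the alias rule match
    the destination it will actually connect to?"""
    table.refresh(now)
    dest = resolve(name, now)
    return bool(dest) and table.matches(dest[0])


def stale_seconds(alias_names, lookup_name, horizon):
    """Count the seconds in [0, horizon) during which a client resolving
    `lookup_name` would get an address the alias table does not contain."""
    table = AliasTable(list(alias_names))
    stale = 0
    for now in range(horizon):
        if not client_bypasses_vpn(table, lookup_name, now):
            stale += 1
    return stale


if __name__ == "__main__":
    # Parent domain in the alias does not cover the host name.
    print(client_bypasses_vpn(AliasTable(["arizona.edu"]), "mirror.arizona.edu", 10))
    # Exact FQDN in the alias does.
    print(client_bypasses_vpn(AliasTable(["mirror.arizona.edu"]), "mirror.arizona.edu", 10))
    # Short-TTL CDN: out of a 10-minute window, how long is the table stale?
    print(stale_seconds(["cdn.example.net"], "cdn.example.net", 600))
```

With the constructed 60 s TTL and three-address pool, the table is stale for 360 of every 600 seconds, which is the mismatch the answer warns about; with a stable record it is never stale. On a real pfSense box the equivalent check is to compare what a client resolves against the live contents of the table under Diagnostics > Tables, as the post describes.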

          @bmeeks Thank you, this answers my question.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.