Netgate Discussion Forum

Selective Routing with FQDNs - Subdomains Matter?

Firewalling
  • ProfessorManhattan, Feb 24, 2021, 6:11 AM

    Hey, I'm selectively routing my traffic through a VPN. I have an alias with a bunch of domain names that bypass the VPN. My question is: Do I have to specify the exact domain or can I just provide the root domain?

    For example, can I add arizona.edu to the selective routing alias if I want to match mirror.arizona.edu?

    • bmeeks @ProfessorManhattan, Feb 24, 2021, 1:26 PM (last edited by bmeeks Feb 24, 2021, 1:38 PM)

      @professormanhattan said in Selective Routing with FQDNs - Subdomains Matter?:

      Hey, I'm selectively routing my traffic through a VPN. I have an alias with a bunch of domain names that bypass the VPN. My question is: Do I have to specify the exact domain or can I just provide the root domain?

      For example, can I add arizona.edu to the selective routing alias if I want to match mirror.arizona.edu?

      FQDN aliases are not resolved "on-the-fly" by the firewall packet-by-packet. Instead, a separate process called filterdns runs similar to a crontask. The filterdns daemon goes through the FQDN alias list once every 5 minutes by default and resolves the domain names to IP addresses. Each FQDN alias must be complete. No wildcard characters are allowed. So in your case, if arizona.edu and mirror.arizona.edu resolve to different IPs (and I assume they do), then you have to list them separately in the alias. When filterdns resolves the FQDN to an IP address, it puts that IP address in a pf firewall engine table having the same name as the alias. You can see these tables under DIAGNOSTICS > TABLES from the pfSense menu. The firewall rules are actually matching realtime on the IP addresses in these tables. So your alias names in firewall rules are actually the names of these pf tables, and the IP addresses in those tables are what are matched.

      While the use of FQDN aliases is indeed a cool feature, it has limitations. Consider the case of a CDN where some DNS records are returned with very short TTL values. Some of these CDNs return DNS TTL values that are less than the 5-minute execution interval of filterdns. So that means the firewall may have one IP address currently in the alias table that it is matching against, while some client on your network just recently did a lookup and got a different IP value for the CDN that is not the same as the one the firewall has at that moment.

      Edit: I should have mentioned that filterdns will process multiple IP addresses for a given domain. So something like google.com will result in several IPv4 and IPv6 addresses getting stored to the alias pf table.
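The behaviour bmeeks describes above, modelled as a small added example (not pfSense or filterdns code): each alias entry matches only its own name, wildcards are rejected, every resolved address lands in one table that pf matches by IP, and a TTL shorter than the 5-minute filterdns interval lets the table lag behind what clients resolve. The DNS answers and addresses are constructed (documentation ranges), and the helper names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

FILTERDNS_INTERVAL = 300  # pfSense default: filterdns re-resolves aliases every 5 minutes

@dataclass
class DnsAnswer:
    addresses: List[str]  # all A/AAAA records returned for the name
    ttl: int              # TTL in seconds as returned by the resolver

# Constructed DNS snapshots (RFC 5737/3849 documentation addresses, not real records):
# what filterdns saw on its last run, and what a client sees shortly afterwards.
FIREWALL_VIEW: Dict[str, DnsAnswer] = {
    "mirror.arizona.edu": DnsAnswer(["192.0.2.10"], 3600),
    "cdn.example.net": DnsAnswer(["198.51.100.7"], 60),
    "google.com": DnsAnswer(["192.0.2.20", "192.0.2.21", "2001:db8::20"], 300),
}
CLIENT_VIEW: Dict[str, DnsAnswer] = {
    **FIREWALL_VIEW,
    "cdn.example.net": DnsAnswer(["198.51.100.8"], 60),  # CDN rotated the record within 5 minutes
}

def wildcard_entries(alias: List[str]) -> List[str]:
    """Entries filterdns cannot process: wildcard characters are not allowed in FQDN aliases."""
    return [e for e in alias if "*" in e]

def hosts_not_covered(wanted: List[str], alias: List[str]) -> List[str]:
    """Each alias entry matches only its own name; listing a root domain does not cover its subdomains."""
    return [h for h in wanted if h not in alias]

def build_pf_table(alias: List[str], view: Dict[str, DnsAnswer]):
    """Emulate filterdns: resolve every complete FQDN and store all of its addresses in one pf table."""
    table = set()
    for fqdn in alias:
        if fqdn in view:
            table.update(ipaddress.ip_address(a) for a in view[fqdn].addresses)
    return table

def rule_matches(table, dst: str) -> bool:
    """pf matches the packet's destination IP against the table; the hostname never enters into it."""
    return ipaddress.ip_address(dst) in table

def short_ttl_entries(alias: List[str], view: Dict[str, DnsAnswer], interval: int = FILTERDNS_INTERVAL) -> List[str]:
    """FQDNs whose TTL is below the filterdns interval: the table can hold an IP clients no longer get."""
    return [f for f in alias if f in view and view[f].ttl < interval]
```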

      • ProfessorManhattan @bmeeks, Feb 24, 2021, 3:12 PM

        @bmeeks Thank you, this answers my question.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.