1 out of 40 hostnames in alias list not passing yet IP matches



  • I've got an alias list of 40 dynamic DNS hostnames which are allowed inbound on my network over a specific port via a NAT/firewall rule.  However, there is one hostname whose associated IP address always gets blocked inbound over the allowed port.  When I do a DNS lookup for the hostname, the returned IP matches the one showing up in the blocks in the firewall.  All 39 other hostnames pass without issue.  I've tried removing the entry from the alias list and recreating it with no change.

    Not sure where to go from here…



  • @JimPhreak:

    I've got an alias list of 40 dynamic DNS hostnames…
    there is one hostname whose associated IP address always gets blocked... 
    All 59 other hostnames pass without issue. ...

    Not sure where to go from here...

    Math class.



  • @NOYB:

    @JimPhreak:

    I've got an alias list of 40 dynamic DNS hostnames…
    there is one hostname whose associated IP address always gets blocked... 
    All 59 other hostnames pass without issue. ...

    Not sure where to go from here...

    Math class.

    Thanks for the productive reply.



  • Without more information, everything is conjecture:
    It's getting blocked by the default deny rule?
    Are you sure your rules are ordered correctly? User-added rules are first-match wins.
    Have you tried adding the same rule, with just the host name in question in the alias to rule out anything in the web interface mucking things up?
    Have you considered posting screenshots of the rules, the IP alias, and the firewall logs to give others more information to try and help?



  • @JimPhreak:

    @NOYB:

    @JimPhreak:

    I've got an alias list of 40 dynamic DNS hostnames…
    there is one hostname whose associated IP address always gets blocked... 
    All 59 40 other hostnames pass without issue. …

    Not sure where to go from here...

    Math class.

    Thanks for the productive reply.

    You allow 40 DNS entries to pass, you have 59 that you need, and one of them is not working. At least this is what you've described based on your words.

    DNS is not meant to be used as a canonical source for everything. It is only meant to return a subset of valid responses. Sometimes that subset is the whole set, but many times it is not. I would not recommend using DNS.

    When you said "you" do a DNS lookup, from where? DNS can give different responses at any time to any client.



  • @Harvy66:

    @JimPhreak:

    @NOYB:

    @JimPhreak:

    I've got an alias list of 40 dynamic DNS hostnames…
    there is one hostname whose associated IP address always gets blocked... 
    All 59 other hostnames pass without issue. ...

    Not sure where to go from here...

    Math class.

    Thanks for the productive reply.

    You allow 40 DNS entries to pass, you have 59 that you need, and one of them is not working. At least this is what you've described based on your words.

    DNS is not meant to be used as a canonical source for everything. It is only meant to return a subset of valid responses. Sometimes that subset is the whole set, but many times it is not. I would not recommend using DNS.

    When you said "you" do a DNS lookup, from where? DNS can give different responses at any time to any client.

    First off, the 59 was a typo which I've corrected.

    Secondly, I mentioned Dynamic DNS hostnames.  These are set up since the incoming IP addresses change from time to time.  When I do a DNS lookup it's being done on pfSense.  So IP address 78.2.24.87, for example, is being blocked inbound.  However, a DNS lookup on pfSense shows that IP matches hostname mydomain.com, which is in the alias list of allowed hostnames.


  • LAYER 8 Netgate

    Diagnostics > Tables will show you the actual contents of the alias. That should show you what's up.



  • @Derelict:

    Diagnostics > Tables will show you the actual contents of the alias. That should show you what's up.

    The same IP that's shown from a DNS lookup shows up in the table for that alias list.
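    A way to do that comparison for the whole alias at once, as an added example that is not from this thread or from pfSense itself: resolve every hostname in the alias with the firewall's own resolver and check each answer against the addresses pf actually has loaded (the same list Diagnostics > Tables shows). The live helpers assume they run on the pfSense box, where `pfctl -t <alias> -T show` is available; the table output and hostnames in the sample are constructed.

    ```python
    import ipaddress
    import socket
    import subprocess
    from typing import Dict, List, Set

    def parse_pfctl_table(output: str) -> Set[str]:
        """Turn the lines of `pfctl -t <alias> -T show` into a set of networks."""
        entries: Set[str] = set()
        for line in output.splitlines():
            token = line.strip()
            if not token:
                continue
            try:
                entries.add(str(ipaddress.ip_network(token, strict=False)))
            except ValueError:
                continue  # skip anything that is not an address or prefix
        return entries

    def is_covered(ip: str, table: Set[str]) -> bool:
        """True if the address falls inside any entry loaded in the table."""
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(entry) for entry in table)

    def find_uncovered(resolved: Dict[str, List[str]], table: Set[str]) -> Dict[str, List[str]]:
        """Map each hostname to the resolved addresses the table does not contain.
        Traffic from those addresses never matches the pass rule, so it is dropped
        by the default deny, which is the symptom described in the thread."""
        return {host: [ip for ip in ips if not is_covered(ip, table)]
                for host, ips in resolved.items()
                if any(not is_covered(ip, table) for ip in ips)}

    def resolve_live(hosts: List[str]) -> Dict[str, List[str]]:
        """Resolve with the system resolver; run it on the firewall itself,
        since another client may get different answers from DNS."""
        return {h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)}) for h in hosts}

    def load_live_table(alias: str) -> Set[str]:
        """Read the table pf has loaded for the alias (pfSense/FreeBSD only)."""
        res = subprocess.run(["pfctl", "-t", alias, "-T", "show"],
                             capture_output=True, text=True, check=True)
        return parse_pfctl_table(res.stdout)

    # Constructed sample: table contents vs. what the hostnames currently resolve to.
    SAMPLE_TABLE_OUTPUT = "   203.0.113.10\n   203.0.113.11\n   198.51.100.0/24\n"
    SAMPLE_RESOLVED = {
        "ddns-a.example.net": ["203.0.113.10"],
        "ddns-b.example.net": ["198.51.100.7"],
        "ddns-c.example.net": ["203.0.113.12"],  # stale table entry: new IP not loaded
    }

    if __name__ == "__main__":
        table = parse_pfctl_table(SAMPLE_TABLE_OUTPUT)
        for host, ips in find_uncovered(SAMPLE_RESOLVED, table).items():
            print(f"{host}: {', '.join(ips)} not in table")
    ```

    Any hostname reported here is one whose current address the pass rule cannot match, regardless of what a manual lookup returns.
    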



  • Removing the hostname from the alias, rebooting, and re-adding seems to have resolved the issue.