[RESOLVED] FQDN alias not working / filterdns.conf does not exist

mkcharlie · Aug 9, 2017, 8:09 PM

Hello,

I'm trying to add a FQDN as an alias, in order to use it in a firewall rule. It should be possible, as mentioned here: https://doc.pfsense.org/index.php/Aliases (section Aliases and Hostnames). However, it doesn't work.

I searched through the forum, and understand now that the tool 'filterdns' should take care of the regular resolving of these FQDN aliases. The filterdns tool indeed exists, but there is no filterdns.conf present on my system (checked /var/etc/ and also find / -name "filterdns*").

Is this supposed to be working, or should I find an alternative?

I'm running 2.3.4-RELEASE-p1 (amd64).

Derelict · Aug 7, 2017, 8:09 PM

Works fine.

What, exactly, did you try?

mkcharlie · Aug 7, 2017, 8:23 PM

I added an ip alias (host) with an FQDN (xxx.eu.auth0.com), and then used that alias in a firewall rule.

I'm not sure if there is something else to add. Do you need more details?

johnpoz · Aug 7, 2017, 8:31 PM

How did you added to the rule, what was the rule - what were the rules above that rule, etc. etc.

I can tell you for sure that putting in a FQDN into an alias works just fine. Pfsense will need to be able to resolve this FQDN - which could be an issue your seeing. When you go to pfsense diag and dns lookup does pfsense lookup this FQDN to the IP you believe it should resolve too?

Keep in mind that you can run into issues with FQDN and ttls and the IPs changing on you, etc. Why are you hiding the FQDN? Is it something internal, or public?

Looks to be hosted by AWS dns

;; QUESTION SECTION:
;eu.auth0.com. IN NS

;; ANSWER SECTION:
eu.auth0.com. 172800 IN NS ns-1429.awsdns-50.org.
eu.auth0.com. 172800 IN NS ns-1665.awsdns-16.co.uk.
eu.auth0.com. 172800 IN NS ns-53.awsdns-06.com.
eu.auth0.com. 172800 IN NS ns-770.awsdns-32.net.

they quite often have really really short TTLs ;) have seen 60s for example - then yeah that could be a problem if you expect to not run into issues if the FQDN resolves to some new IP every 60 seconds, etc.

mkcharlie · Aug 8, 2017, 5:14 AM

In auth0 multiple 'domains' can be created, and depending on the domain the URL becomes <domain>.eu.auth0.com.

I can see the rule with the alias in /tmp/rules.debug. That rule has the correct variable in it ('auth0'). Rules.debug also shows 'persist' als table contents. I understood that that is the normal situation for a FQDN alias. I then wanted to debug the content of the FQDN alias, and read on the forum that I should find it in /var/etc/filterdns.conf.

During my tests yesterday, the domain always resolved to a set of 2 up addresses. This was over a timespan of 2 hours in which I restarted pfsense a couple of times to be sure.

Is a filterdns.conf file created and is filterdns running on your box?

Extra information:
Output of cat /var/etc/rules.debug | grep auth0

table <auth0>persist
auth0 = "<auth0>"
pass  in  quick  on $ELK inet proto tcp  from any to $auth0 port 443 tracker 1502133288 flags S/SA keep state  label "USER_RULE: Auth0 server access"</auth0></auth0>

Screenshot of Diagnostics => DNS lookup

http://imgur.com/a/JPXbw

And an output of the firewall log entry that the traffic is blocked:

http://imgur.com/a/3dwmV
Interface 'ELK' is linked to igb2, which has static IP addresses configured in the 192.168.2.0/24 network. The box 192.168.2.2 has static IP configured.

It is worth noting that this screenshot is from now, and the IP addresses are still the same as yesterday.
I added imgur links both as img as well as hyperlinks, because I seem to do something wrong with the img tags.</domain>

Derelict · Aug 8, 2017, 5:19 AM

OK show us the alias.

Show us Diagnostics > Tables, auth0.

You might as well just stop hiding the hostname since you showed the IP addresses. It just makes it so we can't look at it from our chairs.

mkcharlie · Aug 8, 2017, 6:34 PM

Alias:
http://imgur.com/a/odc5f

Table for auth0 is empty…

EDIT: just tried exactly the same with an ACME url (acme-v01.api.letsencrypt.org). Same issue persists. So there must be something that I'm doing wrong.

johnpoz · Aug 8, 2017, 7:11 PM

did you validate pfsense can actually resolve the FQDN you put in?

that example you used bounces to 2 cnames

;; QUESTION SECTION:
;acme-v01.api.letsencrypt.org. IN A

;; ANSWER SECTION:
acme-v01.api.letsencrypt.org. 7200 IN CNAME api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net. 21600 IN CNAME e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net. 3600 IN A 23.197.31.200

I just duplicated your test fqdn in an alias. Validated pfsense can resolve, created the alias, then validated they are listed in the table for my alias (testfqdn)

Now I am running 2.4 beta - but the steps I posted in the screenshot are exactly the same way you would validate a fqdn you placed in an alias. Validate it resolves.. I would also check what the TTL of the records(s) are.. Then validate it shows up in your table. But yeah if it doesn't show up in the table then not going to be of much use in a firewall rule.

Your not actually trying to use <domain>are you? I just put in some gibberish and it resolves

;; QUESTION SECTION:
;blahslasljdfsldjflsjfds.eu.auth0.com. IN A

;; ANSWER SECTION:
blahslasljdfsldjflsjfds.eu.auth0.com. 3600 IN A 54.93.108.42
blahslasljdfsldjflsjfds.eu.auth0.com. 3600 IN A 52.59.97.214

;; AUTHORITY SECTION:
eu.auth0.com. 91145 IN NS ns-1429.awsdns-50.org.
eu.auth0.com. 91145 IN NS ns-1665.awsdns-16.co.uk.
eu.auth0.com. 91145 IN NS ns-53.awsdns-06.com.
eu.auth0.com. 91145 IN NS ns-770.awsdns-32.net.

</domain>

mkcharlie · Aug 8, 2017, 7:23 PM

Hmm, well thanks for trying. Those entries are exactly the same, and I just tested that the hostname can be resolved in Diagnostics\DNS Lookup.
And no, I'm not using <domain>;).

Other ideas?

I have the feeling that my FW is acting a bit strange. I was having another issue with Squid for a couple of days already, which was suddenly resolved a hour ago. Anyway, I don't believe in black magic so there must be something wrong with my config.

Settings:

</domain>

johnpoz · Aug 8, 2017, 7:57 PM

Yeah you have something broken if your table is not filling in.

But why do you have so may dns listed? Pfsense out of the box would use the resolver, and the only dns listed would/should be 127.0.0.1

mkcharlie · Aug 9, 2017, 7:32 PM

I have no idea about the DNS services. Maybe I added one myself. But the other ones appear by default. Where can I remove them? (in general setup there is only one listed, but indeed in the screenshot there are more).

Edit: i removed the other dns servers, so only 127.0.0.1 present now.

Anyway: problem is persisting.

mkcharlie · Aug 9, 2017, 8:08 PM

I think I figured it out.
I had configured a shellcmd for filebeat. However it seems there is a known issue with shellcmd blocking subsequent processes to start up.

I removed shellcmd, added a new alias, added it to a FW rule, and everything is working smoothly. The fact that my PFSense box seemed to operate normally (with shellcmd), is probably because shellcmd only started the filebeat process at the end of the startup. However, all processes that had to start later (such as filterdns, which has to start after hitting the 'save' button on the alias page) couldn't, as filebeat was still blocking.

Derelict · Aug 9, 2017, 9:00 PM

Custom junk once again.

mkcharlie · Aug 10, 2017, 4:20 AM

Thanks for that constructive final word. If everyone would use the default installation, this forum would not be required.