Limiting based on DNS rather than address/CIDR?



  • Is it possible to do bandwidth limiting based on the domain name of a target network rather than merely its network address or mask?

    The modern world of cloud-based computing makes restrictions based on static addresses essentially irrelevant. A cloud service provider can rapidly spin up new servers on entirely new address ranges, and there is no easy way to detect these changes without constant manual probing of packet logs to see where local devices are connecting.

    If it is not currently supported, here is how I can see it working:

    1. pfSense is used as a DNS forwarder or DNS resolver for client devices.

    2. Maintain a cache of DNS lookups that are selected to be rate limited, and keep it separate from the regular DNS cache.

    3. Client devices may hold onto cloud server connections long after they have expired from the normal DNS cache, so this second cache should store lookups to be rate limited for much longer, and potentially forever until the next lookup of that same domain.

    4. When shaping/limiting, check whether a new connection is listed in the cache of domains to be limited, and then apply the appropriate dynamic limits for that address/CIDR.

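The four-step mechanism proposed in the question, written out as an added Python example (not code from pfSense or from the original post). The domain names, limiter names and addresses are constructed, and it assumes the DNS forwarder/resolver calls observe_answer() for every answer it hands to a client:

```python
import ipaddress

# Constructed policy: domains selected for limiting and the limiter to apply
# (hypothetical limiter names, as a pfSense-style shaper would name them).
LIMIT_POLICY = {
    "cdn.example.test": "limiter_cloud_2mbit",
    "backup.example.test": "limiter_backup_512k",
}


class LimitedDomainCache:
    """Second cache, separate from the normal DNS cache (step 2).

    Entries deliberately ignore the DNS TTL: they stay until the same
    domain is looked up again, at which point the old addresses are
    replaced by the new answer (step 3).
    """

    def __init__(self, policy):
        self.policy = policy
        self.entries = {}     # domain -> set of ip_network
        self.addr_index = {}  # ip_network -> domain (for fast lookup)

    def observe_answer(self, domain, addresses):
        """Step 1/2: resolver hook. Returns True if the answer was cached here."""
        domain = domain.rstrip(".").lower()
        if domain not in self.policy:
            return False  # not selected for limiting; normal cache only
        # Plain addresses become /32 (or /128) networks; CIDR strings stay as given.
        new = {ipaddress.ip_network(a, strict=False) for a in addresses}
        for old in self.entries.get(domain, set()):
            if old not in new:
                self.addr_index.pop(old, None)  # superseded by the fresh lookup
        self.entries[domain] = new
        for net in new:
            self.addr_index[net] = domain
        return True

    def limiter_for(self, dst_ip):
        """Step 4: on a new connection, return the limiter to apply, or None."""
        ip = ipaddress.ip_address(dst_ip)
        for net, domain in self.addr_index.items():
            if ip in net:
                return self.policy[domain]
        return None
```

Note that a connection opened before the re-lookup keeps matching only if its address is still covered by the new answer, which is exactly the trade-off step 3 describes.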


  • Lower layers know nothing about upper layers, and typically you don't want upper layers knowing anything about lower layers. Firewalling is at layer 3 & 4, DNS is at layer 7. The firewall knows nothing of DNS and DNS knows nothing of the firewall.

    That being said, there are products out there that couple layers together in order to do "advanced" firewalling, but it really just means "we're breaking the taboo of layer leakage". For encrypted connections, this typically means breaking the encryption or integrating with the browser or whatever application, usually increasing a client's attack surface. Layer isolation is more like guidelines than rules. There's always going to be a reason to bend or break a rule, but if you don't know what you're doing, you're probably going to shoot yourself in the foot, even if you don't realize it.

    The absence of evidence is not the evidence of absence. Just because you don't realize you're breaking something, doesn't mean you're not. It just means you're probably not asking the right questions or all of them. And I don't mean asking other people questions, I mean asking yourself questions. You understand your problem better than anyone else. Someone may be able to answer the question of "can you", but no one but you can answer the question of "should you". A personal rule of thumb is anyone who has to ask how to do something doesn't understand the problem well enough to answer if they should.

    /end philosophical rant

    I wish you well on your journey and hope someone can give you a real answer.

    P.S. If your reason for limiting bandwidth is to save bandwidth, there's no "follow this guideline", but if your reason is for latency or fair sharing bandwidth "hogs", then look into fq_codel or FairQ+Codel. They may get you most of what you want/need with little effort.



  • Actually there is a way.
    Exercise left to the reader as to how.
    Hint: Aliases with firewall rules.


  • Possibly if you had a list of FQDNs to resolve but there is no way to get a list of IP addresses into an alias using just the "domain name" like "cloudfront.com."

    Someone would have to do the actual legwork there and keep a URL table alias updated.

