BUG? - DNS Resolver Access List /31 UI Issue

mscaff

Hi All,

I'd like to report a potential bug I am experiencing on pfSense (using the latest version 2.4.4p3).

Consider the below list of /32s whose queries are to be denied by the DNS Resolver as per the rule policy.

Once attempting to add an additional host to this list, like the below, all the /32s convert to /31s, and you will see the UI does not allow you to revert this back to /32s (happening on multiple browsers). As a result the rules are saved as /31 and 2 hosts are affected by this rule, not one (due to /31). This can be corrected if you re-edit the rule after saving, however to the untrained eye this will cause DNS issues to hosts.

I've noticed this recently as my vCenter Appliance (10.1.1.15) stopped resolving hostnames and lost connection to ESX hosts (via FQDN) once I added my 10.1.1.14 client to the deny ruleset. At some point once I made an edit on this page, the /32s converted to /31s, and the 10.1.1.14 rule also affected 10.1.1.15, my vCenter App.

Is this a known bug? It appears to be very consistent and have noticed it for some time.

Please could some others assist with checking this out on their setups to confirm?

As a feature request, I'd like to see aliases as usable in this menu, is that possible at all?
This will allow us to have more granularity around DNS access lists.

Thanks!

johnpoz

Oh that is the acl list in unbound...

seeing the same behavior - yeah this is a bit odd... my guess is typo in the code for the dropdown list. Since it switches from /128 listing of all of them to 0-31..

Need to look if there is a redmine on this already - if not create one.

mscaff

https://redmine.pfsense.org/issues/9586

Lodged a redmine ticket here.

Thanks