BUG? - DNS Resolver Access List /31 UI Issue



  • Hi All,

    I'd like to report a potential bug I am experiencing on pfSense (using the latest version 2.4.4p3).

    Consider the below list of /32s whose queries are to be denied by the DNS Resolver as per the rule policy.

    Picture 1

    When attempting to add an additional host to this list, like the below, all the /32s convert to /31s, and you will see the UI does not allow you to revert this back to /32s (happening on multiple browsers). As a result the rules are saved as /31, and 2 hosts are affected by this rule, not one (due to the /31). This can be corrected if you re-edit the rule after saving; however, to the untrained eye this will cause DNS issues for hosts.

    Picture 2
    Picture 3

    I noticed this recently when my vCenter Appliance (10.1.1.15) stopped resolving hostnames and lost connection to ESX hosts (via FQDN) once I added my 10.1.1.14 client to the deny ruleset. At some point, once I made an edit on this page, the /32s converted to /31s, and the 10.1.1.14 rule also affected 10.1.1.15, my vCenter App.

    Is this a known bug? It appears to be very consistent, and I have noticed it for some time.

    Please could some others assist with checking this out on their setups to confirm?

    As a feature request, I'd like to see aliases as usable in this menu, is that possible at all?
    This will allow us to have more granularity around DNS access lists.

    Thanks!
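As an added example (not code from this thread or from pfSense itself), the following Python check parses `access-control:` lines from a constructed unbound config, flags any host rule that has been widened by one bit (/31 for IPv4, /127 for IPv6) and lists the extra address each one quietly covers, and resolves which action unbound would apply to a given client. The matching rule (most specific netblock wins, `refuse` when nothing matches) follows the unbound.conf manual; the sample addresses mirror the 10.1.1.14/10.1.1.15 situation described above and are constructed, not taken from the poster's box.

```python
import ipaddress
import re

# Constructed sample: what the poster's ACL looks like after the UI has
# turned the 10.1.1.14/32 deny into a /31 (the other lines are invented).
SAMPLE_CONF = """\
server:
    access-control: 10.1.1.0/24 allow
    access-control: 10.1.1.14/31 deny
    access-control: 10.1.1.20/32 deny
    access-control: fd00::5/128 deny
"""

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")


def parse_access_control(conf_text):
    """Return (network, action) tuples for every access-control line."""
    entries = []
    for line in conf_text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        # strict=False tolerates host bits set in the netblock, as unbound does
        net = ipaddress.ip_network(m.group(1), strict=False)
        entries.append((net, m.group(2)))
    return entries


def find_widened_host_rules(entries):
    """Flag rules one bit short of a single host (/31 or /127) and list the
    two addresses each one actually affects."""
    findings = []
    for net, action in entries:
        if net.prefixlen == net.max_prefixlen - 1:
            # Iterating a /31 or /127 yields both addresses in the block.
            hosts = [str(addr) for addr in net]
            findings.append({"rule": f"{net} {action}", "affected": hosts})
    return findings


def action_for(entries, address):
    """Action unbound applies to a client: most specific netblock wins,
    'refuse' if no netblock matches (unbound.conf default)."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, action in entries:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "refuse"


if __name__ == "__main__":
    acl = parse_access_control(SAMPLE_CONF)
    for f in find_widened_host_rules(acl):
        print(f"WIDENED: {f['rule']} covers {', '.join(f['affected'])}")
    for client in ("10.1.1.14", "10.1.1.15", "10.1.1.16"):
        print(f"{client}: {action_for(acl, client)}")
```

Run it against the `access-control:` block of the generated unbound.conf after saving the access list; any `WIDENED:` line means a second host is being denied that the UI never showed you.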


  • LAYER 8 Global Moderator

    Oh that is the acl list in unbound...

    Seeing the same behavior. Yeah, this is a bit odd... my guess is a typo in the code for the dropdown list, since it switches from the /128 listing of all of them to 0-31.

    Need to look whether there is a redmine on this already; if not, create one.



  • https://redmine.pfsense.org/issues/9586

    Lodged a redmine ticket here.

    Thanks

