Netgate Discussion Forum

    Allow Hostnames in CP

mohkhalifa:

Dear All,
I am facing a problem: we are using some services in our production environment, like time sync (NTP), security updates, etc., and they must always be reachable on the internet from all of the devices on the LAN network.
So, I added all the FQDNs to the "Allow Hostnames" list in my CP (my CP is configured on my LAN network) to exempt those FQDNs from CP authentication. BUT the problem is that all of these services are always changing their IPs, and when I try to ping one of these FQDNs it does not reply.
Please advise!

Gertjan:

Big services like Facebook, Twitter, Google etc. don't use fixed, known IPs.
They have massive blocks of IPs all over the planet, to make the path from the visitor to these services as short as possible.
They also switch IPs all the time because services are taken down to be upgraded, or for load-balancing reasons, or to mitigate DoS attacks, or for whatever other reason.
Less known services like Windows Update are also heavily used, although we as end users never connect to them directly. But our OS does.

pfSense will parse, once in a while (every 5 minutes or so), the whole FQDN list on the captive portal to translate the URLs into IPs. After all, firewalls can only use IPs, not URLs. pfSense, or whatever other system on earth, cannot follow the real-time changes of the Internet's DNS structure.

Thus, the issue is self-inflicted.

Production line devices shouldn't be placed on a captive portal at all.
Or: place these devices on these lists:

[screenshot of the captive portal allow lists, not reproduced]

so they can go out if needed.

Still: captive portals are used for unknown, non-trusted devices that need some human-generated traffic, like collecting that email or sending an Instagram image. It's a temporary Internet connection that works well as long as the portal knows that a human activated the connection by using a voucher or a password.

No "help me" PMs please. Use the forum, the community will thank you.
Edit: and where are the logs??

mohkhalifa @Gertjan:

Thanks @Gertjan for your reply. I agree with you, BUT I'm using the CP for all my LAN devices because I'm using some attributes for load balancing, bandwidth limits, session timeout, ........ etc. So, I must use the CP for all of them. For example, if I passed most of my LAN IPs from the CP, that would mean a 24/7 internet connection for the employees, which is not accepted by our company policy. So, again, there are back-end services that MUST work continuously. "WHAT DO I HAVE TO DO?"

mohkhalifa:

Also, we are receiving all our emails from office.com or microsoft.com, as we use the Office365 service.

mohkhalifa:

No solution, pfSense experts?!

pete.s.:

I can't answer for your office services, but for NTP it's a different matter.

If you want reliable NTP service you should not use pool NTP servers. As they say themselves: "If your Internet provider has a timeserver, or if you know of a good timeserver near you, you should use that and not this list - you'll probably get better time and you'll use fewer network resources."

So pick a few reliable NTP servers close to you and put those in your firewall rules. Public NTP servers that are referenced by their real name (not pool.ntp.org domains) change their IP extremely seldom or never.

mohkhalifa @pete.s.:

Thanks @pete-s for your kind reply. I'm wondering, why can't the pfSense developers continuously resolve hostnames?

Gertjan:

Because:
DNS records used by the big players use a round-robin system.
The same hostname can receive another IP every time you ask for it. Reasons are:
=> Load balancing: if European servers are busier during daytime, some IPs of USA servers are handed over; they are less used at night.
=> Maintenance: server farms also need to be updated. So they are taken out and others are put in place.
=> Security: what do you think will happen if "someone" obtains all possible IPs of the update servers of Microsoft? It would be far too easy to DoS them off the net, impacting the whole world with one click.
=> DNSSEC is coming up fast. But at a price: instead of receiving a reply that weighs some 512 bytes, it's several kilobytes per reply. And you want all the replies??
=> Etc. I'm by no means an expert, I just pretend that I started to understand how DNS works. And what I want as an 'end user', and what it means when you host a site with several IPs, something I also do.
=> True, big companies own entire AS blocks. They use the IPs in these blocks at will, swapping the function of one IP with another. Like: you'll pass update.microsoft.com and block www.microsoft.com. Tomorrow, these two can switch.

What would you do if you had to assure and protect access to your services?

It's not a question of developing some kind of super resolver that would help you.
pfSense can't do anything here, neither can any other product.
But, hey, I'd be pleased if I'm wrong here.

Btw: you are using the Resolver, right? Forwarding to an upstream DNS resolver only makes your problem worse. You'll have even less control.

Also: if a solution existed for your question, you could for example use pfBlockerNG-devel and add a list with IPs that should be passed (not blocked, or whitelisted). But such a list doesn't really exist.

So, again: your question exists mainly because of issues in your own network setup. Change your demands if they create unsolvable problems.

mohkhalifa @Gertjan:

Thanks @Gertjan for your kind reply. First of all, you must know and understand that I'm really in LOVE with pfSense; it's an amazing firewall, and if we compare it with other NG firewalls, pfSense for me is the best.
If I face any kind of problem in pfSense, that does NOT mean there is a defect in the product. I just need advice or a recommendation. That's all.
Again, I want to thank you for your effort in this forum. Really appreciated :)

Konstanti @mohkhalifa:

@mohkhalifa
Hi
Unfortunately, pfSense does not have a built-in DNS response tool for servers such as YouTube, Netflix, Google and ....
To solve this problem, I had to write my own program (written in C) that intercepts all DNS responses that match a pattern and adds the IP addresses from these responses to the PF tables.

What domains do you need to configure?

Gertjan @Konstanti:

@Konstanti said in Allow Hostnames in CP:

To solve this problem, I had to write my own program (written in C) that intercepts all DNS responses that match a pattern and adds the IP addresses from these responses to the PF tables.

Hmmm, was thinking about that one also: the "filterdns" process that is used to convert host names (URLs) to IPs to feed the firewall aliases is swapping IPs. It should add them to an alias (list) that will steadily grow in time.

"filterdns" is a program written (in C) by Netgate (pfSense) or someone on the team; the code is on GitHub.

Here https://github.com/unexpectedBy/pfsense-tools/tree/master/pfPorts/filterdns

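Konstanti's approach above (intercept the DNS responses that match a pattern and add their IPs to a pf table), together with Gertjan's point that filterdns swaps the alias contents on every resolve instead of letting the list grow, can be shown concretely. The following is an added example, not Konstanti's C program, not pfSense's filterdns, and not part of this thread. It parses the answer section of raw DNS response packets (A, AAAA and CNAME records, including RFC 1035 name compression), folds CNAME chains back to the queried name so that a pattern such as `*.office.com` still matches when the address record sits on a CDN name, and accumulates every matching address in a set, emitting one `pfctl -t <table> -T add <ip>` per address not seen before. The table name `cp_bypass`, the pattern list, and the DNS responses (built inline from RFC 5737/3849 documentation addresses) are constructed for the example; in a real deployment the packets would come from a capture of port 53 traffic on the resolver, the commands would be executed rather than printed, and the table must be referenced by a pf rule (a pfSense alias) to survive a ruleset reload.

```python
"""Feed the A/AAAA records of matching DNS responses into a pf table.
Added example (not pfSense's filterdns, not Konstanti's C program)."""
import fnmatch
import ipaddress
import struct

A, CNAME, AAAA = 1, 5, 28


def parse_name(packet, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (lowercase dotted name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                     # two-byte pointer
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                             # hostile packet: pointer loop
                raise ValueError("DNS name compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def parse_dns_response(packet):
    """[(owner, rtype, value, ttl)] for the answer section of a response packet.
    value: IP string for A/AAAA, name for CNAME, raw bytes otherwise. Queries -> []."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:                            # QR bit clear: not a response
        return []
    offset = 12
    for _ in range(qdcount):                          # skip QNAME + QTYPE + QCLASS
        _q, offset = parse_name(packet, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = parse_name(packet, offset)
        rtype, _cls, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        if rtype in (A, AAAA):
            value = str(ipaddress.ip_address(rdata))  # 4 or 16 packed bytes
        elif rtype == CNAME:
            value = parse_name(packet, offset)[0]
        else:
            value = rdata
        records.append((owner, rtype, value, ttl))
        offset += rdlength
    return records


def extract_addresses(packet):
    """[(queried name, ip)]: CNAME chains are folded back so the name is the one
    that was looked up, which is what a bypass pattern is written against."""
    records = parse_dns_response(packet)
    alias_of = {target: owner for owner, rtype, target, _ in records if rtype == CNAME}
    out = []
    for owner, rtype, value, _ttl in records:
        if rtype in (A, AAAA):
            name, hops = owner, 0
            while name in alias_of and hops < 16:
                name, hops = alias_of[name], hops + 1
            out.append((name, value))
    return out


class PfTableFeeder:
    """Accumulates matching addresses (the set only grows, unlike an alias that is
    rewritten on each resolve) and emits one pfctl command per new address."""
    def __init__(self, table, patterns):
        self.table, self.addresses = table, set()
        self.patterns = [p.lower() for p in patterns]

    def feed(self, packet):
        cmds = []
        for name, ip in extract_addresses(packet):
            if any(fnmatch.fnmatchcase(name, p) for p in self.patterns) and ip not in self.addresses:
                self.addresses.add(ip)
                cmds.append(f"pfctl -t {self.table} -T add {ip}")
        return cmds


# --- constructed test traffic (documentation addresses, RFC 5737 / RFC 3849) ---
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, records):
    """Minimal response; an owner equal to the question name is written as the
    pointer 0xC00C, as real resolvers do, so the pointer path gets exercised."""
    packet = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    packet += encode_name(qname) + struct.pack("!HH", A, 1)
    for owner, rtype, ttl, rdata in records:
        packet += (b"\xc0\x0c" if owner == qname else encode_name(owner))
        packet += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return packet


def ip4(s): return ipaddress.IPv4Address(s).packed
def ip6(s): return ipaddress.IPv6Address(s).packed

RESPONSES = [  # two round-robin answers for one name, a CNAME to a CDN, an unrelated name
    build_response("time.google.com", [("time.google.com", A, 60, ip4("192.0.2.10")),
                                       ("time.google.com", A, 60, ip4("192.0.2.11"))]),
    build_response("time.google.com", [("time.google.com", A, 60, ip4("192.0.2.11")),
                                       ("time.google.com", A, 60, ip4("192.0.2.12"))]),
    build_response("www.office.com", [("www.office.com", CNAME, 300, encode_name("edge.example.net")),
                                      ("edge.example.net", A, 60, ip4("203.0.113.5")),
                                      ("edge.example.net", AAAA, 60, ip6("2001:db8::5"))]),
    build_response("www.example.net", [("www.example.net", A, 60, ip4("198.51.100.1"))]),
]
PATTERNS = ["time.google.com", "office.com", "*.office.com", "pool.ntp.org", "*.pool.ntp.org"]

if __name__ == "__main__":
    feeder = PfTableFeeder("cp_bypass", PATTERNS)   # table name is an assumption
    for pkt in RESPONSES:
        for cmd in feeder.feed(pkt):
            print(cmd)  # production: subprocess.run(shlex.split(cmd), check=True)
```

Run with python3: it prints two commands for the first time.google.com answer, one for the second (only the address not yet in the set), two for www.office.com (reached through the CNAME), and nothing for www.example.net. Because the set only grows, the second round-robin answer adds to the bypass list instead of replacing the earlier addresses, which is what a rotating service needs; expiring entries when their TTL lapses would be the next refinement and is deliberately left out here.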
mohkhalifa @Konstanti:

                            Thanks @Konstanti for your care. I'm using cloudflare.com, gstatic.com, liveupdate.symantec.com, liveupdate.symantecliveupdate.com, pool.ntp.org, symantecliveupdate.com, time.google.com, office.com

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.