Netgate Discussion Forum
    Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs

    Captive Portal
    3 Posts 2 Posters 349 Views
    alexs20

      It seems like it somehow caches IP addresses (or resolves only one IP address) and then never refreshes them. As a result the traffic sometimes passes through and sometimes it gets redirect responses from pfSense. The only solution is to add IP addresses instead of the domain name, but that workaround has two problems: 1 - it does not accept IPv6 addresses, 2 - the CDN changes its IP addresses every time and there is no way to create a full list.
      Any solution to work around it properly?
      Thanks

      Gertjan @alexs20

        @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

        (or resolves only one ip address)

        That's correct: just one - or actually, the first that "comes back" from a classic DNS request.

        @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

        it does not accept IPv6 addresses

        The Captive portal doesn't support IPv6.

        @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

        CDN changes its IP addresses every time and there is no way to create a full list.

        All the big ones, like Facebook, Google, Twitter, etc. etc. etc. use a huge number of IPs.
        They are put to 'work' and taken back out of the 'DNS published, usable by the public, IP list'. That's how 'they' take down servers for maintenance, handle load balancing on a world and regional basis, etc.
        You locking down to a list of IPs will break things rapidly, as the list doesn't stay 'valid'.

        Example: something in Paris happens, and is posted by that one (1) guy that has a photo. He posts it on Facebook - and the thing goes viral. The Facebook infrastructure detects a huge hit rate on the "France" servers, and starts to add IPs to the DNS list as it will be resolved in France, to control/mitigate the load.
        When things calm down, some of these IPs are taken out again.
        On your side, it's just impossible to maintain a list up to date.

        Btw: the same method is used to mitigate DoS attacks.

        So, in short: trying to obtain a list with all IPs for a certain URL is impossible for the big ones, and sites that use CDN.

        The "URL to IP" works fine for the normal "sites hosted at IP x" or a DynDNS type host.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          alexs20
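        The behaviour Gertjan describes, as an added model that is not part of this thread and not pfSense's own code: the portal keeps the first A record from one lookup and never refreshes it, while a load-balanced or CDN hostname returns a rotating, drifting set of addresses. The answer sets below are constructed (203.0.113.0/24 is a documentation range); `resolve_all` is a helper for checking a real hostname and needs network access. The model also shows the caveat of the obvious workaround: an allow list that accumulates every address ever seen and never expires any keeps passing traffic to addresses the name no longer resolves to.

```python
"""Model of a captive-portal 'allowed hostname' rule that pins one DNS
answer, replayed against a hostname whose A records rotate over time.
Hypothetical illustration; not pfSense's implementation."""
import socket
from typing import Dict, List, Sequence, Set

# Constructed sample: A-record sets returned by four successive queries for
# one hostname. Order changes per query (round robin) and membership drifts.
SAMPLE_ANSWERS: List[List[str]] = [
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.11", "203.0.113.10"],
    ["203.0.113.12", "203.0.113.10", "203.0.113.11"],
    ["203.0.113.12", "203.0.113.13"],
]


def resolve_all(hostname: str, port: int = 443) -> Set[str]:
    """Every IPv4 address currently published for hostname (needs network).
    Run it a few times against a real ELB or CDN name to see how many
    addresses come back per query compared with the one the portal keeps."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def pinned_allow_set(answers: Sequence[Sequence[str]]) -> Set[str]:
    """What the thread describes: first address of the first lookup, never
    refreshed."""
    return {answers[0][0]}


def union_allow_set(answers: Sequence[Sequence[str]]) -> Set[str]:
    """Workaround: accumulate every address ever seen, expire none."""
    allowed: Set[str] = set()
    for answer in answers:
        allowed.update(answer)
    return allowed


def simulate(allowed: Set[str], answers: Sequence[Sequence[str]]) -> Dict[str, int]:
    """Client view: at each step it resolves the name, connects to the first
    address it got, and the portal passes the packet only if that destination
    is in its allow set; otherwise the client receives the portal redirect."""
    result = {"passed": 0, "redirected": 0}
    for answer in answers:
        client_dest = answer[0]
        if client_dest in allowed:
            result["passed"] += 1
        else:
            result["redirected"] += 1
    return result


def stale_entries(allowed: Set[str], current_answer: Sequence[str]) -> Set[str]:
    """Addresses the portal still passes although the hostname no longer
    resolves to them. On shared CDN/load-balancer addresses these may now
    front unrelated tenants, so a never-expiring list is over-permissive."""
    return allowed - set(current_answer)


if __name__ == "__main__":
    pinned = pinned_allow_set(SAMPLE_ANSWERS)
    print("pinned:", sorted(pinned), simulate(pinned, SAMPLE_ANSWERS))
    union = union_allow_set(SAMPLE_ANSWERS)
    print("union: ", sorted(union), simulate(union, SAMPLE_ANSWERS))
    print("stale: ", sorted(stale_entries(union, SAMPLE_ANSWERS[-1])))
```

        With the constructed answers the pinned rule passes only the first connection and redirects the next three, which matches the intermittent behaviour reported in the first post; the accumulating list passes everything but ends up still allowing two addresses the name no longer points at.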

          Thanks for the answer, at least somebody confirmed my suspicions. I know that it is impossible to track all CDN IP addresses, and that sucks because I had very big expectations about the pfSense captive portal. Looks like we cannot use it for our purpose..

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.