1. Home
  2. pfSense® Software
  3. Captive Portal
  4. Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs

Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs

  • A

    It seems like it somehow caches ip addresses (or resolves only one ip address) and then never refresh them. As result the traffic sometimes pass through and sometimes it gets redirect responses from pfSense. The only solution is to add IP addresses instead of domain name but that workaround has two problems 1 - it does not accept IPv6 addresses, 2 - CDN changes its IP addresses every time and there is no way to create a full list.
    Any solution to workaround it properly?
    Thanks

    0 Gertjan 1 Reply
  • Gertjan

    @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

    (or resolves only one ip address)

    That's correct : just one - or actually, the first that "comes back" from a classic DNS request.

    @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

    it does not accept IPv6 addresses

    The Captive portal doesn't support IPv6.

    @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

    CDN changes its IP addresses every time and there is no way to create a full list.

    All the big ones, like Facebook, Google, twitter, etc etc etc use a huge number of IP's.
    The are put to 'work' and taken back out of the 'DNS published, usable by the public, IP list'. That how 'they' take down servers for maintenance, handle load balancing on a world and regional bases, etc.
    You locking down to a lists of IP's will break things rapidly, as the list doesn't stay 'valid'.

    Example : something in Paris happens, and is posted by that one (1) guy that has a photo. He posts it on Facebook - and the thing goes viral. The facebook infrastructure detects a huge hit rate on the "France" servers, and starts to add IP's to the DNS list as it will be resolved in France, to control/mitigate the load.
    When things calm down, some of these IP's are taken out again.
    O your side, it's just impossible to maintain a list up to date.

    Btw : the same method is used to mitigate DOS attacks.

    So, in short : trying to obtain a list with all IP's for certain URL is impossible for the big ones, and sites that use CDN.

    The "URL to IP" works fine for the normal "sites hosted at IP x" or a DynDNS type host.

    1
  • A

    thanks for answer, at least somebody confirmed my suspicions. i know that it is impossible to track all CDN IP addresses, and that sucks because I had very big expectations about pfSense captive portal. Looks like we can not use it for our purpose..

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy