Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs



  • It seems like it somehow caches IP addresses (or resolves only one IP address) and then never refreshes them. As a result, the traffic sometimes passes through and sometimes it gets redirect responses from pfSense. The only solution is to add IP addresses instead of the domain name, but that workaround has two problems: 1 - it does not accept IPv6 addresses, 2 - the CDN changes its IP addresses every time and there is no way to create a full list.
    Any solution to work around it properly?
    Thanks



  • @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

    (or resolves only one ip address)

    That's correct: just one, or actually the first that "comes back" from a classic DNS request.

    @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

    it does not accept IPv6 addresses

    The Captive portal doesn't support IPv6.

    @alexs20 said in Allowed Hostnames incorrectly resolving AWS ELB and CDN hostnames with multiple IPs:

    CDN changes its IP addresses every time and there is no way to create a full list.

    All the big ones, like Facebook, Google, Twitter, etc., use a huge number of IPs.
    They are put to 'work' and taken back out of the 'DNS published, usable by the public' IP list. That's how 'they' take down servers for maintenance, handle load balancing on a world and regional basis, etc.
    Locking down to a list of IPs will break things rapidly, as the list doesn't stay 'valid'.

    Example: something in Paris happens, and is posted by that one (1) guy that has a photo. He posts it on Facebook, and the thing goes viral. The Facebook infrastructure detects a huge hit rate on the "France" servers, and starts to add IPs to the DNS list as it will be resolved in France, to control/mitigate the load.
    When things calm down, some of these IPs are taken out again.
    On your side, it's just impossible to keep a list up to date.

    Btw: the same method is used to mitigate DoS attacks.

    So, in short: trying to obtain a list with all IPs for a certain URL is impossible for the big ones and for sites that use a CDN.

    The "URL to IP" works fine for the normal "site hosted at IP x" case or a DynDNS-type host.
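
As an added example (not code from the thread, from pfSense, or from Netgate), the script below simulates the two behaviours the reply contrasts: taking the first address from a single DNS answer and keeping it forever, versus re-resolving every TTL interval and allowing the union of the recent answer sets. The `dig +short` style answers, the CNAME target `cdn-edge.example.net.` and the addresses (RFC 5737 / RFC 3849 documentation ranges) are all constructed sample data; the function names are this example's own.

```python
"""Simulate why a one-shot, single-address resolution of an ELB/CDN hostname
fails, next to a refresh-based allow-list.  Added example, not pfSense code.
All DNS answers are constructed (RFC 5737 / RFC 3849 documentation ranges and
a made-up CNAME target); nothing here is queried from the network."""
import ipaddress
from typing import List, Set, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed `dig +short` style answers for one hostname, captured at four
# successive TTL intervals.  A CDN answer usually starts with CNAME targets
# and then lists the A/AAAA records; the address set rotates over time.
SNAPSHOTS: List[str] = [
    "cdn-edge.example.net.\n203.0.113.10\n203.0.113.11\n203.0.113.12\n2001:db8::10\n",
    "cdn-edge.example.net.\n203.0.113.11\n203.0.113.12\n203.0.113.10\n",
    "cdn-edge.example.net.\n203.0.113.12\n203.0.113.20\n203.0.113.21\n",
    "cdn-edge.example.net.\n203.0.113.21\n203.0.113.22\n2001:db8::22\n",
]


def parse_dig_short(text: str) -> List[Addr]:
    """Keep only the address lines of a `dig +short` answer; CNAME targets and
    blank lines are skipped."""
    addrs: List[Addr] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # a hostname (CNAME target), not an address
    return addrs


def usable_v4(text: str) -> List[str]:
    """The thread says the captive portal does not support IPv6, so only the
    A records can go into an allow-list; AAAA records are dropped here."""
    return [str(a) for a in parse_dig_short(text) if a.version == 4]


def single_resolution_allowlist(snapshot: str) -> Set[str]:
    """What the reply describes: keep the first address that comes back from
    one DNS query and never refresh it."""
    addrs = usable_v4(snapshot)
    return {addrs[0]} if addrs else set()


def refreshed_allowlist(snapshots: List[str], keep_last: int = 2) -> Set[str]:
    """Re-resolve every TTL interval and allow the union of the last
    `keep_last` answer sets: addresses rotated out stay allowed for one more
    interval so in-flight sessions survive, new edges are admitted at once."""
    allowed: Set[str] = set()
    for snap in snapshots[-keep_last:]:
        allowed.update(usable_v4(snap))
    return allowed


def pass_rate(allowed: Set[str], snapshot: str) -> float:
    """Fraction of the addresses a client may pick (the current answer set)
    that the allow-list lets through, i.e. the chance a request passes
    instead of getting the portal's redirect response."""
    cands = usable_v4(snapshot)
    return sum(c in allowed for c in cands) / len(cands) if cands else 0.0


def compare(snapshots: List[str]) -> Tuple[List[float], List[float]]:
    """Pass rate per interval for the static, single-address list versus the
    refreshed list."""
    static = single_resolution_allowlist(snapshots[0])
    static_rates = [pass_rate(static, s) for s in snapshots]
    refreshed_rates = [
        pass_rate(refreshed_allowlist(snapshots[: i + 1]), s)
        for i, s in enumerate(snapshots)
    ]
    return static_rates, refreshed_rates


if __name__ == "__main__":
    static, refreshed = compare(SNAPSHOTS)
    for i, (s, r) in enumerate(zip(static, refreshed)):
        print(f"interval {i}: single-resolution {s:.2f}  refreshed {r:.2f}")
    print("current allow-list:", sorted(refreshed_allowlist(SNAPSHOTS)))
```

With the constructed answers the single-address list passes a third of requests for two intervals and then none, which is the "sometimes passes, sometimes redirected" pattern the question describes, while the refreshed list passes everything. To use the idea with real data, feed the output of `dig +short A <host>` from a periodic job into the same functions. One caveat remains: the answer a CDN returns depends on which resolver asks, so the job has to query the same resolver the portal clients use, and even then a refreshed list only tracks what that resolver currently hands out; it does not enumerate every address the CDN might ever return.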



  • Thanks for the answer, at least somebody confirmed my suspicions. I know that it is impossible to track all CDN IP addresses, and that sucks because I had very big expectations of the pfSense captive portal. Looks like we cannot use it for our purpose.

