Selective Routing with FQDNs - Subdomains Matter?
-
Hey, I'm selectively routing my traffic through a VPN. I have an alias with a bunch of domain names that bypass the VPN. My question is: Do I have to specify the exact domain or can I just provide the root domain?
For example, can I add arizona.edu to the selective routing alias if I want to match mirror.arizona.edu?
-
@professormanhattan said in Selective Routing with FQDNs - Subdomains Matter?:
Hey, I'm selectively routing my traffic through a VPN. I have an alias with a bunch of domain names that bypass the VPN. My question is: Do I have to specify the exact domain or can I just provide the root domain?
For example, can I add arizona.edu to the selective routing alias if I want to match mirror.arizona.edu?
FQDN aliases are not resolved "on-the-fly" by the firewall packet-by-packet. Instead, a separate process called filterdns runs similar to a cron task. The filterdns daemon goes through the FQDN alias list once every 5 minutes by default and resolves the domain names to IP addresses. Each FQDN alias must be complete. No wildcard characters are allowed. So in your case, if arizona.edu and mirror.arizona.edu resolve to different IPs (and I assume they do), then you have to list them separately in the alias. When filterdns resolves the FQDN to an IP address, it puts that IP address in a pf firewall engine table having the same name as the alias. You can see these tables under DIAGNOSTICS > TABLES from the pfSense menu. The firewall rules are actually matching in real time on the IP addresses in these tables. So your alias names in firewall rules are actually the names of these pf tables, and the IP addresses in those tables are what are matched.

While the use of FQDN aliases is indeed a cool feature, it has limitations. Consider the case of a CDN where some DNS records are returned with very short TTL values. Some of these CDNs return DNS TTL values that are less than the 5-minute execution interval of filterdns. So that means the firewall may have one IP address currently in the alias table that it is matching against, while some client on your network just recently did a lookup and got a different IP value for the CDN that is not the same as the one the firewall has at that moment.

Edit: I should have mentioned that filterdns will process multiple IP addresses for a given domain. So something like google.com will result in several IPv4 and IPv6 addresses getting stored to the alias pf table.
-
@bmeeks Thank you, this answers my question.
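The following is an added simulation, not part of the thread and not filterdns or pfSense code, that models the behaviour bmeeks describes: each FQDN in an alias is resolved exactly (no suffix or wildcard matching) on a fixed interval into a table keyed by the alias name, rules match only on the addresses currently in that table, and a CDN name whose answer rotates faster than the refresh interval leaves a window where a client's fresh lookup is not in the table. The hostnames, addresses, TTLs and the rotating CDN pools are constructed for the example.

```python
"""Constructed model of pfSense FQDN aliases, filterdns and pf tables.

Hypothetical data only: the names, addresses, TTLs and the rotating CDN
pools below are made up for the example; this is not filterdns source.
"""
from __future__ import annotations

import ipaddress

FILTERDNS_INTERVAL = 300  # filterdns default refresh interval, seconds

# Constructed zone data: exact FQDN -> list of (address, ttl).  Lookups are
# exact-key only, so "arizona.edu" says nothing about "mirror.arizona.edu".
STATIC_RECORDS = {
    "arizona.edu": [("192.0.2.10", 3600)],
    "mirror.arizona.edu": [("198.51.100.20", 3600)],
    # A name with several A and AAAA records; all of them land in the table.
    "google.com": [
        ("203.0.113.1", 300), ("203.0.113.2", 300),
        ("2001:db8::1", 300), ("2001:db8::2", 300),
    ],
}

# Constructed CDN: the answer alternates between two pools every 60 s with a
# 60 s TTL, i.e. it changes faster than filterdns re-resolves it.
CDN_NAME = "assets.cdn.example"
CDN_POOLS = [["203.0.113.50"], ["203.0.113.51"]]
CDN_TTL = 60


def resolve(name: str, now: int) -> list[tuple[str, int]]:
    """Stand-in for a DNS lookup of `name` at time `now` (seconds)."""
    if name == CDN_NAME:
        pool = CDN_POOLS[(now // CDN_TTL) % len(CDN_POOLS)]
        return [(ip, CDN_TTL) for ip in pool]
    return list(STATIC_RECORDS.get(name, []))


class FilterDns:
    """Periodic resolver that fills one pf-style table per alias."""

    def __init__(self, aliases: dict[str, list[str]]):
        self.aliases = aliases
        self.tables: dict[str, set] = {a: set() for a in aliases}
        self.last_run: int | None = None

    def refresh(self, now: int) -> None:
        """Resolve every FQDN literally (no wildcards) and rebuild the tables."""
        for alias, names in self.aliases.items():
            addrs = set()
            for fqdn in names:
                for ip, _ttl in resolve(fqdn, now):  # TTL is ignored here
                    addrs.add(ipaddress.ip_address(ip))
            self.tables[alias] = addrs
        self.last_run = now

    def tick(self, now: int) -> None:
        """Run the refresh only when the interval has elapsed, like the daemon."""
        if self.last_run is None or now - self.last_run >= FILTERDNS_INTERVAL:
            self.refresh(now)

    def rule_matches(self, alias: str, ip: str) -> bool:
        """What the firewall rule actually tests: table membership by address."""
        return ipaddress.ip_address(ip) in self.tables[alias]


def client_would_match(fd: FilterDns, alias: str, fqdn: str, now: int) -> bool:
    """Would a client that resolves `fqdn` right now be caught by the alias rule?"""
    answers = resolve(fqdn, now)
    return bool(answers) and all(fd.rule_matches(alias, ip) for ip, _ in answers)


def stale_seconds(alias: str, fqdn: str, duration: int = 900) -> int:
    """Seconds during `duration` in which a fresh client lookup misses the table."""
    fd = FilterDns({alias: [fqdn]})
    misses = 0
    for now in range(duration):
        fd.tick(now)
        if not client_would_match(fd, alias, fqdn, now):
            misses += 1
    return misses


if __name__ == "__main__":
    fd = FilterDns({"bypass_vpn": ["arizona.edu"]})
    fd.refresh(0)
    print("mirror.arizona.edu matched by alias holding only arizona.edu:",
          client_would_match(fd, "bypass_vpn", "mirror.arizona.edu", 0))
    print("CDN seconds out of sync in 15 min:", stale_seconds("cdn_bypass", CDN_NAME))
```

With the constructed CDN above, the table is rebuilt at 0 s, 300 s and 600 s while the answer flips every 60 s, so in a 15-minute window the client and the firewall disagree for 360 of the 900 seconds; a name with a long TTL never disagrees. On a real box the equivalent check is to compare what a LAN client resolves against the alias table shown under DIAGNOSTICS > TABLES.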