IP Aliases not resolving properly
-
We need to allow email traffic to outlook.office365.com on port 993, which is pretty standard. However, in classic Microsoft style, they seem to be breaking the rules of DNS. Running 'dig' from various DNS servers gives different answers:
# dig +short outlook.ms-acdc.office.com A
jnb-efz.ms-acdc.office.com.
52.98.20.146
52.98.20.178
52.98.20.130
however
# dig +short @8.8.8.8 outlook.ms-acdc.office.com A
LHR-efz.ms-acdc.office.com.
52.97.211.194
52.97.211.130
52.97.146.162
52.97.146.210
And a different answer from the tables in pfSense:
Outlook_mail_servers Table
IP Address
52.98.16.210
52.98.16.226
52.98.16.242
2603:1006:1::2
2603:1006:1:1::2
2603:1006:1:b::2
I have cleared the table contents, but it populated with new, different IP addresses again.
What is happening and how do I coerce aliases into working the way I expect them to work?
-
@lifeboy
I created this alias for outlook.office365.com:
Got it from an MS page on the Web and it works without issues.
-
@lifeboy IMHO that's nothing to do with "MS style breaking rules" but simply with Anycast/Geolocated DNS resolvers that actually try to serve you IPs that are geo-located nearer to you and thus better suited than others. That's happening all over the place with Google, YouTube and nearly every other big company that uses a CDN in between.
You can't resolve such a DNS FQDN with the normal means of an Alias in pfSense, as it can vary every few minutes depending on what DNS server is responding to you and what its answers are to you. So just creating an alias will change IPs every 15m.
Edit: @viragomann got in between ;) Yeah what virago says. Just have a look at MS Knowledgebase, they have a list of Names and IPs of all their services and which IP blocks they are using for what. You can simply use that hardcoded like @viragomann in an alias or put the JSON/text list from Microsoft in a tool like pfblockerNG and let it update it automatically.
Cheers
Edit: Here's the worldwide endpoints list -> https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
That's the list in JSON format: https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
-
@viragomann, thanks.
That's a pretty serious list of addresses, but then I suppose that's what happens when you have to serve as much mail as they do!
-
@jegr, I get it, yes, it's the CDN... (should have known that, clearly having a blonde moment there :-) )
-
@lifeboy said in IP Aliases not resolving properly:
@jegr, I get it, yes, it's the CDN... (should have known that, clearly having a blonde moment there :-) )
As we all sometimes do :) No problem there. ;)
-
@viragomann, please share how you added these as an alias. When I add them they get expanded and it's more than 5000 items...
-
@lifeboy The link provided by @JeGr should have all the possible netblocks used for different aspects of outlook.com and office365.com.
Which ones you specifically need will depend on exactly what you're doing.
If you use the network alias they will not expand.
https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#network-aliases
-
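As an added example (not code from any poster above, nor from pfSense or Microsoft), here is one way to turn the Microsoft endpoints JSON mentioned by @JeGr into the one-CIDR-per-line list a Network alias (or pfBlockerNG) consumes, keeping only the Exchange netblocks that carry port 993. The record layout (serviceArea, ips, tcpPorts) is the one the endpoints web service publishes; the records embedded below are constructed for an offline run, not a live download, and the check at the end confirms that both resolver answers from the thread fall inside the resulting netblocks.

```python
"""Build a pfSense Network alias list from Microsoft 365 endpoints JSON (added example)."""
import ipaddress
import json

# CONSTRUCTED sample in the shape of https://endpoints.office.com/endpoints/worldwide.
# Field names follow the published service; the CIDRs are illustrative only.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["52.96.0.0/14", "40.96.0.0/13", "2603:1006::/40", "52.96.0.0/14"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "urls": ["*.outlook.office.com", "outlook.office365.com"],
     "ips": ["52.96.0.0/14", "2603:1006::/40"],
     "tcpPorts": "143,587,993,995", "category": "Allow", "required": True},
    {"id": 3, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"], "tcpPorts": "80,443", "category": "Optimize", "required": True},
])


def _ports(spec):
    """Expand a tcpPorts string such as '143,587,993' to a set of ints (None -> empty)."""
    return {int(p) for p in spec.split(",") if p.strip()} if spec else set()


def exchange_networks(endpoints_json, port=993, service_area="Exchange"):
    """Collapsed IPv4 and IPv6 networks of `service_area` records that carry `port`."""
    nets = []
    for rec in json.loads(endpoints_json):
        if rec.get("serviceArea") != service_area or port not in _ports(rec.get("tcpPorts")):
            continue
        nets.extend(ipaddress.ip_network(cidr) for cidr in rec.get("ips", []))
    # collapse_addresses drops duplicates and merges adjacent/contained blocks
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def alias_lines(endpoints_json, port=993):
    """One CIDR per line: the format a Network alias or pfBlockerNG list accepts."""
    v4, v6 = exchange_networks(endpoints_json, port)
    return [str(n) for n in v4 + v6]


def covered(endpoints_json, address, port=993):
    """True if a resolved address lies inside the alias, whichever resolver answered."""
    addr = ipaddress.ip_address(address)
    v4, v6 = exchange_networks(endpoints_json, port)
    return any(addr in n for n in (v4 if addr.version == 4 else v6))


if __name__ == "__main__":
    print("\n".join(alias_lines(SAMPLE_ENDPOINTS)))
    for ip in ("52.98.20.146", "52.97.211.194"):  # the two differing dig answers above
        print(ip, "covered" if covered(SAMPLE_ENDPOINTS, ip) else "NOT covered")
```

Pointing the script at the live JSON URL instead of the constructed sample and scheduling it is the manual equivalent of what pfBlockerNG does when fed the same list.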
"If you use the network alias they will not expand."
@johnpoz, thanks, that's what I was looking for.
-