Netgate Discussion Forum
    Auto-update for alias from Diagnostics DNS Lookup

    MaxBishop:

      I have an alias created from the Diagnostics->DNS Lookup menu item:
      example.com: 93.184.216.34

      I can see the alias definition in /conf/config.xml (which I'm guessing is only read at boot):

      <alias>
          <name>example_com</name>
          <type>network</type>
          <address>93.184.216.34/32 2606:2800:220:1:248:1893:25c8:1946/128</address>
          <descr><![CDATA[Created from Diagnostics-&gt; DNS Lookup]]></descr>
      </alias>
      

      Suppose example.com were to change frequently and I wanted to pass connections from it to a device on the LAN.

      From a shell I can determine the IP:

      echo `dig example.com`| awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}'
      

      Is there a way that I can pass the output to the active configuration to update the alias?

      bmeeks:

        If I understand your request correctly, sounds like you simply want a FQDN Alias (fully-qualified domain name). You can create one under FIREWALL > ALIASES. Here is a link to the official documentation: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html.

        FQDN aliases are "refreshed" by the firewall once every 5 minutes. That means a process on the firewall resolves the hostname (or domain name) once every five minutes via a cron task and updates the physical IP address in the firewall rule(s) where the alias is used.

        MaxBishop @bmeeks:

          @bmeeks

          Much easier!

          Thanks

          bmeeks @MaxBishop:

            @maxbishop said in Auto-update for alias from Diagnostics DNS Lookup:

            @bmeeks

            Much easier!

            Thanks

            One important thing to remember about FQDN aliases is they are updated at most once per 5 minutes. And if the domain you are resolving uses any kind of CDN or load balancer, it is quite possible that the IP address the firewall resolves for the domain might differ at any point in time from the IP address a client on your network may have just resolved or cached. This is especially true if the client is using a DNS server that is not the same one as the firewall is using.

            So the short answer here is that if the domain name in the FQDN is a slowly-changing somewhat static IP, things will work as expected. But if you try to use a FQDN to block something like "facebook.com" or "youtube.com", don't expect it to work very well (if at all). Many of those DNS records have extremely short TTL (time-to-live) values.

            johnpoz (LAYER 8 Global Moderator) @bmeeks:
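An added example, not code from any of the posters: it takes the dig-and-parse approach of the first post, turns the answer section into the address list an FQDN alias would hold, flags record TTLs shorter than the alias refresh interval (the mismatch window bmeeks describes above), and prints the pfctl command that would replace the alias's table in the live ruleset. It assumes the alias is referenced by a rule (so pf has a table named after the alias), a 300 s refresh interval, and a constructed dig output with an invented 60 s TTL.

```shell
#!/bin/sh
# Added example (not from the thread). Parses a `dig` answer section the way the
# first post does, checks record TTL against the alias refresh interval, and
# builds the `pfctl -T replace` command a refresh would issue for the alias table.
# Assumptions: the alias is used by a rule, so pf has a table with the alias name;
# the refresh interval defaults to 300 s as described in the thread.

# Constructed sample dig output. The addresses are the ones quoted in the first
# post; the 60 s TTL is invented to show the short-TTL case (the TXT record is noise).
SAMPLE_DIG=';; ANSWER SECTION:
example.com.    60    IN  A     93.184.216.34
example.com.    60    IN  AAAA  2606:2800:220:1:248:1893:25c8:1946
example.com.    3600  IN  TXT   "v=spf1 -all"'

# Print "TYPE ADDRESS TTL" for each A/AAAA answer; comments and other types are skipped.
answer_records() {
    printf '%s\n' "$1" | awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $4, $5, $2 }'
}

# Space-separated address list, the form `pfctl -T replace` takes.
alias_addresses() {
    answer_records "$1" | awk '{ a = a (a ? " " : "") $2 } END { print a }'
}

# Smallest TTL among the A/AAAA answers (prints nothing if there are none).
min_ttl() {
    answer_records "$1" | awk 'NR == 1 || $3 < m { m = $3 } END { if (NR) print m }'
}

# "stale" when the record can change faster than the alias is refreshed, else "ok".
ttl_vs_refresh() {
    ttl=$(min_ttl "$1"); interval=${2:-300}
    [ -n "$ttl" ] && [ "$ttl" -lt "$interval" ] && echo stale || echo ok
}

# The table update a refresh would run; printed rather than executed so the
# example runs anywhere. Feed it `dig example.com A; dig example.com AAAA` on the box.
pfctl_replace_cmd() {
    echo "pfctl -t $1 -T replace $(alias_addresses "$2")"
}

echo "addresses : $(alias_addresses "$SAMPLE_DIG")"
echo "min ttl   : $(min_ttl "$SAMPLE_DIG")s, refresh 300s -> $(ttl_vs_refresh "$SAMPLE_DIG" 300)"
pfctl_replace_cmd example_com "$SAMPLE_DIG"
```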

              ^ exactly! Rapidly changing IPs for some FQDN can be problematic at best. Or if the client is using different DNS than pfSense, say DoH or something, you can run into mismatches with what pfSense knows for the IPs and what the client is using for IP to access the site.

              While you can adjust how often pfSense resolves the alias FQDN from the default 5 minutes, depending on the setup that can still be problematic if the client is using something different than pfSense to resolve the FQDN.

              Many of those DNS records have extremely short TTL (time-to-live) values

              This is a trend I'm not a fan of at all - see short TTLs on many records.. Why should I query for something every 60 seconds.. It's stupid to have such short TTLs unless you're in the middle of changing where this FQDN is going to point.. This is not a good load balancing sort of thing like back in the days before load balancers and use of round robin DNS responses - even then no need for such short TTL to load balance which servers get hit for some FQDN, etc.

              I think it's more of a way for these DNS providers to drive more traffic to them, be it charging per query or just info to glean from how often a specific IP might query for something vs doing a query once that has say a 2 hour TTL and not knowing if the client was using the resource for 5 minutes or 2 hours, etc.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                bmeeks @johnpoz:

                @johnpoz said in Auto-update for alias from Diagnostics DNS Lookup:

                Many of those DNS records have extremely short TTL (time-to-live) values

                This is a trend I'm not a fan of at all - see short TTLs on many records.. Why should I query for something every 60 seconds.. It's stupid to have such short TTLs unless you're in the middle of changing where this FQDN is going to point.. This is not a good load balancing sort of thing like back in the days before load balancers and use of round robin DNS responses - even then no need for such short TTL to load balance which servers get hit for some FQDN, etc.

                I think it's more of a way for these DNS providers to drive more traffic to them, be it charging per query or just info to glean from how often a specific IP might query for something vs doing a query once that has say a 2 hour TTL and not knowing if the client was using the resource for 5 minutes or 2 hours, etc.

                Same here - I agree. No good reason to have such short TTL values unless there is an ulterior motive like you said ... 🤔.

                  johnpoz (LAYER 8 Global Moderator) @bmeeks:

                  @bmeeks I have set a min TTL of 3600 on my Unbound.. Everything works - so it's not like these sites are changing the IPs they use every 5 minutes and the old IP no longer works.. ;)

                  I would normally say do not mess with the TTLs that the owners have set, but 60 seconds, 5 minutes - FU! that is insane unless you were getting ready to do a big change to another IP, etc.

                  I guess it does give you the ability to change IPs on the fly and nobody to notice at all - but I sure and the F do not want to be doing a query every 60 seconds because your shit might fail ;) In this day and age of load balancers and the ability to ramp up processing power on your server (since it's a VM) and network access on the fly.. There should be little reason that I have to query for www.domain.tld every freaking 60 seconds..


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.