Parsing DNS replies from PfBlockerNG DNS-reply logs to use as alias and do PBR
-
I wrote a simple and ugly one-line script to parse the DNS replies that PfBlockerNG (Python mode) logs. What it does is look for a specific domain or wildcard domain that was queried, take the A or AAAA response, and output it to a text file.
This way, you can create a custom IP list that has all the IPs that were the answer to a given queried domain or wildcard domain.
Then you can define a new IP list in PfBlockerNG, point it to the local text file, and set Action: Alias Native. In the past, I have been doing this by doing packet capture and parsing DNS on a separate box, then creating a pfSense alias and pointing it to the parsed remote list.
Now, after learning that PfBlockerNG can generate DNS reply logs, it can be done locally (and maybe dynamically in real time in the future).
The point of all of this is to be able to do Policy-Based-Routing for services that utilize CDNs. (eg. Netflix.)
tail -n 10000 /var/log/pfblockerng/dns_reply.log | awk -F, '$4 ~ /^(A|AAAA)$/ && $5 ~ /CNAME/ && $7 ~ /(^|\.)gamepass\.com$/ {print $9}' | sort -u >> /usr/local/www/pfblockerng/parsedDnsGamepass.txt
The domain here is gamepass.com.
This can be scheduled using cron.
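A Python version of the same idea (added here as an example; not the original one-liner and not pfBlockerNG code). It assumes the column layout the one-liner relies on (field 4 query type, field 7 queried domain, field 9 answer), drops the field 5 CNAME filter in favour of checking that the answer really is an address, and merges into the alias file instead of appending, so the list does not accumulate duplicates across cron runs. The log lines are constructed samples in that assumed layout.

```python
import ipaddress
from pathlib import Path

# 0-based column indexes, assumed from the awk one-liner above
# ($4 query type, $7 queried domain, $9 answer); not verified against pfBlockerNG.
COL_QTYPE, COL_DOMAIN, COL_ANSWER = 3, 6, 8

# Constructed sample lines in that assumed layout (documentation addresses only).
SAMPLE_LOG = [
    "DNS-reply,Jan 1 12:00:00,reply,A,CNAME,192.168.1.10,www.gamepass.com,cdn.example.net,203.0.113.10,60",
    "DNS-reply,Jan 1 12:00:01,reply,AAAA,CNAME,192.168.1.10,www.gamepass.com,cdn.example.net,2001:db8::10,60",
    "DNS-reply,Jan 1 12:00:02,reply,A,A,192.168.1.11,notgamepass.com,notgamepass.com,198.51.100.5,60",
    "DNS-reply,Jan 1 12:00:03,reply,A,CNAME,192.168.1.10,api.gamepass.com,cdn.example.net,203.0.113.10,60",
    "DNS-reply,Jan 1 12:00:04,reply,MX,MX,192.168.1.10,gamepass.com,gamepass.com,mail.gamepass.com,60",
]

def domain_matches(name, suffix):
    """True for the domain itself or any subdomain (the 'wildcard' case)."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)

def extract_ips(lines, suffix):
    """Set of A/AAAA answers (as strings) for domain or wildcard `suffix`."""
    found = set()
    for line in lines:
        f = line.rstrip("\n").split(",")
        if len(f) <= COL_ANSWER or f[COL_QTYPE] not in ("A", "AAAA"):
            continue
        if not domain_matches(f[COL_DOMAIN], suffix):
            continue
        try:  # only real addresses reach the alias; CNAME targets, NXDOMAIN etc. are dropped
            found.add(str(ipaddress.ip_address(f[COL_ANSWER])))
        except ValueError:
            continue
    return found

def merge_ips(existing, new_ips):
    """Union, deduplicated and sorted (IPv4 before IPv6), instead of '>>' appending."""
    addrs = {ipaddress.ip_address(s.strip()) for s in [*existing, *new_ips] if s.strip()}
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, a))]

def update_alias_file(path, new_ips):
    """Rewrite the alias file atomically so a concurrent alias update never sees a partial list."""
    p = Path(path)
    merged = merge_ips(p.read_text().splitlines() if p.exists() else [], new_ips)
    tmp = p.with_name(p.name + ".tmp")
    tmp.write_text("".join(ip + "\n" for ip in merged))
    tmp.replace(p)
    return merged
```

A cron wrapper only needs to open dns_reply.log and call update_alias_file(out_path, extract_ips(fh, "gamepass.com")).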
Limitations:
- This does not work in real time; it depends on the cron job frequency and the PfBlockerNG updateip frequency. For example, if a domain is queried for the first time while you are trying to redirect Netflix traffic, you may have to wait until the alias is updated.
I think the idea can be done more elegantly using Python and maybe also integrated natively into the web UI.
Maybe @BBcan177 can look into it.