Netgate Discussion Forum

    Is there a way to use wildcard subdomains in an Alias?

    Firewalling
    3 Posts 3 Posters 715 Views
    • Sorjal

      I was recently going through some of Microsoft's various endpoint and other connection documentation, and they tend to use a lot of wildcard subdomains (if that is the correct term) such as '*.notify.windows.com' and '*.windowsupdate.com', as listed in 'Network Endpoints for Microsoft Intune', and they even refer to using FQDNs over IP addresses in 'Allow WNS Traffic to the Firewall Allowlist'.

      How can I go about doing so with an Alias? Can it be done directly, or do I have to do something like using the pfBlocker package as a means to do so?

      Thanks in advance!

      • SteveITS (Galactic Empire) @Sorjal

        @Sorjal I think the answer's no, but the problem is that pfSense resolves those every 5 minutes (by default, IIRC). Since a.windowsupdate.com might resolve differently than b.windowsupdate.com, trying to resolve just one may not help you.

        pfBlocker allows creating lists using ASNs; that might help you to just allow the desired Microsoft IP blocks, e.g.:
        (screenshot attached in the original post, not reproduced)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • johnpoz (LAYER 8 Global Moderator) @Sorjal, last edited by johnpoz

          @Sorjal Those lists like *.domain.com are for use when you use something like a proxy, or some form of web filtering where a name is checked before you're allowed. Those would be handy for DNS filtering, for example.

          But for a layer 3 firewall that filters on IP, you need to scroll down on the link(s) you provided to where they list IP ranges, and allow those.

          Here is a tiny snip from that first link you provided:

          *.manage.microsoft.com
          manage.microsoft.com

          104.46.162.96/27
          13.67.13.176/28
          13.67.15.128/27
          13.69.231.128/28
          13.69.67.224/28
          13.70.78.128/28
          13.70.79.128/27
          

          There is no possible way to convert a wildcard to an IP, because it could be anything that could resolve to any IP at all, really. *.domain.tld = anything.domain.tld. How could you possibly go through and resolve every possible combination of anything.domain.tld? It could be alsjdfdlsjdsf.domain.tld, or it could be 903y4rnsoduf.whatever.something.otherthing.domain.tld.

          Really, the possibilities are almost infinite. The only way you can use such an entry is when you're allowing based on something that has the name, like a proxy, or a DNS query where you allow a query for anything.domain.tld but not, say, baddomain.tld.

          Your firewall that filters on IP would need to know exactly what your client resolved to be able to allow or block it based on name. You can do that with a specific name, say www.domain.tld, where pfSense queries it every so often and says ok, www.domain.tld = 1.2.3.4 and 5.6.7.8, etc., allow those. But you can still run into problems where there is a mismatch: the firewall resolved it to 1.2.3.4, but the client resolved it and tries to go to 4.3.2.1.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
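As an added example (not code from the thread, from Netgate or from Microsoft), here is a small Python script that applies johnpoz's point to a published endpoint list: it sorts the lines into CIDR ranges and literal FQDNs that a pfSense alias can hold, sets wildcard names aside for DNS or proxy filtering where the name is visible, and, given the addresses a client actually resolved, reports which ones fall outside the published ranges. The endpoint text, the hostnames portal.example.com and the "resolved" addresses are all constructed for the example; only the CIDRs mirror the snippet quoted above.

```python
"""Sort a Microsoft-style endpoint list into what a pfSense IP alias can hold.

Added example; not code from the thread, from Netgate or from Microsoft.
The endpoint text and the "resolved" addresses are constructed for the
example (the CIDRs mirror the snippet quoted in the thread, the hostname
portal.example.com and the resolved IPs are made up).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input in the shape Microsoft publishes: wildcard names,
# literal FQDNs and CIDR ranges mixed in one list.
ENDPOINT_LIST = """\
*.manage.microsoft.com
manage.microsoft.com
104.46.162.96/27
13.67.13.176/28
13.67.15.128/27
13.69.231.128/28
13.69.67.224/28
13.70.78.128/28
13.70.79.128/27
portal.example.com
"""

# Conservative FQDN check: dotted labels, letters-only TLD, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


@dataclass
class AliasPlan:
    networks: list = field(default_factory=list)   # CIDRs: usable in an alias as-is
    hostnames: list = field(default_factory=list)  # FQDNs: pfSense resolves these periodically
    wildcards: list = field(default_factory=list)  # NOT usable in an IP alias
    rejected: list = field(default_factory=list)   # lines that are none of the above


def classify(text: str) -> AliasPlan:
    plan = AliasPlan()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*."):
            # A wildcard stands for arbitrarily many names, so there is no
            # finite address set to resolve it to; it can only be enforced
            # where the name itself is seen (DNS resolver, proxy).
            (plan.wildcards if HOSTNAME_RE.match(line[2:]) else plan.rejected).append(line)
            continue
        try:
            # strict=True flags a published range with host bits set instead
            # of silently widening it.
            plan.networks.append(ipaddress.ip_network(line, strict=True))
            continue
        except ValueError:
            pass
        (plan.hostnames if HOSTNAME_RE.match(line) else plan.rejected).append(line)
    return plan


def alias_entries(plan: AliasPlan) -> list[str]:
    """Lines to paste into a pfSense alias: collapsed CIDRs, then FQDNs.
    Wildcards are deliberately left out."""
    v4 = [n for n in plan.networks if n.version == 4]
    v6 = [n for n in plan.networks if n.version == 6]
    nets = [str(n) for n in ipaddress.collapse_addresses(v4)]
    nets += [str(n) for n in ipaddress.collapse_addresses(v6)]
    return nets + list(plan.hostnames)


def uncovered(plan: AliasPlan, resolved: dict[str, list[str]]) -> dict[str, list[str]]:
    """Per hostname, the client-resolved addresses outside the published
    ranges. Those are the answers an FQDN alias can miss when the firewall's
    periodic lookup and the client's lookup disagree; an empty result means
    allowing the CIDR ranges covers the name regardless of lookup timing."""
    out: dict[str, list[str]] = {}
    for name, addrs in resolved.items():
        misses = [a for a in addrs
                  if not any(ipaddress.ip_address(a) in n for n in plan.networks)]
        if misses:
            out[name] = misses
    return out


# Constructed answers standing in for what a client's resolver returned
# (198.51.100.7 is a documentation address, not a real endpoint).
RESOLVED = {
    "manage.microsoft.com": ["13.67.13.180", "198.51.100.7"],
    "portal.example.com": ["104.46.162.100"],
}

if __name__ == "__main__":
    plan = classify(ENDPOINT_LIST)
    print("alias entries:", alias_entries(plan))
    print("needs DNS/proxy filtering:", plan.wildcards)
    print("resolved outside published ranges:", uncovered(plan, RESOLVED))
```

Feed it the real list exported from the vendor page and a dump of what your clients resolve (for example from resolver query logs); anything reported by `uncovered` is a name you cannot safely allow by IP range alone.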

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.