Dynamic alias with history
-
An alias which resolves to IP addresses for several domain names is a standard feature in pfsense.
Is it possible to set up an alias which includes current but also some historical IP addresses for each of the domain names?
Use case.
Firewall rules can be readily set up in pfsense to effectively black list or white list particular web sites.
Unfortunately many of the larger content providers regularly change what IP address each domain name resolves to. This causes a problem with synchronisation between the IP address cached by local network devices and that held by the local network border firewall.
A solution would be to use an alias in a pfsense firewall rule which is appropriate for both current and recent historical domain name resolution. Supporting the functionality would mean that when an alias is updated, a circular buffer of past alias updates is maintained. The actual alias IP addresses returned would then include the currently resolved IP addresses as well as those from a few of the past updates.
Firewall rules using these aliases with history would enable a firewall rule on the edge router to black list or white list access by local network devices to sites with dynamic IP addresses. A very useful feature IMO.
Is this possible with pfsense or using one of pfsense addons?
-
@Patch said in Dynamic alias with history:
Which caused a problem with synchronisation between local network devices cached IP address and that of the local network boarder fire wall.
Not saying this can not happen.. But if the firewall looks up www.domain.tld, this would be cached for the length of the ttl. The client then asking pfsense for www.domain.tld would get that record with the ttl that unbound on pfsense has left..
Let's say pfsense looks up the fqdn and gets a ttl of 1 hour; if the client asks pfsense 1 minute later its cache would be for 59 minutes..
Where you're more likely to see this is when the client is using some external dns and not pfsense. So pfsense might have looked up that fqdn 30 minutes ago.. And the client using some outside dns might get something new and different from what pfsense has in its cache.
You would see way less of such issues if you force your clients to use pfsense for dns.. Then they would always have the same IP that pfsense has for any fqdn.
-
@johnpoz I agree that is how it is supposed to work. The problem with the logic is that some service providers and devices deliberately choose a different interaction which is beyond my control. IoT and data mining big tech are the major offenders. I suspect these groups also do not want users to be able to black list or white list specific services within their product suite. Hence my desire for a locally controlled solution.
IMO it should work, as the content providers continue to respond at old IP addresses since they do not have control over when, in practice, clients will update their DNS cache, and their IP address updates are typically for load balancing and data collection, not really old server decommissioning.
-
@Patch pfBlocker can create aliases from ASN but that may be wider than you want.
-
@SteveITS I run pfBlocker and like it but I have found ASN not very useful with the large tech companies.
I suspect they would be useful if used in conjunction with a more specific (history) alias, using one to white list and the other to black list.
-
@Patch said in Dynamic alias with history:
Supporting the functionality would mean when an alias is updated, a circular buffer of past alias updates is maintained.
Thinking about it more that's not a good solution.
A better solution is to maintain an array of current IP addresses which contains both the IP address and the time it was last verified. Then when updating the Alias table currently used by pfsense:
- Delete entries from the history array older than the retention setting for this alias
- Add / update array entries from this alias' definition
- Copy the IP addresses from the history array to the table for this alias.
-
Hi
Unfortunately, there is no out-of-the-box solution to this problem. I searched for a long time, but the result turned out to be zero. I had to remember my programming skills and solve this problem on my own.
PF developers have created a mechanism for user interaction with the system kernel (this mechanism is used by the pfctl utility): https://man.freebsd.org/cgi/man.cgi?query=pf&sektion=4&apropos=0&manpath=FreeBSD+14.0-RELEASE+and+Ports
To solve the problem, you need to intercept the DNS server responses (with a certain pattern) and enter them yourself into the desired table.
Thus, you can fill in the IP address table yourself, and use an alias to create the necessary rules.
-
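The retention-array steps Patch lists earlier (prune by retention, add/update, copy to the table) and the pf table loading this reply points at, put into code as an added example that is not pfSense, pfBlocker or any poster's own code: each address carries a last-verified timestamp, stale ones are dropped, the current resolution is merged in, and the combined set is turned into a `pfctl -T replace` command for a dedicated table. The table name `history_alias`, the hostname `cdn.example.test`, the addresses and the timestamps are constructed; it assumes the table is one pfSense does not itself regenerate from an alias definition.

```python
"""Alias-with-history updater (added example; not pfSense code).

history: {ip: unix_time_last_verified}.  Resolution is injected so the
demo runs offline on constructed data; resolve_system() is the live form.
"""
from __future__ import annotations
import json, shlex, socket
from typing import Callable, Dict, Iterable, List

History = Dict[str, float]


def resolve_system(name: str) -> List[str]:
    """Live IPv4 resolution via the OS resolver (not used by the demo)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({ai[4][0] for ai in infos})


def update_history(history: History, names: Iterable[str], now: float,
                   retention_s: float,
                   resolve: Callable[[str], List[str]]) -> History:
    """Prune entries older than retention, then add/refresh current answers."""
    kept = {ip: ts for ip, ts in history.items() if now - ts <= retention_s}
    for name in names:
        for ip in resolve(name):
            kept[ip] = now          # refresh last-verified time
    return kept                     # the input dict is left untouched


def pfctl_replace_cmd(table: str, history: History) -> str:
    """Bulk-replace the table contents with current + recent addresses."""
    addrs = " ".join(sorted(history))
    return "pfctl -t {} -T replace {}".format(shlex.quote(table), addrs)


def load_history(path: str) -> History:
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_history(path: str, history: History) -> None:
    with open(path, "w") as f:
        json.dump(history, f)


# Constructed demo: 24 h retention, one address 30 h old, one 2 h old.
HOUR = 3600.0
T0 = 1_700_000_000.0
PREVIOUS: History = {"203.0.113.10": T0 - 2 * HOUR, "203.0.113.11": T0 - 30 * HOUR}
ANSWERS = {"cdn.example.test": ["203.0.113.12", "203.0.113.10"]}  # constructed


def demo() -> History:
    return update_history(PREVIOUS, ANSWERS, T0, 24 * HOUR,
                          lambda n: ANSWERS.get(n, []))
```

Run once per resolver refresh (for example from cron), persisting the history between runs with `load_history`/`save_history`; 203.0.113.11 ages out while 203.0.113.10 stays because it was seen again.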
You created something to do it? A script or similar?
-
nice information