Trouble with allowing outside connection with domain name
-
Hey everyone,
In our setup we are not allowed to have an ANY rule outgoing to the internet. A lot of providers, like Microsoft, provide a list of IP addresses which I'm able to allow. Now services like Proxmox don't provide a list, therefore I'm forced to set an alias with the domain name download.proxmox.com. For that case I need to access the Proxmox repository. Now it happens from time to time that my server can't reach the repository and I see a blocking firewall event. Which means to me the DNS result on the firewall is different from my client's. That surprises me, since the DNS server for my network is my pfSense.
Is there a better way to allow outgoing connections based on domain names?
-
@Gamienator-0 High traffic web sites or content delivery networks will often rotate IP addresses sometimes every minute. That one has a very short TTL:
download.proxmox.com. 61 IN CNAME download.cdn.proxmox.com.
download.cdn.proxmox.com. 12 IN CNAME us.na.cdn.proxmox.com.
us.na.cdn.proxmox.com. 12 IN CNAME na.cdn.proxmox.com.
na.cdn.proxmox.com. 59 IN A 66.70.154.82
pfSense looks up the IP every 5 minutes by default. There will always be a chance the DNS lookup is not the same IP every time you check it, even if it is a few seconds later.
The pfBlocker package can create aliases from ASNs which are basically IP blocks you can look up by company name.
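To make the timing problem in the reply concrete, here is an added simulation (not code from the thread, pfSense or Proxmox) of a hostname alias that is re-resolved every 300 seconds against a CDN name whose A record rotates every 59 seconds. The four addresses in the pool are constructed placeholders from the 203.0.113.0/24 documentation range, and the model assumes the rotation is aligned to TTL boundaries, which is a simplification of a real CDN. It counts the seconds during which a client that resolves the name itself would be blocked, and compares the default "replace the alias with the latest answer" behaviour with a hypothetical "accumulate every address ever seen" mode, which is the kind of effect a broader allow list (an ASN-derived alias, for instance) has.

```python
"""Model of why a hostname-based firewall alias misses a rotating CDN address."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed placeholder pool (documentation range, not real Proxmox addresses).
DEFAULT_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]


@dataclass
class RotatingCdn:
    """Authoritative DNS for the name: the A record changes every `ttl` seconds."""
    pool: List[str]
    ttl: int

    def resolve(self, t: int) -> str:
        # Deterministic rotation: one address per TTL slot, cycling through the pool.
        return self.pool[(t // self.ttl) % len(self.pool)]


@dataclass
class HostnameAlias:
    """Firewall alias that re-resolves the hostname every `refresh_interval` seconds."""
    cdn: RotatingCdn
    refresh_interval: int = 300   # pfSense default mentioned in the reply (5 minutes)
    accumulate: bool = False      # hypothetical mode: keep every address ever seen
    allowed: Set[str] = field(default_factory=set)
    last_refresh: Optional[int] = None

    def allowed_at(self, t: int) -> Set[str]:
        due = self.last_refresh is None or t - self.last_refresh >= self.refresh_interval
        if due:
            ip = self.cdn.resolve(t)
            if self.accumulate:
                self.allowed.add(ip)
            else:
                self.allowed = {ip}      # default behaviour: latest answer replaces the old one
            self.last_refresh = t
        return self.allowed


def simulate(ttl: int, refresh_interval: int, duration: int,
             accumulate: bool = False, pool: List[str] = DEFAULT_POOL) -> List[int]:
    """Return the seconds (0..duration-1) at which a client connection would be blocked.

    The client performs its own lookup at time t and honours the same TTL slots,
    so its answer is whatever the CDN serves at t; the alias only knows what it
    saw at its last refresh.
    """
    cdn = RotatingCdn(pool, ttl)
    alias = HostnameAlias(cdn, refresh_interval, accumulate)
    blocked = []
    for t in range(duration):
        client_ip = cdn.resolve(t)
        if client_ip not in alias.allowed_at(t):
            blocked.append(t)
    return blocked


def summary(ttl: int = 59, refresh_interval: int = 300, duration: int = 1200) -> dict:
    """Blocked-second counts for both alias modes over the same rotation schedule."""
    replace = simulate(ttl, refresh_interval, duration)
    accum = simulate(ttl, refresh_interval, duration, accumulate=True)
    return {
        "duration": duration,
        "blocked_replace_mode": len(replace),
        "blocked_accumulate_mode": len(accum),
        # Once every pool address has been observed, the accumulating alias stops blocking.
        "last_block_accumulate_mode": max(accum) if accum else None,
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
```

With the default parameters the replacing alias blocks roughly 60% of the time, because the firewall's single cached answer is only valid for one of every four TTL slots. The accumulating variant stops blocking once it has seen all four addresses (after its fourth refresh at t=900 in this model), which is why an allow list that covers the provider's whole address range works where a single-answer alias does not. Shortening the alias refresh interval (in pfSense the "Aliases Hostnames Resolve Interval" under System > Advanced > Firewall & NAT) narrows the window but cannot close it, since the firewall's lookup and the client's lookup are still two independent answers.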