Netgate Discussion Forum

    PSA: Domain name based aliases (filterdns) can fail silently, use pfBlockerNG instead

    Firewalling
      byakka (last edited by byakka)

      I've noticed some of my firewall rules are unreliable: they work right after I set them up, but after a while they stop matching, and then later start working again.

      All of the failing rules rely on domain name based host aliases:

      • Firewall → Aliases → IP
      • Type: Host(s)
      • Address: some FQDN (e.g., example.com)

      When the rules fail, I can see that the corresponding tables (Diagnostics → Tables) are empty or only partially populated.

      I'm running pfSense CE 2.8.1 (amd64) using my local AdGuard Home as the only DNS Server. It's a small home environment with only a few rules.

      Trying to debug this, I checked /var/log/resolver.log and found the following filterdns error popping up every so often:

      failed to resolve host ... will retry later again.

      I increased debug output by restarting filterdns with -d 30, and noticed that whenever filterdns can't resolve a name, it removes the existing addresses from the table.

      The error is defined in filterdns.c and it looks like it means getaddrinfo() failed to resolve the name. What's odd is that each time this happened, I could still resolve the same name from another SSH session using the getaddrinfo command (or dig for that matter) without any issues.

      I couldn't debug it further, so I decided to stop relying on filterdns for DNS-based tables. As a workaround, I moved all DNS-based aliases over to pfBlockerNG, which (so far) has been a reliable way to maintain hostname-based tables.

      Workaround: build a hostname-based alias via pfBlockerNG

      1. Install the pfBlockerNG package.
      2. Go to Firewall → pfBlockerNG → IP → IPv4
      3. Click Add
      4. Under IPv4 Source Definitions, add one hostname as the "Source" entry
        • Format: Whois
        • State: ON
        • Source: example.com
      5. Under Settings:
        • Action: Alias Native
        • States Removal: Enabled
      6. Under IPv4 Custom_List:
        • Enable Domain/AS
        • Add the rest of your hostnames, one per line
        • Save
      7. Force an update:
        • Firewall → pfBlockerNG → Update
        • Select 'Force' option: Reload
        • Select 'Reload' option: IP
      8. Use the resulting alias (e.g. pfB_<name>_v4) in your firewall rules.

      Hopefully this helps anyone having issues with random host alias failures.
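      As an added example (not from the post above and not part of pfSense or pfBlockerNG), a small POSIX shell check that would catch the silent failure described here: it compares what a pf table currently holds with what its hostnames resolve to right now and logs any resolved address that has dropped out of the table. It assumes a pfSense/FreeBSD shell with pfctl(8), host(1) and logger(1) available; the table name pfB_myhosts_v4 and the CHECK variable in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: detect pf alias tables that have silently lost the
# addresses their hostnames currently resolve to. Assumes pfctl(8),
# host(1) and logger(1) as found on pfSense/FreeBSD.

# Print the addresses currently loaded in a pf table, one per line.
table_addrs() {
    pfctl -t "$1" -T show 2>/dev/null | awk '{print $1}'
}

# Resolve a hostname's IPv4 addresses with host(1), one per line.
resolve_v4() {
    host -t A "$1" 2>/dev/null | awk '/has address/ {print $NF}'
}

# Given the table contents and the resolved addresses (both newline
# separated strings), print every resolved address missing from the table.
# Pure string logic, so it can be exercised without pfctl or host.
find_missing() {
    _table="$1"
    _resolved="$2"
    printf '%s\n' "$_resolved" | while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        if ! printf '%s\n' "$_table" | grep -qxF -- "$addr"; then
            printf '%s\n' "$addr"
        fi
    done
}

# Check one table against one or more hostnames. Returns 0 when every
# resolved address is present, 1 (and logs via syslog) when it is stale.
check_alias_table() {
    tbl="$1"; shift
    status=0
    for h in "$@"; do
        missing=$(find_missing "$(table_addrs "$tbl")" "$(resolve_v4 "$h")")
        if [ -n "$missing" ]; then
            logger -t alias-check "table $tbl is missing $h -> $(printf '%s' "$missing" | tr '\n' ' ')"
            status=1
        fi
    done
    return $status
}

# Run from cron, e.g.: CHECK="pfB_myhosts_v4 example.com" sh alias-check.sh
# (placeholder table and hostname). Nothing runs unless CHECK is set.
if [ -n "${CHECK:-}" ]; then
    # shellcheck disable=SC2086
    check_alias_table $CHECK
fi
```

A non-zero exit or an alias-check line in the system log means a rule built on that table is currently not matching the hosts it was meant to.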
