Netgate Discussion Forum
How often is a dynamic DNS alias resolved to IP?

General pfSense Questions
15 Posts, 7 Posters, 5.8k Views

torontob

Hi everyone,

Does pfSense resolve dynamic DNS URLs that are set as Aliases and used for inbound source matching each and every time, or does it use a cached IP for them? I would like it to use the resolved IP if that doesn't slow things down and if it doesn't put a lot of strain on the system. Or at least resolve it every 10 seconds maybe?

What do I want this for?
I want to be able to authorize only SIP traffic that is coming from sites which are authorized to send me traffic, so that I don't expose my Asterisk server to the whole world. Right now I am using OpenVPN at each site and it works beautifully, but there is a lot of management overhead to it. So, if I can part ways with OpenVPN, the only way I can think of is to set up dynamic DNS and have pfSense authorize packets only if the dynamic DNS IP resolution matches the incoming IP to pfSense, and then forward the packets to my Asterisk. These are all SIP UDP and RTP UDP traffic.

Any input and creative input is much appreciated.

doktornotor (Banned)

5 minutes IIRC. 10 seconds is definitely crazy.

torontob

@doktornotor:
5 minutes IIRC. 10 seconds is definitely crazy.

Thanks for the reply doktornotor.
Can this value be changed? Where is it set? Would it be very bad if I set it to 30 seconds?

Thanks

doktornotor (Banned)

System - Advanced - Firewall/NAT - Aliases Hostnames Resolve Interval

torontob

@doktornotor:
System - Advanced - Firewall/NAT - Aliases Hostnames Resolve Interval

I am running version 2.0.x - which version are you saying that is in? I only have this regarding Aliases:

"Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.
Note: Leave this blank for the default. On your system the default size is: 200000"

doktornotor (Banned)

2.1 of course! :P Time to upgrade.

torontob

@doktornotor:
2.1 of course! :P Time to upgrade.

Are you saying this can't be found in 2.0?
I have to prepare well for a 2.1 upgrade. Can I simply dump the config.xml file from 2.0 into 2.1 and expect everything to work just fine?

doktornotor (Banned)

If you want to do a clean install, yes… Just import the config.xml backup when the install is finished. (Otherwise, you can upgrade via System - Firmware.)

torontob

Is there any other way to change that, using other system tunables or changing a config file?

Thanks,

kathampy

Does it still accumulate all previous addresses for an FQDN? When are the old entries removed? How do I make it keep only the addresses from the last query? (An A record returns multiple addresses simultaneously; round robin only changes the order, but all are still returned in a single query.)

phil.davis

Yes, it is still accumulating IP addresses in the Alias. This is the behavior in 2.1 and 2.1.1 (intentional or otherwise). And yes, I agree that it should clean out old IP addresses and only keep the results of the latest (successful) query.
Myself, I can't think of a use case for accumulating the IP addresses over time - but if someone can explain why they want it to do that, then it could be made an option on an FQDN alias - to accumulate or not.
Cross-reference to the Redmine issue: https://redmine.pfsense.org/issues/3199

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

luckman212 (LAYER 8)

This is interesting behavior. I did not realize the IPs were being added to a 'table'. I can see use cases where this might be desirable, but in general I would assume the preferred behavior would be to simply overwrite the IP (or IPs, if multiple 'A' records are returned) each time it's queried.

I am running into what I think may be a bug (?) with 2.1-STABLE where I have a dynamic DNS record set up as an IP Alias and then a corresponding Firewall Rule in place to allow access to port 80 (for webAdmin) from that dynamic IP. This works pretty well, but I find that sometimes while I'm making config changes I get locked out for up to a minute or so. It seems that if the query fails, or maybe if I hit the pfSense box exactly at the moment the DynDNS is being queried, then it blocks me. I could be wrong about this.

I would have liked it if the IP was cached for at least 2-3 tries before removing it from the allow list. That way, if a temporary DNS blip occurred, you would not be locked out of the firewall. If the query failed e.g. 3x in a row or returned NXDOMAIN, then I would say "ok, time to remove this from the alias list".

Has anyone else run into something similar?

phil.davis

The names are queried every 5 minutes by default, and the table updated (added to, at the moment). So it can be around 5 minutes before it recognises the new IP you are coming from (plus whatever lag there is in your remote client setting the dynamic name and it propagating in the public DNS system to be seen by the pfSense).
The 5 minutes is configurable in System > Advanced somewhere - I don't have a webGUI in front of me right now to find it.

bc4gdi

@phil.davis:
The names are queried every 5 minutes by default, and the table updated (added to, at the moment). So it can be around 5 minutes before it recognises the new IP you are coming from (plus whatever lag there is in your remote client setting the dynamic name and it propagating in the public DNS system to be seen by the pfSense).
The 5 minutes is configurable in System > Advanced somewhere - I don't have a webGUI in front of me right now to find it.

I know this thread is somewhat old, but I have received no response after creating my own thread for a relevant issue. Can anyone tell me where the table of resolved IPs is located so I can remove entries? I had created an IP alias containing multiple FQDNs. After removing a few of the FQDNs that were entered as a test, the domains are still being blocked (unless I turn off the rule or recreate the list). Is there a way, via CLI, to edit the table housing the resolved IPs?

Thank you!

jimp (Rebel Alliance Developer Netgate)

Diagnostics > Tables. Pick the alias name from the drop-down.

Or look up the pfctl man page and check the section on table commands for the CLI way.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
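The behaviour the thread converges on (kathampy and phil.davis: keep only the latest successful answer instead of accumulating; luckman212: tolerate a couple of failed lookups before dropping an address; jimp: the pf table behind the alias is edited with pfctl table commands), written out as an added Python example. This is not pfSense code and not any poster's code. The DNS resolver is injected as a callable so the block runs offline on constructed answers; the alias name `SIP_Peers`, the hostname `site1.dyndns.example`, the 203.0.113.x addresses (TEST-NET-3) and the 3-failure threshold are all made-up sample values. `pfctl -t <table> -T replace` and `-T flush` are real pfctl(8) table commands, but the code only builds the argv and never executes it.

```python
"""Added example (not pfSense code): keep a firewall table for an FQDN alias in
sync with the *latest* successful DNS answer, dropping addresses only after a
run of failed lookups or an NXDOMAIN, instead of accumulating every address
ever seen.  The resolver is passed in as a callable so this runs offline."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

NXDOMAIN = "NXDOMAIN"   # authoritative "this name does not exist"
TRANSIENT = None        # timeout / SERVFAIL: answer unknown this cycle


@dataclass
class AliasState:
    fqdn: str
    table: str                                          # pf table name (= alias name)
    addresses: Set[str] = field(default_factory=set)    # what the table holds now
    failures: int = 0                                   # consecutive transient failures


def refresh(state: AliasState, resolve: Callable, max_failures: int = 3) -> Set[str]:
    """One resolve cycle (pfSense runs one per 'Aliases Hostnames Resolve Interval').

    resolve(fqdn) returns a set of IPs on success, TRANSIENT (None) when the
    lookup failed for a possibly temporary reason, or NXDOMAIN.
    Returns the address set the table should contain after this cycle.
    """
    answer = resolve(state.fqdn)
    if answer is NXDOMAIN:
        # Name is gone for good: remove every address immediately.
        state.addresses, state.failures = set(), 0
    elif answer is TRANSIENT:
        # Keep the last-known-good set through a DNS blip; only give up after
        # max_failures consecutive misses (luckman212's "2-3 tries" idea).
        state.failures += 1
        if state.failures >= max_failures:
            state.addresses = set()
    else:
        # Successful answer: REPLACE the set rather than adding to it.
        state.addresses, state.failures = set(answer), 0
    return set(state.addresses)


def pfctl_argv(table: str, addresses: Set[str]) -> List[str]:
    """argv that makes the pf table hold exactly these addresses.
    'pfctl -t <table> -T replace <addr>...' and 'pfctl -t <table> -T flush'
    are pfctl(8) table commands; the argv is built here, not executed."""
    if not addresses:
        return ["pfctl", "-t", table, "-T", "flush"]
    return ["pfctl", "-t", table, "-T", "replace", *sorted(addresses)]


def simulate(answers: List[Optional[object]], max_failures: int = 3) -> List[Set[str]]:
    """Drive refresh() with a scripted sequence of DNS answers (constructed
    sample data) and return the table contents after each cycle."""
    script = iter(answers)
    state = AliasState(fqdn="site1.dyndns.example", table="SIP_Peers")
    return [refresh(state, lambda fqdn: next(script), max_failures) for _ in answers]


# Constructed sample: the remote site moves from .10 to .11, DNS then flaps,
# and finally the dynamic name is deleted.
SAMPLE_ANSWERS = [
    {"203.0.113.10"},                   # cycle 1: first answer
    TRANSIENT, TRANSIENT,               # 2-3: two blips, .10 is kept
    {"203.0.113.11"},                   # 4: new address replaces .10 (no accumulation)
    TRANSIENT, TRANSIENT, TRANSIENT,    # 5-7: third consecutive miss empties the table
    NXDOMAIN,                           # 8: name deleted, table stays empty
]

if __name__ == "__main__":
    for n, table in enumerate(simulate(SAMPLE_ANSWERS), 1):
        print(n, sorted(table), " ".join(pfctl_argv("SIP_Peers", table)))
```

On a real box the argv would be handed to `subprocess.run(..., check=True)` once per cycle; because `-T replace` overwrites the whole table, an address that disappears from the DNS answer disappears from the table on the next successful cycle, which is the behaviour kathampy asked for and the opposite of the accumulation phil.davis describes.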
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.