How often is a dynamic DNS alias resolved to IP?



  • Hi everyone,

    Does pfSense resolve dynamic DNS URLs that are set as Aliases and used for inbound source matching each and every time, or does it use a cached IP for them? I would like it to use the resolved IP if that doesn't slow things down and if it doesn't put a lot of strain on the system. Or at least resolve it every 10 seconds maybe?

    What do I want this for?
    I want to be able to authorize only SIP traffic that is coming from sites which are authorized to send me traffic so that I don't expose my Asterisk server to the whole world. Right now I am using OpenVPN at each site and it works beautifully, but there is a lot of management overhead to it. So, if I can part ways with OpenVPN, the only way I can think of is to set up dynamic DNS and have pfSense authorize packets only if the dynamic DNS IP resolution matches the incoming IP to pfSense and then forward packets to my Asterisk. These are all SIP UDP and RTP UDP traffic.

    Any input and creative input is much appreciated.


  • Banned

    5 minutes IIRC. 10 seconds is definitely crazy.



  • @doktornotor:

    5 minutes IIRC. 10 seconds is definitely crazy.

    Thanks for reply doktornotor.
    Can this value be changed? Where is it set? Would it be very bad if I set it to 30 seconds?

    Thanks


  • Banned

    System - Advanced - Firewall/NAT - Aliases Hostnames Resolve Interval



  • @doktornotor:

    System - Advanced - Firewall/NAT - Aliases Hostnames Resolve Interval

    I am running version 2.0.x - which version are you saying that in? I only have this regarding Aliases:

    Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.
    Note: Leave this blank for the default. On your system the default size is: 200000

  • Banned

    2.1 of course! :P Time to upgrade.



  • @doktornotor:

    2.1 of course! :P Time to upgrade.

    Are you saying this can't be found in 2.0?
    I have to prepare well for a 2.1 upgrade. Can I simply dump the config.xml file from 2.0 into 2.1 and expect everything to work just fine?


  • Banned

    If you want to do a clean install, yes… Just import the config.xml backup when the install is finished. (Otherwise, you can upgrade via System - Firmware).



  • Is there any other way to change that using the system tunables or by changing a config file?

    Thanks,



  • Does it still accumulate all previous addresses for an FQDN? When are the old entries removed? How do I make it keep only the addresses from the last query (A record returns multiple addresses simultaneously; Round robin only changes the order but all are still returned in a single query)?



  • Yes, it is still accumulating IP addresses in the Alias. This is the behavior in 2.1 and 2.1.1 (intentional or otherwise). And yes, I agree that it should clean out old IP addresses and only keep the results of the latest (successful) query.
    Myself, I can't think of a use case for accumulating the IP addresses over time - but if someone can explain why they want it to do that, then it could be made an option on an FQDN alias - to accumulate or not.
    Cross-reference to the RedMine issue: https://redmine.pfsense.org/issues/3199



  • This is interesting behavior. I did not realize the IPs were being added to a 'table'. I can see use cases where this might be desirable but in general I would assume the preferred behavior would be to simply overwrite the IP (or IPs if multiple 'A' records are returned) each time it's queried.

    I am running into what I think may be a bug (?) with 2.1-STABLE where I have a dynamic-DNS record set up as an IP Alias and then a corresponding Firewall Rule in place to allow access to port 80 (for webAdmin) from that dynamic IP. This works pretty well but I find that sometimes while I'm making config changes I get locked out for up to a minute or so. It seems that if the query fails or maybe if I hit the pfSense box exactly at the moment the DynDNS is being queried, then it blocks me. I could be wrong about this.

    I would have liked it if the IP was cached for at least 2-3 tries before removing it from the allow list. That way if a temporary DNS blip occurred you would not be locked out of the firewall. If the Query failed e.g. 3x in a row or returned NXDOMAIN then I would say "ok time to remove this from the alias list".

    Has anyone else run into something similar?
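    The tolerant refresh policy proposed in this post (replace the table with each successful answer rather than accumulating, keep the last answer across a few transient lookup failures, drop it on NXDOMAIN or after N consecutive failures) as an added example, not pfSense's own code. The FQDNs and 203.0.113.x addresses are constructed; `pfctl -t <table> -T replace` is the real pfctl syntax for rewriting a table's contents.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# A resolver returns a list of addresses, [] for NXDOMAIN, or None when the
# lookup itself failed (timeout, SERVFAIL). Real code would wrap socket/dns here.
Resolver = Callable[[str], Optional[List[str]]]


@dataclass
class FqdnEntry:
    addrs: Set[str] = field(default_factory=set)  # addresses from the last good answer
    failures: int = 0                             # consecutive failed lookups


@dataclass
class FqdnAlias:
    """Tracks the addresses an FQDN alias should currently contain."""
    names: List[str]
    max_failures: int = 3
    entries: Dict[str, FqdnEntry] = field(default_factory=dict)

    def refresh(self, resolve: Resolver) -> Set[str]:
        for name in self.names:
            entry = self.entries.setdefault(name, FqdnEntry())
            result = resolve(name)
            if result is None:
                # Transient failure: keep the cached answer until the limit is hit,
                # so a short DNS blip does not lock the admin out.
                entry.failures += 1
                if entry.failures >= self.max_failures:
                    entry.addrs = set()
            else:
                # Success (possibly several A records) or NXDOMAIN ([]):
                # replace the previous answer instead of accumulating.
                entry.failures = 0
                entry.addrs = set(result)
        # Forget names that were removed from the alias definition.
        for stale in set(self.entries) - set(self.names):
            del self.entries[stale]
        return self.table()

    def table(self) -> Set[str]:
        """Union of the current addresses of every FQDN in the alias."""
        return set().union(*(e.addrs for e in self.entries.values()))


def pfctl_replace_cmd(table: str, addrs: Set[str]) -> str:
    """Build the pfctl command that would make the pf table match `addrs`."""
    return f"pfctl -t {table} -T replace " + " ".join(sorted(addrs))
```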



  • The names are queried every 5 minutes by default, and the table updated (added to at the moment). So it can take around 5 minutes before it recognises the new IP you are coming from (plus whatever lag there is in your remote client setting the dynamic name and it propagating in the public DNS system to be seen by the pfSense).
    The 5 minutes is configurable in system advanced somewhere - I don't have a webGUI in front of me right now to find it.



  • @phil.davis:

    The names are queried every 5 minutes by default, and the table updated (added to at the moment). So it can take around 5 minutes before it recognises the new IP you are coming from (plus whatever lag there is in your remote client setting the dynamic name and it propagating in the public DNS system to be seen by the pfSense).
    The 5 minutes is configurable in system advanced somewhere - I don't have a webGUI in front of me right now to find it.

    I know this thread is somewhat old, but I have received no response after creating my own thread for a relevant issue. Can anyone tell me where the table of resolved IPs is located so I can remove entries? I had created an IP alias containing multiple FQDNs. After removing a few of the FQDNs that were entered as a test, the domains are still being blocked (unless I turn off the rule or recreate the list). Is there a way, via CLI, to edit the table housing the resolved IPs?

    Thank you!


  • Rebel Alliance Developer Netgate

    Diagnostics > Tables. Pick the alias name from the drop-down.

    Or look up the pfctl man page and check the section on table commands for the CLI way.