Can I use round robin DNS in alias?



  • Hi!

    New to pfsense and wonder if I can use a FQDN in an alias that resolves to multiple IP addresses?

    Will I get a rule for every IP when I use the alias?

    I've found conflicting info on this while searching the web.

    Thanks!

    • Pete


  • At the moment in 2.1 the pf table associated with the alias will accumulate all the IP addresses that are returned as the name is translated each time. So a rule that uses the alias will (more or less gradually) match to all the IP addresses.
    You can see the list of IPs that an alias currently translates to using Diagnostics->Tables.
    In your use case, you probably do want the table to accumulate all the IPs known to be associated with the FQDN.
    In some cases, the user just wants the table to have the latest IP address. This RedMine issue discusses that: https://redmine.pfsense.org/issues/3199



  • OK, so the alias points to a table that pf uses and the table is populated by some script I assume.
    And the script only fetches one DNS A record at a time (even if there are several) and it adds that to the table.
    And the script doesn't take TTL times into consideration so the resolved IP addresses will live forever in the table.

    Did I understand correctly how it works?

    Would it be possible to use for instance dig +short to populate the pf table? Is the table a file or something else in pfsense?

    • Pete


  • The FQDN(s) are checked every 5 minutes by filterdns (you can read the source code, if you like, at https://github.com/pfsense/pfsense-tools/blob/master/pfPorts/filterdns/files/filterdns.c). Whatever IPs are returned by the request are all added at once to the table - see the screenshot example, 30 seconds after adding the Google alias I had this list in the table.
    TTLs are not taken into account. Entries live forever (until reboot or some reason to completely restart pf). If "google.com" returns a different list in 5 minutes, then the new IPs in the list are added to the table.
    The table is a "pf table" - a data structure that the packet filter program keeps inside itself.
    For future readers - this is the behaviour in 2.1-RELEASE - it might change in later releases.




  • Thanks for clarifying how it works today Phil!

    I also checked out the source code so I understand the principle.

    The problem is that the table is in reality a DNS resolver cache so it really needs the same functionality. It needs to keep track of TTL values and count them down so the resolved IPs in the table expire when they should. And of course keep the pf table structure updated so it just contains IPs that haven't expired.

    That way all IPs would always be current and it would hold onto the IPs as long as it should.

    I don't know how or if there is an OS level DNS cache in FreeBSD or if getaddrinfo() could use the DNS forward cache in pfsense. It would be elegant to use resolved IPs that way if it works.

    Anyway, that's for a future release of pfsense I guess :-)

    Thanks again,

    Pete
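
The two table policies discussed in this thread, side by side, as an added example that is not filterdns code and not from any poster: an alias table that accumulates every address it has ever seen versus one that expires entries by TTL. The struct and function names, the RFC 5737 addresses and the 300-second TTLs are constructed for illustration; the 300-second polling step matches the 5-minute interval mentioned above.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 64
struct entry  { char ip[46]; long expires; };          /* absolute expiry, seconds */
struct table  { struct entry e[MAX_ENTRIES]; int n; }; /* stand-in for a pf table */
struct answer { const char *ip; long ttl; };           /* one A record in a reply */

/* Insert an address or refresh its expiry; -1 if the table is full. */
int table_put(struct table *t, const char *ip, long expires) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].ip, ip) == 0) { t->e[i].expires = expires; return 0; }
    if (t->n == MAX_ENTRIES) return -1;
    snprintf(t->e[t->n].ip, sizeof t->e[t->n].ip, "%s", ip);
    t->e[t->n++].expires = expires;
    return 0;
}

/* Drop entries whose TTL has run out; returns how many were removed. */
int table_expire(struct table *t, long now) {
    int kept = 0;
    for (int i = 0; i < t->n; i++)
        if (t->e[i].expires > now) t->e[kept++] = t->e[i];
    int removed = t->n - kept;
    t->n = kept;
    return removed;
}

/* One lookup pass: honor_ttl=0 never expires (2.1 per the thread), 1 is TTL-aware. */
int table_refresh(struct table *t, long now, const struct answer *a, int na, int honor_ttl) {
    if (honor_ttl) table_expire(t, now);
    for (int i = 0; i < na; i++)
        table_put(t, a[i].ip, honor_ttl ? now + a[i].ttl : LONG_MAX);
    return t->n;
}

/* Constructed round-robin replies polled every 300 s; returns final table size. */
int simulate(int honor_ttl) {
    static const struct answer r1[] = {{"192.0.2.10", 300}, {"192.0.2.11", 300}};
    static const struct answer r2[] = {{"192.0.2.11", 300}, {"198.51.100.7", 300}};
    static const struct answer r3[] = {{"203.0.113.5", 300}};
    struct table t = { .n = 0 };
    table_refresh(&t, 0, r1, 2, honor_ttl);
    table_refresh(&t, 300, r2, 2, honor_ttl);
    return table_refresh(&t, 600, r3, 1, honor_ttl);
}
int main(void) { printf("accumulate: %d, TTL-aware: %d\n", simulate(0), simulate(1)); return 0; }
```

With the accumulate policy a rule using the alias keeps matching addresses the name no longer returns, which is the gap between the two final table sizes.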

