Netgate Discussion Forum

    Security: FQDN alias vs IP alias

    2 Posts 2 Posters 902 Views
    arduino

      Wondering if FQDN alias provides a higher level of security than IP.

      I am using pfSense to query AD for FQDNs for my alias records. I had previously been using IP, but believe this to be a more secure approach.

      Am I correct?

      David_W

        Which is more secure depends on several factors.

        FQDN aliases rely on DNS working securely. If you trust the DNS server(s) (as you really have to when using AD) and ideally are using DNSSEC, it is a good solution. I don't know whether pfSense resolves FQDN aliases using DNSSEC, though it is good practice to configure DNSSEC whenever possible. Make sure you test DNSSEC carefully, as it can be tricky to configure correctly.

        IP aliases are immune to DNS related issues, but can be a maintenance headache as they need to be updated manually following a DNS change.

        Enforcing restrictions on local users is best done using 802.1x on your switches and having your RADIUS server allocate the user to the appropriate VLAN based on user privileges. Assuming the connection between the switch and your RADIUS server(s) is appropriately secured (a dedicated AAA subnet is recommended), this prevents users working round restrictions by spoofing their local MAC address and/or allocating a static IP address. A user that cannot provide valid 802.1x credentials will be placed in the guest VLAN if you have one configured, or will have no network access at all.

        For wireless, you can use a similar approach based on WPA2-Enterprise. A suitably configured business grade AP will bridge the user's connection to whichever VLAN was allocated by the RADIUS server.

        If you wish to have finer-grained control over access from the outside than 'whole network' rules, there is really little alternative to rules that use some form of alias, though it is worth remembering that you can create VLANs fairly freely if you have suitable switches.

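To make the trade-off in the answer above concrete, here is an added example (not pfSense code, and not a description of how pfSense's own alias resolver behaves) that models how a firewall could turn an FQDN alias into a table of host addresses while refusing any answer a validating resolver did not mark with the AD (Authenticated Data) flag, and that shows the drift a hand-maintained IP alias accumulates after a DNS change. The hostnames, addresses, TTLs and the `DnsAnswer` structure are constructed assumptions for the demonstration.

```python
"""Added example: FQDN alias resolution that fails closed without DNSSEC proof,
plus a drift check for a static IP alias. Not pfSense's code; sample data is
constructed and the hostnames/addresses are placeholders."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsAnswer:
    """One resource record as a validating resolver would hand it back (assumed shape)."""
    name: str       # queried hostname
    rrtype: str     # "A" or "AAAA"
    address: str    # record data
    ad: bool        # AD flag: the resolver proved this answer with DNSSEC
    ttl: int        # seconds the answer may be cached


# Constructed sample answers; none of these are real hosts.
SAMPLE_ANSWERS = [
    DnsAnswer("dc1.corp.example", "A", "10.0.10.5", True, 300),
    DnsAnswer("dc1.corp.example", "AAAA", "fd00:10::5", True, 300),
    DnsAnswer("files.corp.example", "A", "10.0.20.7", True, 300),
    # unsigned zone, or an answer that failed validation: AD is clear
    DnsAnswer("legacy.corp.example", "A", "10.0.30.9", False, 60),
    DnsAnswer("legacy.corp.example", "A", "10.0.30.10", False, 60),
    # a record that is not part of the alias at all and must be ignored
    DnsAnswer("printer.corp.example", "A", "10.0.40.2", True, 300),
]


def _canon(name):
    """Normalise a hostname for comparison (case, trailing dot)."""
    return name.lower().rstrip(".")


def build_alias_table(hostnames, answers, require_dnssec=True):
    """Resolve an FQDN alias into a sorted list of host networks (the table a rule would use).

    Returns (table, rejected). With require_dnssec=True, answers lacking the AD
    flag land in `rejected` instead of `table`, so the rule fails closed rather
    than trusting an address that could have come from a spoofed reply.
    """
    wanted = {_canon(h) for h in hostnames}
    table, rejected = set(), set()
    for ans in answers:
        if _canon(ans.name) not in wanted or ans.rrtype not in ("A", "AAAA"):
            continue
        net = str(ipaddress.ip_network(ans.address))  # host route: /32 or /128
        if require_dnssec and not ans.ad:
            rejected.add(net)
        else:
            table.add(net)
    return sorted(table), sorted(rejected)


def alias_drift(static_alias, resolved_table):
    """Compare a hand-maintained IP alias against what DNS currently returns.

    Returns (stale, missing): entries the static alias still carries that DNS
    no longer returns, and addresses DNS returns that the static alias lacks.
    """
    static = {str(ipaddress.ip_network(a)) for a in static_alias}
    current = set(resolved_table)
    return sorted(static - current), sorted(current - static)


def refresh_interval(hostnames, answers):
    """Smallest TTL among the alias's answers: how often the table must be re-resolved."""
    wanted = {_canon(h) for h in hostnames}
    ttls = [a.ttl for a in answers if _canon(a.name) in wanted]
    return min(ttls) if ttls else None


if __name__ == "__main__":
    alias_hosts = ["dc1.corp.example", "files.corp.example", "legacy.corp.example"]
    table, rejected = build_alias_table(alias_hosts, SAMPLE_ANSWERS)
    print("table:", table)
    print("rejected (no DNSSEC proof):", rejected)
    old_static = ["10.0.10.5", "10.0.20.8"]  # constructed: the IP alias before a DNS change
    print("stale/missing vs static alias:", alias_drift(old_static, table))
    print("re-resolve every", refresh_interval(alias_hosts, SAMPLE_ANSWERS), "seconds")
```

Running it shows the two points of the answer side by side: the `legacy` addresses are kept out of the table because the resolver could not prove them, and the old static alias is both stale (one address DNS no longer returns) and incomplete (two addresses it never had). The refresh interval is the shortest TTL, which is also the window during which a rule can still match an address DNS has already moved away from.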
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.