Netgate Discussion Forum

    Alias creation from DNS lookup

    Category: Firewalling
    7 Posts, 4 Posters, 2.9k Views
    itsatarp:

      Brand new here and I'm sure I missed something in the docs but…

      I have a functioning firewall acting as the gateway to these internets :)
      Have a few inbound NAT services using port forward & 1:1

      pfSense v 2.26
      I now would like to block access to some sites (pandora, netflix, etc.)
      I go to the DNS Lookup page and search spotify.com.  Entries resolve and appear on the list.
      I click the 'Create Aliases from these entries' and get 'Alias created with name spotify_com'

      When I go to Firewall > Aliases there is nothing there :(
      Have checked all tabs - IP PORTS URLs ALL
      Have rebooted server

      Any ideas what I'm doing wrong or where to check next?

      Thanks!


    Fahrenhe1t:

        Weird, I followed your instructions.  I clicked "Create Alias From These Entries" and it said "Alias created with name spotify_com".  When I click Firewall > Aliases, it shows up at the top, in the "IP" tab.


    itsatarp:

          Thanks for the check Fahrenhe1t.

          This makes me happy and sad but at least I can direct my attention away from the procedure!

          iat


    jimp (Rebel Alliance Developer, Netgate):

            That is not likely to actually help you block sites such as those. Large sites have many addresses that rotate or change depending on several factors. Using a single DNS query isn't going to catch them all, and even if you used the hostname directly in an alias (which is better) instead of doing the DNS lookup, the result can still be different for the firewall and for clients.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!


    itsatarp:

              wait…I thought I was following the recommended method to block sites?  Is there a better solution inside pfSense to block?  I'm not looking to block the world...just a few of the biggies (netflix, pandora, spotify).  Maybe ten total.

              iat


    jimp (Rebel Alliance Developer, Netgate):

                DNS-based alias methods will only block sites that have one static IP address or a group of static addresses all returned in the same DNS query, which limits its effectiveness. It won't work for large sites with many addresses, CDNs, and so on.

                What you would need is a proxy, or to control the DNS queries themselves, or block by AS. pfBlocker may be a good place for you to start without having to resort to a proxy.

    gbreadman:

                  Yes. I used to block using an alias of a list of IPs I obtained from a DNS lookup.
                  I managed to successfully block Facebook but not Twitter.
                  I also tried using "facebook.com" and "twitter.com" instead but still get the same result.
                  Turns out, the method above only grabs the first couple of IPs. Another down side is that these sites can change their IPs from time to time, so you would have to manually reconfigure.

                  What solved my problem is by using pfBlockerNG's alias feature (under IPv4 tab).
                  You can use sites like http://bgp.he.net/cc then search "facebook". Get all the ASNs there and also "facebook.com",
                  and add them to the alias, e.g.:

                  • facebook.com
                  • AS12345
                  • AS67890
                  • AS77777

                  After saving your configurations, go to the Update tab and do a "force reload".
                  You should be able to see how many IPs you automatically retrieved.
                  Also depending on your config, pfBlockerNG automatically UPDATES the aliastable which is the best part. :)

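An added illustration of the point jimp and gbreadman make above (example code, not from the thread, pfSense or pfBlockerNG): it models a pf table built from a single DNS-lookup alias against one built from an ASN's announced prefixes, and checks which addresses clients actually resolved would be matched. All addresses and the AS number (AS64500) are constructed sample values.

```python
import ipaddress

# Constructed sample data (not real lookups): what the firewall's one-time
# "DNS Lookup" page returned, what several LAN clients resolved later, and the
# prefixes a pfBlockerNG ASN entry would pull in for the hypothetical AS64500.
FIREWALL_LOOKUP = ["203.0.113.10", "203.0.113.11"]
CLIENT_RESOLUTIONS = {
    "pc1": ["203.0.113.10", "203.0.113.11"],   # same answers as the firewall
    "pc2": ["203.0.113.12", "203.0.113.40"],   # rotated answers, same range
    "phone": ["198.51.100.7"],                 # a different edge node
}
ASN_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]  # constructed, for AS64500


def alias_from_lookup(addresses):
    """Mimic 'Create Aliases from these entries': one /32 per returned address."""
    return [ipaddress.ip_network(a) for a in addresses]


def alias_from_asn(prefixes):
    """Mimic a pfBlockerNG ASN entry: every prefix announced by the AS."""
    return [ipaddress.ip_network(p) for p in prefixes]


def is_blocked(address, alias):
    """True if a block rule using this alias (table) would match the destination."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in alias)


def coverage(alias, client_resolutions):
    """Per client: (addresses the alias catches, addresses the client resolved)."""
    result = {}
    for client, addrs in client_resolutions.items():
        hits = sum(is_blocked(a, alias) for a in addrs)
        result[client] = (hits, len(addrs))
    return result


if __name__ == "__main__":
    for name, alias in (("DNS lookup alias", alias_from_lookup(FIREWALL_LOOKUP)),
                        ("ASN prefix alias", alias_from_asn(ASN_PREFIXES))):
        print(name, coverage(alias, CLIENT_RESOLUTIONS))
```

Only pc1, whose resolver happened to return the same answers as the firewall, is fully blocked by the lookup-based alias; the prefix-based alias catches every client's addresses, which is why the thread recommends blocking by AS rather than by a snapshot of DNS answers.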
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.