Alias creation from DNS lookup



  • Brand new here and I'm sure I missed something in the docs but…

    I have a functioning firewall acting as the gateway to these internets :)
    Have a few inbound NAT services using port forward & 1:1

    pfSense v 2.26
    I now would like to block access to some sites (pandora, netflix, etc.)
    I go to the DNS Lookup page and search spotify.com.  Entries resolve and appear on the list.
    I click the 'Create Aliases from these entries' and get 'Alias created with name spotify_com'

    When I go to Firewall > Aliases there is nothing there :(
    Have checked all tabs - IP PORTS URLs ALL
    Have rebooted server

    Any ideas what I'm doing wrong or where to check next?

    Thanks!



  • Weird, I followed your instructions.  I clicked "Create Alias From These Entries" and it said "Alias created with name spotify_com".  When I click Firewall > Aliases, it shows up at the top, in the "IP" tab.



  • Thanks for the check Fahrenhe1t.

    This makes me happy and sad but at least I can direct my attention away from the procedure!

    iat


  • Rebel Alliance Developer Netgate

    That is not likely to actually help you block sites such as those. Large sites have many addresses that rotate or change depending on several factors. Using a single DNS query isn't going to catch them all, and even if you used the hostname directly in an alias (which is better) instead of doing the DNS lookup, the result can still be different for the firewall and for clients.



  • wait…I thought I was following the recommended method to block sites?  Is there a better solution inside pfSense to block?  I'm not looking to block the world...just a few of the biggies (netflix, pandora, spotify).  Maybe ten total.

    iat


  • Rebel Alliance Developer Netgate

    DNS-based alias methods will only block sites that have one static IP address or a group of static addresses all returned in the same DNS query, which limits its effectiveness. It won't work for large sites with many addresses, CDNs, and so on.

    What you would need is a proxy, or to control the DNS queries themselves, or block by AS. pfBlocker may be a good place for you to start without having to resort to a proxy.



  • Yes. I used to block using an alias of a list of IPs I obtained from a DNS lookup.
    I managed to successfully block Facebook but not Twitter.
    I also tried using "facebook.com" and "twitter.com" instead but still get the same result.
    Turns out, the method above only grabs the first couple of IPs. Another down side is that these sites can change their IPs from time to time, so you would have to manually reconfigure.

    What solved my problem is by using pfBlockerNG's alias feature (under IPv4 tab).
    You can use sites like http://bgp.he.net/cc then search "facebook". Get all the ASNs there and also "facebook.com",
    add it to the alias, e.g.:

    After saving your configurations, go to Update tab and do a "force reload".
    You should be able to see how many IPs you automatically retrieved.
    Also depending on your config, pfBlockerNG automatically UPDATES the aliastable which is the best part. :)
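    An added example (not code from the thread or from pfSense/pfBlockerNG) illustrating the point made by both the Netgate developer's reply and this post: an alias frozen from one DNS lookup only matches the exact addresses returned at that moment, while an ASN/prefix list matches any address inside the site's netblocks. All addresses and prefixes below are constructed documentation ranges, and the "observed destinations" stand in for what clients later actually connect to.

    ```python
    import ipaddress
    from typing import Iterable

    # Constructed sample: what a single DNS lookup returned when the alias was
    # created ("Create Aliases from these entries" freezes exactly these /32s).
    DNS_LOOKUP_ALIAS = {"203.0.113.10", "203.0.113.11"}

    # Constructed sample: prefixes of a hypothetical ASN, the kind of list
    # pfBlockerNG builds when it is given ASNs instead of a hostname.
    ASN_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]

    # Constructed sample: destinations clients connected to later, as they might
    # appear in the firewall's state table or logs (rotated A records, a second
    # netblock, and one unrelated host).
    OBSERVED_DESTINATIONS = [
        "203.0.113.10", "203.0.113.11", "203.0.113.77",
        "198.51.100.5", "198.51.100.200",
        "192.0.2.9",
    ]


    def dns_alias_matches(dests: Iterable[str], alias_ips: set[str]) -> set[str]:
        """Destinations an IP-list alias from one DNS lookup would block: exact matches only."""
        return {d for d in dests if d in alias_ips}


    def prefix_alias_matches(dests: Iterable[str], prefixes: Iterable[str]) -> set[str]:
        """Destinations an ASN/prefix alias would block: any address inside a listed network."""
        nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
        return {d for d in dests if any(ipaddress.ip_address(d) in n for n in nets)}


    def coverage_report(dests: list[str], alias_ips: set[str], prefixes: list[str]) -> dict[str, int]:
        """How many of the observed destinations each alias style would actually block."""
        return {
            "dns_lookup_alias": len(dns_alias_matches(dests, alias_ips)),
            "asn_prefix_alias": len(prefix_alias_matches(dests, prefixes)),
            "total": len(dests),
        }


    if __name__ == "__main__":
        # With the constructed data: the DNS-lookup alias catches 2 of 6, the prefix list 5 of 6,
        # and the unrelated 192.0.2.9 is blocked by neither.
        print(coverage_report(OBSERVED_DESTINATIONS, DNS_LOOKUP_ALIAS, ASN_PREFIXES))
    ```
    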