    Firewall Alias by FQDN - Refresh time?

    Firewalling
      ajrg

      Does anyone know how often firewall aliases are refreshed, when FQDNs are used?

      Is it driven by the DNS TTL, or is there some cron job/similar?

      Planning on using this to control client machine access to resources (via AD Security Groups), so that when a client machine moves between sites (or its IP changes for whatever reason), the firewall rules get updated automatically.

        muswellhillbilly

        In my experience, if you set up an alias on a PFS firewall, it's for an IP or network, not an FQDN. Rules can't be modified on the fly depending on whether an IP address bound to a particular host changes.

        What resources (via AD groups) are you trying to provide/limit access to? Most AD resources are local, so I'm not even sure how a firewall would be applied in this instance.

          ajrg

          You can use FQDNs in the place of IPs for firewall aliases; my use case is having DNS records for an FQDN filled with A records, according to the contents of an AD security group (the magic for which our Windows Server guy is sorting out).

          pfSense then looks up that FQDN (against a pool of Windows DNS servers already configured in pfSense), and stores the resulting A records, which are used whenever that Alias is used in a firewall rule.

          What I need to know is, how often is the DNS lookup done? Do the records last as long as their TTL, or is there a cron job (or similar) that runs every hour/day, etc. - the functionality is there and it works, I just don't know how long it takes for a changed A record to be acknowledged and acted upon.

          It's a really nice way of guaranteeing access regardless of which VLAN/subnet a machine ends up in (for example, when switching between wired or wireless), or even regardless of which site the machine is at.

            Harvy66

            The IPs returned by an FQDN are not always the same per request. If I do an nslookup on my computer, I can get different results than what my wife or pfSense would get.

            Just a heads up.

              ajrg

              https://doc.pfsense.org/index.php/Aliases#Aliases_and_Hostnames

              Ergh, that's embarrassing! Every 300 seconds, it turns out.

              ::)

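The thread settles on two facts that matter when an FQDN alias is used as an access-control mechanism: the alias is rebuilt on a fixed schedule (300 seconds, per the linked doc), and different resolvers can return different answers for the same name. The model below is an added illustration, not pfSense's own code: it assumes the firewall re-resolves every alias hostname on that fixed interval and replaces the alias contents with whatever A records it receives at that moment, so a DNS change is only seen at the next refresh. The hostname, addresses and timeline are constructed, and the `constructed_dns` resolver stands in for the Windows DNS pool described in the thread.

```python
"""Simulate a periodically refreshed FQDN firewall alias (illustration only).

Assumption: the alias is re-resolved every REFRESH_INTERVAL_S seconds and
overwritten with the answer; nothing else updates it in between.
"""
from dataclasses import dataclass
import ipaddress

REFRESH_INTERVAL_S = 300  # refresh interval quoted in the thread


@dataclass
class AliasState:
    fqdn: str
    addresses: frozenset = frozenset()
    # Start "due" so the very first tick performs a lookup.
    last_refresh: int = -REFRESH_INTERVAL_S


def parse_a_records(records):
    """Keep only valid IPv4 literals from a resolver answer, de-duplicated."""
    out = set()
    for r in records:
        try:
            out.add(str(ipaddress.IPv4Address(r)))
        except ipaddress.AddressValueError:
            continue  # junk in the answer must not become a firewall rule entry
    return frozenset(out)


def refresh_alias(state, resolver, now):
    """Re-resolve if the interval has elapsed. Returns (changed, added, removed)."""
    if now - state.last_refresh < REFRESH_INTERVAL_S:
        return False, frozenset(), frozenset()
    new = parse_a_records(resolver(state.fqdn))
    added, removed = new - state.addresses, state.addresses - new
    state.addresses, state.last_refresh = new, now
    return bool(added or removed), added, removed


def constructed_dns(fqdn, now):
    """Constructed timeline: pc1 is on the wired VLAN, then moves to wireless at t=100."""
    if fqdn != "pc1.corp.example":  # constructed hostname
        return []
    return ["10.1.0.25"] if now < 100 else ["10.2.0.77"]


def simulate(fqdn, dns, end_time, step=50):
    """Tick the refresh loop; return [(t, added, removed)] for each alias change."""
    state = AliasState(fqdn)
    events = []
    for t in range(0, end_time + 1, step):
        changed, added, removed = refresh_alias(state, lambda n: dns(n, t), t)
        if changed:
            events.append((t, sorted(added), sorted(removed)))
    return events


def stale_seconds(change_time, events):
    """Seconds between a DNS change and the first alias rebuild that reflects it."""
    return min(t for t, _, _ in events if t >= change_time) - change_time


def resolver_disagreement(answers):
    """Names of resolvers whose answer differs from the firewall's (Harvy66's caveat)."""
    fw = parse_a_records(answers["firewall"])
    return sorted(n for n, a in answers.items() if parse_a_records(a) != fw)


if __name__ == "__main__":
    ev = simulate("pc1.corp.example", constructed_dns, 600)
    print(ev)                        # alias only changes at t=0 and t=300
    print(stale_seconds(100, ev))    # 200 s during which the rule still holds the old IP
    print(resolver_disagreement({"firewall": ["10.2.0.77"], "client": ["10.1.0.25"]}))
```

The point the simulation makes is that the worst-case lag is the full refresh interval, independent of the record's TTL, so a machine that changes address may be blocked (or still allowed under its old address) for up to five minutes. `resolver_disagreement` is the check to run when a client "can resolve the name fine" but is still denied: what matters is the answer the firewall's resolver pool gives, not the client's. Since the alias contents are whatever DNS says, the integrity of those A records is the access-control boundary.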
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.