Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: ArminF on February 04, 2020, 09:01:14 PM

Title: DNS wildcards in Alias (Hosts)
Post by: ArminF on February 04, 2020, 09:01:14 PM
Greetings,
took a search before i posted as it did not ended with a good result.

Want to migrate my XG and later my UTM to OPNSense and installed a VM to prepare and cleanup my "old mess" to start with something fresh.

Recognized to use as much Aliases in the Firewall as possible to set groups and services together.
As i do have a lot of external WAN connection into the company from home i wanted to create some DNS wildcards.
Like *.company.com and so on. But was not able to archive it.
Do i really have to enter all in a single address or DNS?
I hope that you Pro's have a better way to archive this..

Otherwise i could life with it but just wanted to ask before i type and resolve several IPs to DNS.

thanks!
A
Title: Re: DNS wildcards in Alias (Hosts)
Post by: chropnsense on January 27, 2022, 06:43:26 PM
Hi,

I'm also wondering, if this is possible or not (in pfSense it is not it seems). I just got the task to evaluate OPNSense and this is more or less a show stopper, if not possible to e.g. allow only MS Updates based on wildcard DNS:
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com

Windows update here only as an example (could use WSUS), but also other use cases where need to allow CDN type *.domain.com

Edit: if not out-of-the-box possible, would it be possible to use cron and dnsmasq to poll through a list say once an hour (if that wildcard doesn't need to be resolved real time) and then use that IP list in an alias or similar?
Title: Re: DNS wildcards in Alias (Hosts)
Post by: Pfirepfox on November 16, 2022, 01:02:11 PM
Also curious about this, i have a number of hosts to insert and wildcard support would be great
Title: Re: DNS wildcards in Alias (Hosts)
Post by: franco on November 16, 2022, 03:59:15 PM
In the mid-term Unbound blocklists will be able to run pattern matching with the switch to Python backend, but to my knowledge it's impossible to derive all IP addresses from all (unknown) subdomains as an alias in the firewall.


Cheers,
Franco
Title: Re: DNS wildcards in Alias (Hosts)
Post by: Shayoo on December 19, 2024, 01:49:47 PM
Hi, there,

The post is old, but I'll take the liberty of replying to it as I've been faced with the same problem. I was able to solve it based on other forum user entries.
Unfortunately it requires some tweaking to use wildcard domains.

References
- https://github.com/opnsense/core/issues/4145
- https://gist.github.com/PiDroid-B/078198bc84c1e8451d5fd331b46b332d

1. Create Aliases for Each wildcard

For each domain that uses a wildcard, create two aliases "External (advanced)" (e.g., _a and _b).
Then create a "Host(s)" alias containing the two externals created above.

Example Aliases for Multiple Domains:

- Microsoft_IPs_a External (advanced)
- Microsoft_IPs_b External (advanced)
- Microsoft_IPs Host(s)

2. Configure DNSMASQ on Port 53530


Edit the DNSMASQ Configuration File

Access the firewall via CLI/SSH and edit the DNSMASQ configuration:

Code Select
vi /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf
Example Configuration File:
Replace the domain names and alias names with those relevant to your environment.

Code Select
# Add the response for certain A/AAAA lookups to an OPNsense alias
ipset=/microsoft.com/windowsupdate.com/windows.net/Microsoft_IPs_a,Microsoft_IPs_b

# Uncomment these if Unbound is still your primary DNS server; otherwise, it may cause a loop
no-resolv
server=1.1.1.2
server=1.0.0.2
server=9.9.9.9
server=149.112.112.112
3. Configure Unbound DNS to Use DNSMASQ for specific domain resolution

Unbound DNS will forward specific queries to DNSMASQ to handle the aliases.
Navigate to Services > Unbound DNS > Overrides and create an entry in "Domain Overrides".

Example Entry:

Domain: microsoft.com
IP: 127.0.0.1@53530

Domain: windowsupdate.com
IP: 127.0.0.1@53530

Domain: windows.net
IP: 127.0.0.1@53530

4. Create a Cron Job to Flush Alias Entries

To prevent aliases from growing indefinitely and containing obsolete data, set up a cron job to flush the alias entries periodically (e.g., every 48 hours).
Create the Action Configuration File

Code Select
vi /usr/local/opnsense/service/conf/actions.d/actions_alias-flush.conf
Add the Following Content:**

Code Select
[flush]
command:/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables_blk.lock /usr/home/alias-flush.sh
parameters: %s
type:script_output
message:Alias IPs flushed
description:Flush IPs from alias
Reload the system to make the cron job task appear

Code Select
service configd restart
5. Create the Flush Script

This script will handle flushing the IPs from the specified alias.

Code Select
vi /usr/home/alias-flush.sh
Add the Following Content:

Code Select
#!/bin/sh
# Check if the alias name is provided as a parameter
if [ -z "$1" ]; then
    echo "Error: No alias name provided."
    exit 1
fi

ALIAS_NAME="$1"

pfctl -t "$ALIAS_NAME" -T flush

if [ $? -eq 0 ]; then
    echo "Alias '$ALIAS_NAME' flushed successfully."
    exit 0
else
    echo "Error while flushing alias '$ALIAS_NAME'."
    exit 1
fi
Make the Script Executable

Code Select
chmod 755 /usr/home/alias-flush.sh

6. Schedule the Cron Jobs for Each Alias

Create cron job for each alias to flush them alternately (e.g., *_a` and *_b`) every 48 hours.
This rotation ensures that the aliases do not accumulate obsolete data.

Example Cron jobs:
Code Select
enabled: Check
Minutes: 4
Hours: 3
Days of the months: *
Months: *
Days of the week: 1,3,5,7
Command: Flush IPs from alias
Parameters: Microsoft_IPs_a (Must be the exact name of you external alias)
Description: Flush -  Microsoft_IPs_a


Code Select
enabled: Check
Minutes: 5
Hours: 3
Days of the months: *
Months: *
Days of the week: 2,4,6
Command: Flush IPs from alias
Parameters: Microsoft_IPs_b (Must be the exact name of you external alias)
Description: Flush - Microsoft_IPs_b
7. Configure Firewall Rules Using the Aliases

Create firewall rules based on your requirements and use the combined aliases.
When users perform DNS resolutions, the aliases will dynamically populate with the relevant IPs.

If Unbound has a cached resolution, the request might not be forwarded to DNSMASQ, preventing the client from communicating with the desired IP.
To resolve this issue, restart the Unbound service to clear the cache.


Text only | Text with Images