OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: unipacket on December 04, 2018, 03:08:26 pm

Title: DNS Alias
Post by: unipacket on December 04, 2018, 03:08:26 pm
EDIT: This may be a similar question -  https://forum.opnsense.org/index.php?topic=10501.0


Hi, another question about aliases and firewall rules. I'm experimenting with rules and was wondering if it's possible to block traffic by using a DNS alias. For example, if I wanted to block all traffic to google.com except 443 TCP, I would create the following rules:

Rule 1:
Source: Internal
Source Port: Any
Source Protocol: Any
Destination: google.com  <-- Alias
Destination Port: 443
Destination Protocol: TCP
Action: Allow

Rule 2:
Source: Internal
Source Port: Any
Source Protocol: Any
Destination: google.com  <-- Alias
Destination Port: Any
Destination Protocol: Any
Action: Block

Will the alias for google.com auto resolve all IPs for google.com?

I tried searching the forum and docs but did not find much. One bit of information I did find in the pfSense docs is below, but I was unsure if this also applies to OPNsense. If the aliases function the same in both products, I'm thinking this might not be possible with just firewall rules unless I manually find all IPs for google.com.

https://www.netgate.com/docs/pfsense/firewall/blocking-websites.html
Quote
Using Firewall Rules

If a website rarely changes IP addresses, access to it can be blocked using firewall rules. This is not a feasible solution for sites that return low TTLs and spread the load across many servers and/or datacenters, such as Google and similar very large sites. Most small to mid-sized websites can be effectively blocked using this method as they rarely change IP addresses.

A hostname may be entered in a network alias, and then that alias may be applied to a block rule. Note the hostname will only be resolved every 5 minutes, but that may be changed under System > Advanced on the Firewall/NAT tab (Aliases Hostnames Resolve Interval).

Another option is finding all of a site’s IP blocks, creating an alias with those networks, and blocking traffic to those destinations. This is especially useful with sites such as Facebook that spread large amounts of IP space, but are constrained within a few net blocks.
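The quoted docs say a hostname alias is only re-resolved on a fixed interval (5 minutes by default), which is why it leaks for sites that hand out a different, short-lived answer set on every query. The following simulation is an added example, not OPNsense or pfSense code: a constructed resolver rotates through answer sets, a `HostAlias` refreshes its IP table every 300 seconds the way the firewall does, and `coverage_gap` lists the client connections whose destination IP is not in the alias table (so neither the allow nor the block rule above would match). The hostname and all addresses are made up.

```python
from itertools import cycle

# Constructed DNS behaviour: a low-TTL site answers with a different address set
# each time it is queried; a small site always answers the same set.
ROTATING_ANSWERS = [["203.0.113.10", "203.0.113.11"],
                    ["203.0.113.20", "203.0.113.21"],
                    ["203.0.113.30"]]
STABLE_ANSWERS = [["198.51.100.5"]]


class FakeResolver:
    """Stand-in for DNS: every resolve() call returns the next answer set."""
    def __init__(self, answer_sets):
        self._answers = cycle(answer_sets)

    def resolve(self, name):
        return set(next(self._answers))


class HostAlias:
    """Firewall hostname alias: its IP table is refreshed only every
    `interval` seconds (300 = the 5 minute default quoted above)."""
    def __init__(self, name, resolver, interval=300):
        self.name, self.resolver, self.interval = name, resolver, interval
        self.ips, self.last_refresh = set(), None

    def tick(self, now):
        if self.last_refresh is None or now - self.last_refresh >= self.interval:
            self.ips = self.resolver.resolve(self.name)
            self.last_refresh = now


def coverage_gap(alias, client_resolver, times):
    """At each time t a client resolves the name itself and connects to every
    address it got. Return (t, ip) pairs where that ip is absent from the alias
    table, i.e. traffic the alias-based rules would not see."""
    misses = []
    for t in times:
        alias.tick(t)
        for ip in sorted(client_resolver.resolve(alias.name)):
            if ip not in alias.ips:
                misses.append((t, ip))
    return misses


def demo(answer_sets, times=(0, 60, 120, 300, 360)):
    # Firewall and client query DNS independently, so they see different answers.
    firewall_alias = HostAlias("example.test", FakeResolver(answer_sets))
    return coverage_gap(firewall_alias, FakeResolver(answer_sets), times)


if __name__ == "__main__":
    print("stable site misses:  ", demo(STABLE_ANSWERS))
    print("rotating site misses:", demo(ROTATING_ANSWERS))
```

For the stable site the gap list is empty; for the rotating site five of the client's connections (at t=60, 120 and 300) go to addresses the alias table does not contain, which is the failure mode the docs describe.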