OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: JasMan on September 13, 2019, 06:09:37 pm

Title: DNS mismatch firewall alias table and host query
Post by: JasMan on September 13, 2019, 06:09:37 pm
Hey,
I have a question regarding firewall rules, DNS and host aliases.

I would like to allow an internal host to talk to an external host. Therefore I created a host alias with the FQDN of the external host and added it to the firewall rule as the destination.
The firewall did a DNS query for this external host alias and saved the resolved IP addresses to its pf tables.

Now the internal host tries to connect to the external host. It does a DNS query and gets different IP addresses than the firewall got for the host alias. This means the rule doesn't match, and the internal host is not able to connect to the external host.

I did some nslookups for the external host, and with nearly every second query I got back different IP addresses.

What would be the best way to solve this? Should I create an alias with all the resolved IP addresses? I count over 20 different addresses.


Jas
Title: Re: DNS mismatch firewall alias table and host query
Post by: ruffy91 on September 13, 2019, 06:19:42 pm
The technically correct method for OPNsense would be to cache the alias IPs for the TTL of the DNS entry and also add the IPs that clients resolve on OPNsense on the fly (maybe using passivedns?).

Your solution will be to use the vendor website or the reverse DNS of the IPs to find out if the CDN provider also has a DNS A record that includes all the IPs which serve this website, and use it for your alias.
Title: Re: DNS mismatch firewall alias table and host query
Post by: JasMan on September 13, 2019, 10:05:04 pm
@ruffy91: Cool, thank you for your quick response.

The CDN is Amazon's Cloudfront.net. I'm not sure how a CDN exactly works. But I guess the source I want to access can move to any other IP of this CDN. So I've searched for the ASN ID and created a URL IP table alias with the query link:

http://asn.blawk.net/16509

Wow, those are a lot of addresses. But better than allowing the client to access the whole Internet.
Title: Re: DNS mismatch firewall alias table and host query
Post by: ruffy91 on September 14, 2019, 08:32:36 am
Most of the time the CDN providers also give their customers an A record which contains only the IPs that are used to serve their content.

Edit:
CloudFront has a list as JSON:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html

Edit2:
I think the correct way to implement this kind of filtering would be using the proxy and only whitelist the required URLs.
Title: Re: DNS mismatch firewall alias table and host query
Post by: JasMan on September 14, 2019, 01:59:57 pm
I also found the JSON list, but I'm not sure how to import it to an alias.

To use the proxy is a good idea too. But I would prefer an alias with the needed ranges.
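As an added example (not from either poster or from the OPNsense project), this converts the AWS range list into the one-CIDR-per-line text that a URL Table alias can fetch, and checks whether an address a client resolved falls inside it. It assumes the JSON has the shape of AWS's published ip-ranges.json (`prefixes`/`ipv6_prefixes` entries with a `service` field); the sample data below is constructed, not a real download.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json (the real file has
# thousands of entries). Only the fields used here are included.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2019-09-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "205.251.192.0/19", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2a05:d000::/25", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def service_prefixes(raw_json, service="CLOUDFRONT"):
    """Return the sorted, de-duplicated IPv4 and IPv6 prefixes tagged with `service`."""
    data = json.loads(raw_json)
    nets = set()
    for entry in data.get("prefixes", []):
        if entry.get("service") == service:
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in data.get("ipv6_prefixes", []):
        if entry.get("service") == service:
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # Sort IPv4 before IPv6, then numerically, so the alias content is stable between fetches.
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def to_url_table(prefixes):
    """One CIDR per line: the plain-text form an OPNsense URL Table alias downloads."""
    return "\n".join(prefixes) + "\n"


def covered_by(ip, prefixes):
    """True if the address (e.g. what a client resolved) is inside any alias prefix."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    cf = service_prefixes(SAMPLE_IP_RANGES)
    print(to_url_table(cf), end="")
    print("13.33.10.1 covered:", covered_by("13.33.10.1", cf))
```

Serve the generated text from an internal web server and point the alias URL at it, so the firewall refreshes the whole CloudFront range set instead of a single FQDN's current answers.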