Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Adaptive Aliases Resolve Interval Best Practice
« previous
next »
Print
Pages: [
1
]
Author
Topic: Adaptive Aliases Resolve Interval Best Practice (Read 384 times)
mooh
Jr. Member
Posts: 94
Karma: 3
Adaptive Aliases Resolve Interval Best Practice
«
on:
May 21, 2024, 03:58:42 pm »
Hi *
In recent years I have noticed that a good number of sites resolve their names to DNS address records with a short TTL, like 60 seconds or less, and changing every time. Looks like attempts at load-balancing to me.
I use network segmentation a lot and so I have a number of aliases in my firewall rules to keep things crisp. Using these names however, means that the address of those sites has changed when clients on my network resolve them as compared to the time the alias was last refreshed and so the firewall rules block the traffic.
Of course I can refresh the aliases very frequently to reduce the chances of reaching TTLs before refreshing aliases but that seems to be a big waste to me. Instead, it would be best to refresh aliases based on the TTL of the DNS responses. Is there a way to achieve this in OPNsense?
Other than that, dnsmasq has a feature to run scripts based on the response record it receives. So, technically, one could write a script adding pf rules based on DNS resonses. But that looks like a security incident waiting to happen to me, even when restricted to DNSsec.
So, how do you folks deal with this kind of situation?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Adaptive Aliases Resolve Interval Best Practice