DNS wildcards in Alias (Hosts)

Started by ArminF, February 04, 2020, 09:01:14 PM

Greetings,
I took a search before I posted, but it did not end with a good result.

I want to migrate my XG and later my UTM to OPNSense and installed a VM to prepare and clean up my "old mess" to start with something fresh.

I recognized that I should use as many Aliases in the Firewall as possible to put groups and services together.
As I have a lot of external WAN connections into the company from home, I wanted to create some DNS wildcards.
Like *.company.com and so on. But I was not able to achieve it.
Do I really have to enter all of them as a single address or DNS name?
I hope that you Pros have a better way to achieve this..

Otherwise I could live with it, but I just wanted to ask before I type in and resolve several IPs to DNS.

thanks!
A
English: Never try, never know!
German: Untried is inexperienced!

January 27, 2022, 06:43:26 PM #1 Last Edit: January 27, 2022, 07:17:40 PM by chropnsense
Hi,

I'm also wondering if this is possible or not (in pfSense it is not, it seems). I just got the task to evaluate OPNSense and this is more or less a show stopper if it is not possible to e.g. allow only MS Updates based on wildcard DNS:
https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com

Windows Update is here only as an example (one could use WSUS), but there are also other use cases where one needs to allow CDN-type *.domain.com

Edit: if not out-of-the-box possible, would it be possible to use cron and dnsmasq to poll through a list say once an hour (if that wildcard doesn't need to be resolved real time) and then use that IP list in an alias or similar?

Also curious about this, I have a number of hosts to insert and wildcard support would be great

In the mid-term Unbound blocklists will be able to run pattern matching with the switch to Python backend, but to my knowledge it's impossible to derive all IP addresses from all (unknown) subdomains as an alias in the firewall.


Cheers,
Franco

December 19, 2024, 01:49:47 PM #4 Last Edit: December 19, 2024, 01:55:03 PM by Shayoo Reason: content spacing
Hi there,

The post is old, but I'll take the liberty of replying to it as I've been faced with the same problem. I was able to solve it based on other forum users' entries.
Unfortunately it requires some tweaking to use wildcard domains.

References
- https://github.com/opnsense/core/issues/4145
- https://gist.github.com/PiDroid-B/078198bc84c1e8451d5fd331b46b332d

1. Create Aliases for Each Wildcard

For each domain that uses a wildcard, create two aliases "External (advanced)" (e.g., _a and _b).
Then create a "Host(s)" alias containing the two externals created above.

Example Aliases for Multiple Domains:

- Microsoft_IPs_a External (advanced)
- Microsoft_IPs_b External (advanced)
- Microsoft_IPs Host(s)

2. Configure DNSMASQ on Port 53530

  •   Navigate to Services > DNSMASQ in the OPNsense web interface.
  •   Set DNSMASQ to listen on port `53530`.

Edit the DNSMASQ Configuration File

Access the firewall via CLI/SSH and edit the DNSMASQ configuration:

vi /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf
Example Configuration File:
Replace the domain names and alias names with those relevant to your environment.

# Add the response for certain A/AAAA lookups to an OPNsense alias
# (domains are listed between slashes, the target pf tables/aliases after the last slash)
ipset=/microsoft.com/windowsupdate.com/windows.net/Microsoft_IPs_a,Microsoft_IPs_b

# Keep these active (uncommented) if Unbound is still your primary DNS server;
# without them dnsmasq would use the system resolver, which points back at Unbound, and cause a loop
no-resolv
server=1.1.1.2
server=1.0.0.2
server=9.9.9.9
server=149.112.112.112

3. Configure Unbound DNS to Use DNSMASQ for Specific Domain Resolution

Unbound DNS will forward specific queries to DNSMASQ to handle the aliases.
Navigate to Services > Unbound DNS > Overrides and create an entry in "Domain Overrides".

Example Entry:

Domain: microsoft.com
IP: 127.0.0.1@53530

Domain: windowsupdate.com
IP: 127.0.0.1@53530

Domain: windows.net
IP: 127.0.0.1@53530

4. Create a Cron Job to Flush Alias Entries

To prevent aliases from growing indefinitely and containing obsolete data, set up a cron job to flush the alias entries periodically (e.g., every 48 hours).
Create the Action Configuration File

vi /usr/local/opnsense/service/conf/actions.d/actions_alias-flush.conf
Add the Following Content:

[flush]
command:/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables_blk.lock /usr/home/alias-flush.sh
parameters: %s
type:script_output
message:Alias IPs flushed
description:Flush IPs from alias

Restart configd so the new cron job command appears in the web interface

service configd restart
5. Create the Flush Script

This script will handle flushing the IPs from the specified alias.

vi /usr/home/alias-flush.sh
Add the Following Content:

#!/bin/sh
# Flush all entries from the pf table that backs an OPNsense alias.
# Usage: alias-flush.sh <alias name>  (the alias name is passed by the cron job parameters)

# Check if the alias name is provided as a parameter
if [ -z "$1" ]; then
    echo "Error: No alias name provided."
    exit 1
fi

ALIAS_NAME="$1"

# The alias name is also the pf table name; -T flush empties the table
pfctl -t "$ALIAS_NAME" -T flush

if [ $? -eq 0 ]; then
    echo "Alias '$ALIAS_NAME' flushed successfully."
    exit 0
else
    echo "Error while flushing alias '$ALIAS_NAME'."
    exit 1
fi

Make the Script Executable

chmod 755 /usr/home/alias-flush.sh

6. Schedule the Cron Jobs for Each Alias

Create a cron job for each alias to flush them alternately (e.g., `*_a` and `*_b`) every 48 hours.
This rotation ensures that the aliases do not accumulate obsolete data.

Example Cron jobs:
enabled: Check
Minutes: 4
Hours: 3
Days of the month: *
Months: *
Days of the week: 1,3,5,7
Command: Flush IPs from alias
Parameters: Microsoft_IPs_a (Must be the exact name of your external alias)
Description: Flush - Microsoft_IPs_a


enabled: Check
Minutes: 5
Hours: 3
Days of the month: *
Months: *
Days of the week: 2,4,6
Command: Flush IPs from alias
Parameters: Microsoft_IPs_b (Must be the exact name of your external alias)
Description: Flush - Microsoft_IPs_b

7. Configure Firewall Rules Using the Aliases

Create firewall rules based on your requirements and use the combined aliases.
When users perform DNS resolutions, the aliases will dynamically populate with the relevant IPs.

If Unbound has a cached resolution, the request might not be forwarded to DNSMASQ, preventing the client from communicating with the desired IP.
To resolve this issue, restart the Unbound service to clear the cache.
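The setup above only populates the alias if three things line up: every domain in the dnsmasq `ipset=` line has an Unbound domain override pointing at `127.0.0.1@53530`, and every alias name after the last slash of that line is an existing "External (advanced)" alias. The following POSIX sh script is an added consistency check written for this thread; it is not part of the post above, the gist, or OPNsense itself. It parses the `ipset=` syntax shown in step 2 and compares it against two constructed lists: the Unbound overrides written as hypothetical "domain ip@port" pairs (the GUI does not export them in that form, so copy them in by hand or adapt the format), and the alias names configured in step 1. Anything it prints is a gap that would leave the alias empty or point Unbound at a table that does not exist.

```shell
#!/bin/sh
# Constructed sample of /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf,
# mirroring the format used in the post (not read from a live firewall).
IPSET_CONF='# Add the response for certain A/AAAA lookups to an OPNsense alias
ipset=/microsoft.com/windowsupdate.com/windows.net/Microsoft_IPs_a,Microsoft_IPs_b
'

# Constructed list of Unbound "Domain Overrides" in a hypothetical
# "domain ip@port" notation; windows.net is deliberately missing.
OVERRIDES='microsoft.com 127.0.0.1@53530
windowsupdate.com 127.0.0.1@53530
'

# Constructed list of the "External (advanced)" aliases that exist on the box.
EXTERNAL_ALIASES='Microsoft_IPs_a
Microsoft_IPs_b
'

# ipset_domains CONF: print the domains of every ipset= line, one per line.
# An ipset= line is  ipset=/dom1/dom2/.../aliasA,aliasB  so the domains are
# everything between the leading slash and the last slash.
ipset_domains() {
    printf '%s\n' "$1" | sed -n 's|^ipset=/||p' | while IFS= read -r line; do
        doms=${line%/*}                 # drop the trailing alias list
        printf '%s\n' "$doms" | tr '/' '\n'
    done
}

# ipset_aliases CONF: print the alias (pf table) names, one per line.
ipset_aliases() {
    printf '%s\n' "$1" | sed -n 's|^ipset=/||p' | while IFS= read -r line; do
        printf '%s\n' "${line##*/}" | tr ',' '\n'
    done
}

# missing_overrides CONF OVERRIDES PORT: domains listed in ipset= that have no
# Unbound override forwarding them to 127.0.0.1@PORT. Unbound would answer
# those itself, dnsmasq would never see the lookup, and the alias stays empty.
missing_overrides() {
    conf=$1; overrides=$2; port=$3
    ipset_domains "$conf" | while IFS= read -r d; do
        if ! printf '%s\n' "$overrides" | grep -qFx "$d 127.0.0.1@$port"; then
            printf '%s\n' "$d"
        fi
    done
}

# unknown_aliases CONF KNOWN: alias names referenced by ipset= that are not
# defined as External (advanced) aliases (typos here are a silent failure).
unknown_aliases() {
    conf=$1; known=$2
    ipset_aliases "$conf" | while IFS= read -r a; do
        printf '%s\n' "$known" | grep -qFx "$a" || printf '%s\n' "$a"
    done
}

# Stand-alone report; every line printed below is something to fix.
echo "Domains lacking an Unbound override to 127.0.0.1@53530:"
missing_overrides "$IPSET_CONF" "$OVERRIDES" 53530
echo "Aliases referenced by ipset= that are not defined on the firewall:"
unknown_aliases "$IPSET_CONF" "$EXTERNAL_ALIASES"
```

On a real box you would replace the three constructed strings with `cat /usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf` and a hand-copied list of your overrides and alias names; the functions themselves do not depend on OPNsense binaries, so the check can also be run on a workstation before touching the firewall.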