OPNsense Forum » Archive » 19.7 Legacy Series
Topic: DNS mismatch firewall alias table and host query (Read 2717 times)
JasMan (Full Member, Posts: 175, Karma: 9)
DNS mismatch firewall alias table and host query
on: September 13, 2019, 06:09:37 pm
Hey,
I've a question regarding firewall rules, DNS and host aliases.
I would like to allow an internal host to talk to an external host. Therefore I created a host alias with the FQDN of the external host, and added it to the firewall rule as destination.
The firewall did a DNS query for this external host alias and saved the resolved IP addresses to its pfTables.
Now the internal host tries to connect to the external host. It does a DNS query and gets different IP addresses than the firewall got for the host alias. This means the rule doesn't match, and the internal host is not able to connect to the external host.
I did some nslookups for the external host, and nearly every second query I got back different IP addresses.
What would be the best way to solve this? Should I create an alias with all the resolved IP addresses? I count over 20 different addresses.
Jas
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
ruffy91 (Jr. Member, Posts: 79, Karma: 9)
Re: DNS mismatch firewall alias table and host query
Reply #1 on: September 13, 2019, 06:19:42 pm
The technically correct method for the OPNSense would be to cache the alias IPs for the ttl of the DNS entry and also add the IPs that clients resolve on the OPNSense on the fly (maybe using passivedns?)
Your solution will be to use the vendor website or the reverse DNS of the IPs to find out if the CDN provider also has a DNS A record that includes all the IPs which serve this website, and use it for your alias.
JasMan (Full Member, Posts: 175, Karma: 9)
Re: DNS mismatch firewall alias table and host query
Reply #2 on: September 13, 2019, 10:05:04 pm
@ruffy91: Cool, thank you for your quick response.
The CDN is Amazon's Cloudfront.net. I'm not sure how a CDN exactly works. But I guess the source I want to access can move to any other IP of this CDN. So I've searched for the ASN ID and created a URL IP table alias with the query link:
http://asn.blawk.net/16509
Wow, that is a lot of addresses. But better than allowing the client to access the whole Internet.
ruffy91 (Jr. Member, Posts: 79, Karma: 9)
Re: DNS mismatch firewall alias table and host query
Reply #3 on: September 14, 2019, 08:32:36 am
Most of the time the CDN providers also give their customers an A record which contains only the IPs that are used to serve their content.
Edit:
Cloudfront has a list as json:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
Edit2:
I think the correct way to implement this kind of filtering would be using the proxy and only whitelist the required URLs.
Last Edit: September 14, 2019, 08:40:11 am by ruffy91
JasMan (Full Member, Posts: 175, Karma: 9)
Re: DNS mismatch firewall alias table and host query
Reply #4 on: September 14, 2019, 01:59:57 pm
I also found the json list, but I'm not sure how to import it to an alias.
To use the proxy is a good idea too. But I would prefer an with the needed ranges.
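As an added example (not code from the thread or from the OPNsense project), here is one way to turn the CloudFront range list mentioned in Reply #3 into something a URL Table alias can fetch, and to check whether the addresses a client resolved are actually covered. It assumes the layout of the ip-ranges.json document that AWS publishes (top-level "prefixes" entries with "ip_prefix", "region" and "service", plus "ipv6_prefixes" with "ipv6_prefix"), and that the alias accepts a plain text file with one CIDR per line; the JSON document below is constructed, not real AWS data.

```python
"""Build a one-CIDR-per-line alias body for one AWS service from ip-ranges.json."""
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (assumed layout; values are documentation ranges, not real AWS prefixes)
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def service_prefixes(doc, service="CLOUDFRONT"):
    """Return the v4 and v6 networks tagged with `service`, merged and deduplicated."""
    data = json.loads(doc)
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in data.get("prefixes", []) if p["service"] == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in data.get("ipv6_prefixes", []) if p["service"] == service]
    # collapse_addresses merges adjacent or overlapping blocks (two /25 -> one /24)
    # and drops duplicates; it must be called per address family.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def alias_table_body(networks):
    """One CIDR per line, the text form a URL Table alias is assumed to fetch."""
    return "\n".join(str(n) for n in networks) + "\n"


def uncovered(resolved_ips, networks):
    """Client-resolved addresses that fall outside the alias; empty means the rule matches."""
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in n for n in networks)]


if __name__ == "__main__":
    nets = service_prefixes(SAMPLE_IP_RANGES)
    print(alias_table_body(nets), end="")
    # Constructed: addresses a client might have received for the CDN hostname
    print("uncovered:", uncovered(["203.0.113.77", "198.51.100.9"], nets))
```

Write the output of alias_table_body() to a file served over HTTP and point the URL Table (IPs) alias at it; re-run on a schedule, because the published ranges change.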