Firewall rule not working as expected

[adk20]

Dear forum,

I'm a bit puzzled.

I have a firewall deny rule that blocks access to a particular domain by means of an alias that I have created for that domain.

The rule has been working fine for months. Then I observed that the domain is accessible all of a sudden. I didn't touch the firewall config. For debugging purposes, I enabled logging for the rule in question and, voila, the rule works again as it should.

Any hints are much appreciated.

Thanks,
adk

[clarknova]

When you use a domain name for an alias, OPNsense will do a DNS lookup on that name and then store the resolved IP address(es) for that alias. Some sites have many IP addresses, and not all of these will be returned on a DNS lookup. So when a local host tries to access the domain in question, it will do a DNS lookup and may get an address back that doesn't match the address in the firewall's alias, and so access to that site is not blocked.

If you need to block a domain with OPNsense, you can do multiple DNS lookups and add all of the returned IP addresses to your alias. Another option would be to have your DNS service return 127.0.0.1 for that domain. You may have other options through upper-layer filters such as suricata or some plugin.

[Saarbremer]

Hi,

DNS aliases can be periodically updated when use URL tables.
https://docs.opnsense.org/manual/aliases.html#url-tables

For more complex domains with a lot of subdomains or CDNs involved you may want to look into DNS based blocking or an HTTPS proxy.