Other Solution for non-blocking renewal of resolved hostname tables in firewalls.

Sorry for the stupidity. I had to look up what you were talking about:

dig records and store in syslog or syslog-ng? Is that roughly what you want? Keep track how? Archived?
 
If you have to allow outbound access to a list of hostnames in a firewall rule you have a problem when they change their IPs in a way that you cannot predict anymore.
While allowing a not too large address range may be a solution, it often is not.

So how to synchronize changing IPs with firewall rules?

You could try to resolve the lists, say, every 10 minutes and feed the resolved IPs into firewall tables. You could try to increase the frequency and run into problems when processing takes too much time.

What works is using the TTL to resolve just in time only those entries which need an update. Which firewall or which utility provides such a feature, keeping track of resolving the given hostnames and updating the rules?
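The just-in-time approach described above, as an added example that is not from the original thread or from any firewall project: a small scheduler keeps one expiry time per hostname in a heap, re-resolves only the names whose TTL has run out, and emits the add/delete diff against the current table contents. The resolver is a constructed stub with canned answers so the script runs offline; the hostnames, addresses and TTLs are made up, and the pfctl(8) rendering at the end is only one possible backend. The TTL floor and ceiling are my additions: a floor keeps a zone advertising TTL 0 from forcing constant refreshes, and a ceiling bounds how stale an entry can get.

```python
"""TTL-driven, just-in-time refresh of a resolved-hostname firewall table.

Added illustration; the DNS answers below are constructed, not real records.
"""
import heapq
import ipaddress
from dataclasses import dataclass

# Constructed answers: name -> successive rounds of (ip, ttl_seconds).
# Each call of the stub resolver advances one round so answers can change.
FAKE_ANSWERS = {
    "api.example.test": [
        [("198.51.100.10", 60), ("198.51.100.11", 60)],
        [("198.51.100.11", 60), ("198.51.100.12", 60)],
    ],
    "cdn.example.test": [
        [("203.0.113.5", 300)],
        [("203.0.113.5", 300)],
    ],
}


def make_stub_resolver(script):
    """Return a resolver function that replays the constructed answers."""
    rounds = {name: 0 for name in script}

    def resolve(name):
        answers = script[name]
        idx = min(rounds[name], len(answers) - 1)
        rounds[name] += 1
        return answers[idx]

    return resolve


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


@dataclass
class Entry:
    name: str
    ips: frozenset = frozenset()
    expires_at: float = 0.0


class TtlTableSync:
    """Keeps a firewall table in sync with DNS, re-resolving a name only
    when its TTL has expired instead of reloading everything on a timer."""

    def __init__(self, names, resolver, min_ttl=30, max_ttl=3600):
        self.resolver = resolver
        self.min_ttl = min_ttl          # floor: a TTL of 0 must not mean "refresh constantly"
        self.max_ttl = max_ttl          # ceiling: bound staleness for very long TTLs
        self.entries = {n: Entry(n) for n in names}
        self.heap = [(0.0, n) for n in names]   # everything is due at t=0
        heapq.heapify(self.heap)
        self.table = set()              # what the firewall table currently holds

    def next_due(self):
        """Earliest time at which some entry needs re-resolving (sleep until then)."""
        return self.heap[0][0] if self.heap else None

    def tick(self, now):
        """Refresh every entry due at `now`; return [("add"|"delete", ip), ...]."""
        while self.heap and self.heap[0][0] <= now:
            _, name = heapq.heappop(self.heap)
            entry = self.entries[name]
            try:
                answers = self.resolver(name)
            except Exception:
                # Lookup failed: keep the last known addresses rather than
                # tearing them out, and retry after the floor interval.
                heapq.heappush(self.heap, (now + self.min_ttl, name))
                continue
            entry.ips = frozenset(ip for ip, _ in answers if _valid_ip(ip))
            ttl = min((t for _, t in answers), default=self.min_ttl)
            entry.expires_at = now + max(self.min_ttl, min(ttl, self.max_ttl))
            heapq.heappush(self.heap, (entry.expires_at, name))
        # Desired table = union over all names, so an address still served by
        # another name is not deleted when one name drops it.
        desired = set()
        for e in self.entries.values():
            desired |= e.ips
        changes = [("add", ip) for ip in sorted(desired - self.table)]
        changes += [("delete", ip) for ip in sorted(self.table - desired)]
        self.table = desired
        return changes


def pfctl_commands(table, changes):
    """Render a change list as pfctl(8) table operations (one possible backend)."""
    return [f"pfctl -t {table} -T {action} {ip}" for action, ip in changes]


def demo():
    """Three ticks of simulated time; returns [(now, changes), ...]."""
    sync = TtlTableSync(list(FAKE_ANSWERS), make_stub_resolver(FAKE_ANSWERS))
    return [(t, sync.tick(t)) for t in (0, 30, 60)]


if __name__ == "__main__":
    for now, changes in demo():
        print(f"t={now:>3}s:", pfctl_commands("allowed_hosts", changes) or "no change")
```

In the demo, t=0 loads both names, t=30 does nothing because no TTL has expired, and t=60 re-resolves only api.example.test, adding the new address and deleting the one that disappeared while cdn.example.test (TTL 300) is left alone. A real deployment would replace the stub with an actual lookup that returns the answer TTLs, sleep until `next_due()`, and push the diff to the firewall.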
 
Well, now I understand the question 😉

Unfortunately, I'm not aware of any tool doing that. I would expect to keep this outside the firewall (after all, it's a different concern, the firewall should operate on the routing/transport layer I guess, so it makes sense that names are just resolved once when loading a set of rules or a table ...). But then, there's an interface for dynamically updating tables, so one could imagine a separate daemon keeping that updated based on names, maybe something like that exists?

You could try to resolve the lists, say, every 10 minutes and feed the resolved IPs into firewall tables. You could try to increase the frequency and run into problems when processing takes too much time.
I'm not even sure this would be a problem in practice? If you just use the system's resolver, this already takes TTL into account and will answer from its local name service cache if possible?
 
At least pf(4) does not work that way.
Host name resolution and interface to address translation are done at ruleset load-time. When the address of an interface (or host name) changes...the ruleset must be reloaded for the change to be reflected in the kernel.

You'd have to write a script that reloads the rules as often as your lowest TTL to ensure you don't have stale IP addresses.
 