pfSense

A somewhat related recent discussion http://forum.pfsense.org/index.php/topic,38741.0.html

For this to be useful or "complete" it would need a hybrid approach. You can't be sure that the spf record will also give you access to the google search and apps platforms.

I frequently run into this as well.

The idea of allowing a ASN number for firewall rules is tempting though, the easiest way to access this in a reasonably light fashion is by consulting a route-server that can give you all the networks.

This includes v6 and would make it worthwile. Pretty sure that route-servers have policies forbidding you to use it. I'd look into a package to see if that can work.

.. more thoughts. We could dump the ASN numbers to plain txt files to be picked up off a pfsense server or mirror. This could be done on a daily or hourly basis, as long as we have access to a route-server.
Another thought that just occured is that this would work really well for google, but not quite so well for other non content networks. Granular it isn't

"We could dump the ASN numbers to plain txt files to be picked up off a pfsense server or mirror"

Right, that would be another viable option, much like the /etc/rc.update_bogons.sh does for bogons.

Actually there are a number of txt files containing IP ranges in CIDR notation that could be added to pfSense (and I've seen them being used in other software firewalls) with scripts very much like the rc.update_bogons.sh-script, e.g. the lists by dshield.org or spamhaus.org e.g.

http://www.spamhaus.org/drop/drop.lasso
DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment.

DShield's current Most Active Attacking IPs
http://feeds.dshield.org/top10-2.txt
(Same data as is used on DShield.org Top 10 Most Wanted.)
0 = IP Address, 1 = Resolved domain of IP Address

etc

And such a targeted approach is much better than blocking entire countries, as some people do.

Lists like that can be added as URL table aliases in 2.0 (though the code may need adjusting so it only grabs the first parameter of the line in those format files). URL Table Aliases are aliases pointed at an arbitrary URL that contains a text list of CIDR networks, then you can use that alias in firewall rules however you like. The list is updated periodically.

The only option here is to create a transparent proxy for dns and hook that up with daemons as filterdns.
All other options will have their drawbacks.

Sure if you would want to "cover all the bases" you'd need to monitor DNS traffic and add IPs to the passthrough list, however for starters it could be something much simpler, like an enhanced version of /etc/rc.update_urltables with the changes that jimp mentioned (BTW note that the "Update Freq." option is inactive in firewall_aliases_edit.php in 2.0REL).

I do not like that since you cannot draw the line what is more important and what is to skip.