Bug #4124
closedAlias FQDNs don't permit trailing period
0%
Description
On page
https://pfsense/firewall_aliases_edit.php?id=xx
for alias type network(s) entering an FQDN with trailing period is rejected with a syntax error.
Bug exists in 2.1.5 too.
Updated by Phillip Davis about 10 years ago
Yes, that is annoying for people who want/like/need to put the correct whole FQDN, including the root domain ".".
e.g. I have an internal domain "net.companyname.org." and inside that there might be "abc.net.companyname.org."
But there is also a real site "abc.net."
When I am sitting on a client in "companyname.org." (default domain suffix is "companyname.org.") and ask for "abc.net" it can give me "abc.net.companyname.org." or "abc.net." - it is ambiguous. In that case I want to explicitly specify "abc.net." to get the outside site.
So, IMHO, pfSense should allow the final "." also, to avoid any ambiguous situations there may be (e.g. when there is a pfSense inside an intranet that does DNS out through an upstream company device that might turn "abc.net" into "abc.net.mycompany.org" or...
Looking at the allowable syntax of is_hostname and is_domain in /etc/inc/util.inc, I think the same set of strings can be host or domain name - just with the exception of "aaa." form (I do not think it is allowed to have a host directly in the root domain "."?)
References like browsing to "//abc.net.:80" work OK - functions like is_hostnamewithport() would end up validating true "abc.net.:80) - but that should all work.
Other code that asks for separated host name and domain name in 2 fields (DNS Forwarder/Resolver add host override is an example) already validates with is_unqualified_hostname() which rejects putting any "." in there. So a change to is_hostname() does not break that.
I tried allowing the "." at the end in an Alias, and I get a good pf table with the correct IP addresses looked up.
Updated by Phillip Davis about 10 years ago
I made pull request https://github.com/pfsense/pfsense/pull/1394
That solution enables the validation of things like "myhost.com." "myhost.mycompany.com." and NOT "myhost." in is_hostname()
That enables generic validation of this throughout the pfSense code. I can't think of how this will break stuff, and it certainly works OK for Alias entry that I tested. But there might be a lot of things to test to make sure that anywhere the trailing dot can now be entered, it also works.
Updated by Chris Buechler about 10 years ago
- Status changed from New to Feedback
- Target version set to 2.2
- Affected Version changed from 2.2 to All
pull request merged. seems fine, leaving for now for further testing.
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Resolved
all seems fine here