Bug #7958
closed
Upgrade 2.4.0: IP alias with FQDN doesn't work any more
Added by Grischa Zengel about 7 years ago. Updated about 5 years ago.
Description
I'm not alone with this problem, so I decided to open an issue on this:
https://forum.pfsense.org/index.php?topic=138179.0
Updated by Jim Pingle about 7 years ago
- Status changed from New to Not a Bug
- Priority changed from High to Normal
It works fine here on several firewalls and there is nowhere near enough detail here or on the linked thread to suggest a bug. We rely heavily on this functionality internally and if it was actually broken, everything would have ground to a halt. Please discuss it more on the thread and post more information about the alias, rules, DNS setup, log entries from filterdns, contents of the alias on Diag > Tables, etc.
Updated by Grischa Zengel about 7 years ago
Some more info:
I'm using Domain Overrides.
I put www.google.de and a host from my Domain Overrides into a table and only 2 google IPs (ipv4 + ipv6) are in this table.
Could it be that you ignore non-authoritative answers? Or that you query the wrong DNS?
Updated by Jim Pingle about 7 years ago
You cannot rely on alias resolution for domains which return random sets of addresses. That will never work properly as clients will get a different random result from the firewall. It is not intended to, nor can it, work that way.
Updated by Grischa Zengel about 7 years ago
It was a test with google ...
The point is that the other addresses are not shown.
And before the update it worked as expected.
Updated by Jim Pingle about 7 years ago
If it ever worked, it was by luck alone.
When I try to resolve www.google.de, I only receive two responses (one IPv4, one IPv6), no matter which DNS server I query, and the answers differ depending on which server I try.
There is no bug here, please keep the discussion on the forum.
Updated by Grischa Zengel about 7 years ago
OK. Now have a look at the forum.
It looks like filterdns stops working and after a big change a second one will be started.
Updated by Snarf Attack almost 7 years ago
I have the same issue. filterdns appears to hang and must be killed for this to function. If not, any host based alias fails to function entirely. If I mix IPs and FQDNs in an alias list, it fails to populate the table with anything.
Updated by Edgardo Rodriguez over 6 years ago
Hi,
I am also having the same issue, and it's quite annoying...
In my case, filterdns keeps running but in a "dumb" state:
I have this alias, for example:
INTERNET_ALLOWED_DST test.com,test1.com
But when going to Diagnostics>Tables, that table only shows the IP of "test1.com".
If I send a SIGHUP to the running filterdns process, it does this:
Feb 26 15:23:21 serverc filterdns: adding entry 69.172.200.235 to pf table INTERNET_ALLOWED_DST for host test.com
Feb 26 15:23:29 serverc filterdns: clearing entry 69.172.200.235 from pf table INTERNET_ALLOWED_DST on host test.com
As soon as the entries are added, they are immediately removed.
The only partial resolution is to kill the running instance and start a brand new one; after a few days the same will happen, and so on...
Running pfSense 2.4.2.
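A way to find the add-then-clear pattern from the log lines quoted above across a larger syslog file (an added example, not part of the original comment and not pfSense code; the 60-second window, the pinned year and the function names are assumptions):

```python
import re
from datetime import datetime

# Formats taken from the two filterdns syslog lines quoted in the comment above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterdns: "
    r"(?P<op>adding|clearing) entry (?P<ip>\S+) (?:to|from) pf table "
    r"(?P<table>\S+) (?:for|on) host (?P<host>\S+)$"
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog omits the year; pin one (assumption) so timestamps can be compared.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["op"], m["ip"], m["table"], m["host"]

def find_flapping(lines, window_seconds=60):
    """Return (table, host, ip, seconds) for entries cleared soon after being added."""
    added = {}   # (table, host, ip) -> time of the most recent "adding entry"
    flaps = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not an add/clear line
        ts, op, ip, table, host = rec
        key = (table, host, ip)
        if op == "adding":
            added[key] = ts
        elif key in added:
            delta = (ts - added.pop(key)).total_seconds()
            if 0 <= delta <= window_seconds:
                flaps.append((table, host, ip, int(delta)))
    return flaps

# First two lines are from the comment; the last two are constructed for the example.
SAMPLE_LOG = """\
Feb 26 15:23:21 serverc filterdns: adding entry 69.172.200.235 to pf table INTERNET_ALLOWED_DST for host test.com
Feb 26 15:23:29 serverc filterdns: clearing entry 69.172.200.235 from pf table INTERNET_ALLOWED_DST on host test.com
Feb 26 15:23:30 serverc filterdns: adding entry 192.0.2.10 to pf table INTERNET_ALLOWED_DST for host test1.com
Feb 26 15:40:02 serverc filterdns: some unrelated message
""".splitlines()

if __name__ == "__main__":
    for table, host, ip, secs in find_flapping(SAMPLE_LOG):
        print(f"{table}: {host} ({ip}) cleared {secs}s after being added")
```

An alias that feeds a pass rule silently stops matching when its entry is cleared, so hits from this check are worth alerting on rather than only reviewing after users report connection failures.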
Updated by Edgardo Rodriguez over 6 years ago
Additional info... Seems to be related to pfBlockerNG in my case. Since removing that pkg, it's no longer behaving like this. Also, while pfBlockerNG runs, the filterdns process seems to receive many SIGHUPs until it finally stays in a dumb state...
Updated by Robert Gijsen almost 6 years ago
We're running 2.4.4-RELEASE-p2 (amd64), but the issue is still there for us. Over the last two weeks I've had two occurrences of strange issues, people being unable to connect and such, and it turned out SOME of the aliases weren't resolved. So far the only thing that helps is killing filterdns as people suggested. I see it's still classified as no bug, but I think too many people have reported this now.
Updated by Jim Pingle almost 6 years ago
filterdns has been rewritten since this bug report. If there is an issue now, it is likely covered by #9296
Updated by Netnewb net about 5 years ago
I believe this one's different from #9296. I've 2 x 2.4.4-p3 in different locations but with similar configs and I'm affected by this bug, much the same way other posters above describe it, with one difference: I have to look for aliases with dead FQDNs and delete them. Then I restart filterdns to properly update the filterdns tables.
Steps to reproduce:
- Create DHCP static mapping
- Create Alias with FQDN for the static mapping created above
- Delete DHCP static mapping
- Creating or editing aliases from now on won't update filterdns entries for the aliases until I delete the Alias from step 2. I can see the entry in Diagnostics - Tables, but no IPs. Restarting filterdns or pfSense doesn't update the tables until I delete the dead alias.
- Using Domain overrides
- Registering leases in DHCP resolver
- using (mostly internal) FQDNs in Aliases