Author Topic: Limit AAAA name resolution for specific hosts  (Read 322 times)

pbnet
Limit AAAA name resolution for specific hosts
« on: December 11, 2017, 12:38:37 am »
Hello,

I have an O365 subscription with Microsoft, and Skype for Business 2016 is not connecting when using a dual-stack machine (aka IPv4 and IPv6).
After 4 months of troubleshooting with Microsoft, they still have no clue on how to fix the issue, and, honestly, I'm getting tired of troubleshooting by myself.
Is there a way I can limit the AAAA resolution for Webdir.online.lync.com so that the name could only be resolved on IPv4?
Has anyone done such a limitation on pfSense 2.4.2?

Thanks a lot,
Andy.

johnpoz
Re: Limit AAAA name resolution for specific hosts
« Reply #1 on: December 11, 2017, 03:05:06 am »
Are you using the forwarder or the resolver in pfSense? dnsmasq or unbound?

In unbound custom option box
local-data: "Webdir.online.lync.com IN AAAA ::"

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

pbnet
Re: Limit AAAA name resolution for specific hosts
« Reply #2 on: December 11, 2017, 07:26:35 am »
I think it's DNSMasq.
dnsmasq DNS Forwarder

As far as it looks, it's a forwarder using DNSMasq.

Any ideas?

Thanks.

johnpoz
Re: Limit AAAA name resolution for specific hosts
« Reply #3 on: December 11, 2017, 07:58:06 am »
The default is the resolver.. why would you be using the forwarder? But sure, you can do the same sort of thing in the forwarder.

In the dnsmasq.conf

server=/Webdir.online.lync.com/#
address=/Webdir.online.lync.com/::

should be able to put that in the custom options.

pbnet
Re: Limit AAAA name resolution for specific hosts
« Reply #4 on: December 11, 2017, 12:59:23 pm »
Thanks a lot johnpoz.
Works like a charm now.

pbnet
Re: Limit AAAA name resolution for specific hosts
« Reply #5 on: December 26, 2017, 03:09:54 pm »
Sorry to re-open the thread.
I've switched to DNS Resolver and unbound.
How do I make the same settings with unbound (DNS Resolver) ?

Thanks.

johnpoz
Re: Limit AAAA name resolution for specific hosts
« Reply #6 on: December 26, 2017, 09:10:43 pm »
Gave you that answer in my first post ;)

In unbound custom option box
local-data: "Webdir.online.lync.com IN AAAA ::"

You most likely will need server: above that..  See screen shot..

pbnet
Re: Limit AAAA name resolution for specific hosts
« Reply #7 on: December 27, 2017, 03:45:49 am »
Thanks a lot!!! (again :) )

johnpoz
Re: Limit AAAA name resolution for specific hosts
« Reply #8 on: December 27, 2017, 04:23:40 am »
You can do it in the gui too... Just a simple host override.

Which should work for both the forwarder and unbound. Just set it in whichever one you're using.. The command way would be for sure easier if you wanted to block a whole bunch of hosts.. There is a way to do it for a whole domain as well with an unbound python script.. There is a thread around here about that method; fixing Netflix over HE, I think, was the problem they were looking to correct with that method.

edit: Here is the link to that thread about the unbound python script.. Works.. So that is another option for you.
https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158
« Last Edit: December 27, 2017, 04:26:42 am by johnpoz »
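
Added example, not part of the thread: one way to confirm from a LAN client that the unbound or dnsmasq override discussed above is in effect is to send an AAAA query to the firewall's resolver and check that the reply carries either no AAAA record or only `::`. The function names, the transaction ID and the `sample_response` helper (a constructed reply for offline use) are assumptions made for this sketch.

```python
import ipaddress, socket, struct

AAAA = 28  # DNS record type for IPv6 addresses

def build_query(name, qtype=AAAA, txid=0x1234):
    """Encode a recursive DNS query for `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def aaaa_answers(msg):
    """Extract the AAAA addresses from the answer section of a response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == AAAA and rdlen == 16:
            found.append(ipaddress.IPv6Address(msg[off:off + 16]))
        off += rdlen
    return found

def override_active(msg):
    """True when the reply carries no usable IPv6 address (none, or only '::')."""
    return all(addr.is_unspecified for addr in aaaa_answers(msg))

def check(resolver, name, timeout=3.0):
    """Query `resolver` (e.g. the firewall's LAN address) over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return override_active(s.recv(4096))

def sample_response(name, addr):
    """Constructed reply for offline use: one AAAA record for the queried name."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", AAAA, 1, 60, 16) + ipaddress.IPv6Address(addr).packed
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query(name)[12:] + rr
```

Calling `check("<resolver LAN address>", "Webdir.online.lync.com")` from a client returns `True` once the override is loaded; a `False` result means a real IPv6 address is still being handed out, for example because the client is using a different DNS server.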