On Wednesday, September 07, 2011 11:13 PM, "Theo de Raadt" <dera...@cvs.openbsd.org> wrote:

> > How does PF update a table with hostnames resolved by round-robin
> > DNS? Is it just the first DNS response that is added to the table,
> > or multiple DNS responses?
>
> pf doesn't do this, since it is in the kernel. pf only knows about
> addresses. It does not know about hostnames.
>
> pfctl is what is doing this; so this DNS translation happens when you
> run pfctl. So it depends on whether your pf.conf is dynamically
> adding it each time you run it. And if you only run pfctl once...
>
> > For example, is it possible to block a well-known social networking
> > site which resolves to multiple IP addresses, using a PF table
> > <socialnet> with just the hostname of the website?
>
> No. What you want is to expand to all of the addresses. Since
> addresses keep being added for such hostnames on the fly, it won't work.
Thank you Theo.
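As an added illustration of the behaviour Theo describes (this is not from the thread or from the OpenBSD project), the pf.conf fragment below shows a hostname-based table and, in comments, the pfctl commands that perform the resolution; the table name <socialnet> comes from the question, and the hostname www.example.com and the hosts file path are assumptions.

```conf
# /etc/pf.conf fragment (added example; hostname and file path are assumptions).
# pfctl resolves www.example.com when this file is loaded. The kernel table
# only ever holds the addresses returned by DNS at that moment.
table <socialnet> persist { www.example.com }

block out quick to <socialnet>

# Load the ruleset. Resolution happens here, in pfctl, not in pf:
#   pfctl -f /etc/pf.conf
# Inspect what actually ended up in the kernel table:
#   pfctl -t socialnet -T show
# Round-robin DNS hands out different addresses over time, so the table
# only tracks them if pfctl is re-run, e.g. from cron, against a file of
# hostnames (one per line):
#   pfctl -t socialnet -T replace -f /etc/pf.socialnet.hosts
# Addresses that DNS did not return in that particular answer are still
# not covered, which is why a hostname table is not a reliable block for
# a site that resolves to many addresses.
```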