hi, ok i try to explain how it works

after i resolve a name, i get one or more ips. they are added to the pf table by pfctl -ttablename -Tadd resolvedip(s). all these ips have an internal expire time. i compare this time at every interval with the current time. if i get the same ip from the resolve again, i renew the expire time to current. if i never get the same ip again, i delete the ip from the pf table after the expire time is over. i run the daemon with an expire time of 4 hours and it works fine.

additionally i drop the internal ip list to a file that you can use for a reload of the firewall rules.

it doesn't matter if you have a name that changes the ip quickly (DNS TTL 30 for example), or if the dns response has multiple ip addresses.

i hope the explanation makes clear what i do with the daemon.

holger

p.s. excuse my ugly english

> On 9 September 2011 08:54, Holger Glaess <gla...@glaessixs.de> wrote:
>> hi
>>
>> i wrote a perl daemon to handle all these situations.
>>
>> it resolves the server name and adds or deletes the ip(s) to a specific
>> table.
>>
>> maybe it's time to work on a package for ports.
>>
>> holger
>
> Maybe I'm terribly confused (so bear with me), but isn't the trouble
> with these round-robin DNS CDN type of situations that most near any A
> record resolution request is likely to return a different IP address
> than before? So given that, how would updating your pf.conf (table)
> with a given IP (even a few given IPs) do any good if you're not also
> running a proxy server or DNS server?
>
> I mean, wouldn't this just cause your Perl daemon to dutifully update
> a table for, say, hostname.tld to IP w.x.y.z, only to have the next
> client just moments later get a response of IP a.b.c.d from the remote
> DNS server? Which at that point in time wouldn't be covered by your PF
> table/rules at all?
>
> Am I terribly confused? What am I missing?
>
> regards,
> --ropers
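The expiry scheme Holger describes (every resolved address enters the table, each sighting renews its timer, and an address is only removed once its timer has run out without it being seen again) is what answers ropers' round-robin concern: addresses the CDN rotated through in the last few hours all stay in the table at once. The following is an added illustration of that bookkeeping, not Holger's Perl daemon; it is written in Python, assumes a table called cdn_hosts and a 4-hour expiry, and the resolver results in demo() are constructed so that it runs offline and never executes pfctl unless run=True is passed.

```python
"""Keep DNS-resolved addresses in a pf table with a per-address expiry.

Added example of the add / renew / expire scheme from the mail thread.
Assumptions: table name 'cdn_hosts', 4-hour expiry, and constructed
resolver results in demo(); pfctl is only executed when run=True.
"""
import shlex
import socket
import subprocess
import time


def resolve(name):
    """Return the sorted set of IPv4/IPv6 addresses a name currently resolves to."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


class PfTableTracker:
    def __init__(self, table, expire_seconds=4 * 3600, run=False):
        self.table = table
        self.expire_seconds = expire_seconds
        self.run = run            # False: only build the pfctl command lines
        self.expiry = {}          # ip -> unix time at which it is dropped

    def observe(self, ips, now=None):
        """Record one resolver answer; return (added, deleted) address lists.

        Every address in `ips` gets its expiry renewed to now + expire_seconds;
        addresses not seen again whose expiry has passed are deleted.
        """
        now = time.time() if now is None else now
        added = [ip for ip in ips if ip not in self.expiry]
        for ip in ips:
            self.expiry[ip] = now + self.expire_seconds   # renew on every sighting
        deleted = sorted(ip for ip, t in self.expiry.items() if t <= now)
        for ip in deleted:
            del self.expiry[ip]
        return added, deleted

    def commands(self, added, deleted):
        """Build the pfctl invocations for one observation (argv lists)."""
        cmds = []
        if added:
            cmds.append(["pfctl", "-t", self.table, "-T", "add", *added])
        if deleted:
            cmds.append(["pfctl", "-t", self.table, "-T", "delete", *deleted])
        return cmds

    def apply(self, ips, now=None):
        """Observe one resolver answer and apply (or just return) the pfctl commands."""
        added, deleted = self.observe(ips, now)
        cmds = self.commands(added, deleted)
        if self.run:
            for cmd in cmds:
                subprocess.run(cmd, check=True)
        return [shlex.join(cmd) for cmd in cmds]

    def snapshot(self):
        """Current table contents, one address per entry, sorted."""
        return sorted(self.expiry)

    def dump(self, path):
        """Write the address list to a file usable for a rule reload."""
        with open(path, "w") as fh:
            fh.write("\n".join(self.snapshot()) + "\n")
        return self.snapshot()


def demo():
    """Constructed sequence of resolver answers (not real DNS data).

    Four polls of a name whose answers rotate; returns the pfctl command
    lines each poll produced, which shows addresses only leaving the table
    once they have gone unseen for the full expiry window.
    """
    hour = 3600
    t = PfTableTracker("cdn_hosts", expire_seconds=4 * hour)
    polls = [
        (0 * hour,     ["203.0.113.10", "203.0.113.11"]),   # first answer
        (1 * hour,     ["203.0.113.11", "203.0.113.12"]),   # .10 rotated out, .11 renewed
        (4 * hour + 1, ["203.0.113.12"]),                   # .10 unseen for > 4h: delete
        (5 * hour,     ["203.0.113.12"]),                   # .11 expires in turn
    ]
    return [t.apply(ips, now=now) for now, ips in polls]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Run with run=False (the default) it prints the pfctl command lines it would have executed, which is a convenient way to check the expiry behaviour before letting it touch a live ruleset; the dump file gives the same list a pf.conf `table <cdn_hosts> file "/path"` directive can load at reload time.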