In Firewall Builder, when you use the DNS Object and set it to run time, when exactly does the firewall (iptables in our case) actually resolve the DNS name?
- Is it whenever a call is made to that DNS name in the firewall? So the firewall would resolve the name on the fly whenever someone/something tries to access that DNS name?
- Or is it when you execute the fw script to load the rules into iptables? So in this case, it would resolve the DNS name that one time and then hard-code the resulting ip address into the iptable rules?
From what I read, I think it's #1, but it's just not 100% clear to me. We have two servers for a certain function on our network. One is the primary server and one is backup.
alpha0.domain.com
alpha1.domain.com
In DNS we have this:
alpha.domain.com -> alpha0.domain.com
If the primary server goes down and we need to switch to the backup, I just change our local DNS record to point to alpha1.domain.com instead.
So back to the firewall, if I just put in a Domain Object as alpha.domain.com, do I have to reload the firewall rules every time we switch to the backup alpha server and change the DNS record? Or will the firewall automatically resolve to the correct address even after the switch?
iptables only deals with IP addresses. When you specify a DNS name in an iptables rule, the iptables userspace program does a one-time lookup and loads the IP address into the kernel.
fwbuilder either outputs the IP address (compile time) or DNS name (runtime) in the rulesets it generates. But that doesn't change the fact that iptables only does a one-off lookup of the DNS name.
So you'd have to reload the rules each time.
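An added example (not fwbuilder's or iptables' own code) that follows from the answer: since the kernel only ever holds the address resolved at load time, a small check can compare the addresses present in `iptables-save` output against what DNS returns now and report which rules went stale, so the reload happens exactly when the alpha record is repointed. It assumes the rules carry an `-m comment` naming the host they were generated for; the hostnames, addresses and `iptables-save` lines are constructed sample data.

```python
"""Report iptables rules whose hard-coded source address no longer matches DNS.

Added example, not fwbuilder's own code. iptables resolves a hostname once when
the rule is loaded, so a rule built for alpha.domain.com keeps the old address
after the DNS record is repointed. This compares the loaded addresses with a
fresh resolution so a reload can be triggered only when they differ.
"""
import re
import socket
from typing import Callable, Dict, List, Set

# Constructed iptables-save excerpt: loaded while alpha.domain.com still
# pointed at alpha0 (192.0.2.10). Assumes each rule carries a comment naming
# the host it was generated for, since the kernel only stores the address.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 5432 -m comment --comment "alpha.domain.com" -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -m comment --comment "mgmt.domain.com" -j ACCEPT
COMMIT
"""

# Constructed "current DNS" view: alpha has been switched to alpha1 (192.0.2.11).
SAMPLE_DNS = {"alpha.domain.com": {"192.0.2.11"}, "mgmt.domain.com": {"198.51.100.7"}}

_RULE_RE = re.compile(r'^-A \S+ .*?-s (\d+\.\d+\.\d+\.\d+)(?:/32)? .*--comment "([^"]+)"')


def loaded_addresses(save_output: str) -> Dict[str, Set[str]]:
    """Map the hostname in each rule's comment to the source IPs actually loaded for it."""
    found: Dict[str, Set[str]] = {}
    for line in save_output.splitlines():
        m = _RULE_RE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(m.group(1))
    return found


def resolve_live(name: str) -> Set[str]:
    """Real IPv4 resolver for production use; tests inject SAMPLE_DNS instead."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def stale_rules(save_output: str, resolver: Callable[[str], Set[str]]) -> List[str]:
    """Return hostnames whose loaded address set differs from what DNS returns now."""
    return sorted(name for name, ips in loaded_addresses(save_output).items()
                  if ips != resolver(name))


if __name__ == "__main__":
    # With the constructed data only alpha.domain.com is stale, so only it needs a reload.
    print(stale_rules(SAMPLE_RULES, lambda n: SAMPLE_DNS[n]))
```

In production you would feed it the real `iptables-save` output and `resolve_live`, and reload the fwbuilder script when the list is non-empty.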