Publish the list of the monitoring nodes via multiple DNS records
When our firewall (PFSense) is given a DNS record (such as monitors.updown.io), it will regularly query this record and turn it into a list of IP addresses - which are allowed to enter our internal network via NAT to query servers.
So if you can set up and update something like monitors.updown.io with the 8 A records to Canada, Los Angeles, Frankfurt... we would have nothing to configure or update on our multiple firewalls 😄
OK, I have created ips.updown.io, which will hold all IPv4 and IPv6 addresses for all daemons.
Documentation: https://updown.io/api#dns
-
For the record, I just added documentation for this at https://updown.io/api#dns
-
OK, thanks for the confirmation :)
-
Cilex commented
ips.updown.io works perfectly!
Thank you!
---
Update: it didn't work immediately; I had to change the FQDN to something dummy and then change it back to the correct value...
-
Thanks @Stefan for this comment, I'm sure it'll be helpful to others!
-
Stefan Schmidbauer commented
I'm running my systems on OpenBSD and have automated this using a shell script which populates my firewall ruleset with allow rules from those ranges. As you're publishing the IPs in JSON, they require parsing, which I'm using jq for:
```
# Fetch the IPv4 list, then append the IPv6 list, one address per line.
# -f makes curl fail on HTTP errors instead of piping an error page into the table file.
curl -sf https://updown.io/api/nodes/ipv4 | jq -r '.[]' > /etc/pf.updown.io
curl -sf https://updown.io/api/nodes/ipv6 | jq -r '.[]' >> /etc/pf.updown.io
```
The pf.conf side loads that file as a table and allows traffic from it:
```
table <updownio> persist file "/etc/pf.updown.io"
pass in quick on egress from <updownio>
```
Some firewall products come with plugins for that; others' rulesets can be populated using scripting.
-
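As an added example (not code from this thread, from Stefan, or from updown.io): a Python counterpart to the shell script above that validates every published address before it can reach a pf pass rule, and refreshes the table file atomically so a failed or garbled fetch never leaves behind an empty table that would lock all monitors out. The sample payloads are constructed from documentation address ranges (RFC 5737 / RFC 3849) and are not real updown.io nodes; the /api/nodes/ipv6 endpoint is assumed to return the same JSON array-of-strings shape as the /api/nodes/ipv4 one used above.

```python
import ipaddress
import json
import os
import tempfile
import urllib.request

# Endpoints referenced in the thread. The /ipv6 one is assumed to mirror /ipv4:
# a JSON array of address strings.
NODE_URLS = {
    4: "https://updown.io/api/nodes/ipv4",
    6: "https://updown.io/api/nodes/ipv6",
}

# Constructed sample payloads using documentation ranges, with a duplicate,
# a link-local / loopback entry, a wrong-family entry, garbage and a non-string mixed in.
SAMPLE_IPV4 = '["198.51.100.7", "203.0.113.42", "198.51.100.7", "169.254.1.1", "not-an-ip", 12]'
SAMPLE_IPV6 = '["2001:db8::1", "2001:db8::1", "::1", "198.51.100.7", "2001:db8::zz"]'


def parse_node_list(json_text, version):
    """Return the sorted, de-duplicated addresses of one family from an API payload.

    Entries that are not strings, do not parse, belong to the other family, or are
    loopback, link-local, multicast, unspecified or reserved are dropped: this list
    ends up as a firewall pass rule, so nothing reaches it unvalidated.
    (Documentation ranges are deliberately not filtered so the samples can stand in
    for real nodes.)
    """
    data = json.loads(json_text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of addresses")
    keep = set()
    for item in data:
        if not isinstance(item, str):
            continue
        try:
            addr = ipaddress.ip_address(item.strip())
        except ValueError:
            continue
        if addr.version != version:
            continue
        if (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or addr.is_reserved):
            continue
        keep.add(addr)
    return [str(a) for a in sorted(keep)]


def render_pf_table(v4_json, v6_json):
    """Build the contents of the pf table file from both payloads, one address per line."""
    addrs = parse_node_list(v4_json, 4) + parse_node_list(v6_json, 6)
    if not addrs:
        # An empty table would silently block every monitor; refuse to produce one.
        raise ValueError("no usable addresses in node lists")
    return "\n".join(addrs) + "\n"


def fetch_nodes(version, timeout=10):
    """Download one node list; urlopen raises on HTTP/network errors, so no partial data is returned."""
    with urllib.request.urlopen(NODE_URLS[version], timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def write_table_atomically(path, content):
    """Write to a temp file in the same directory and rename it over the old table.

    The live file is only replaced once the new content is complete, so a crash or
    a failed fetch can never leave a truncated or empty table in place.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".pf.updown.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    table = render_pf_table(fetch_nodes(4), fetch_nodes(6))
    write_table_atomically("/etc/pf.updown.io", table)
```

Run it from cron and then reload only that table with `pfctl -t updownio -T replace -f /etc/pf.updown.io`, which swaps the table contents in place without flushing the rest of the ruleset.
-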
Cilex commented
Yes, PFSense accepts it when a DNS query returns multiple AAAA records (https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html). I have no clue about other firewalls, however...