Publish the list of the monitoring nodes via multiple DNS records
When our firewall (PFSense) is given a DNS record (such as monitors.updown.io), it will regularly query this record and turn it into a list of IP addresses - which are allowed to enter our internal network via NAT to query servers.
So if you can set up and update something like monitors.updown.io with the 8 A records to Canada, Los Angeles, Frankfurt... we would have nothing to configure or update on our multiple firewalls 😄
Ok I have created ips.updown.io which will hold all IPv4 and IPv6 for all daemons. Let me know if it's working as expected with PFSense!
> host ips.updown.io
ips.updown.io has address 126.96.36.199
ips.updown.io has address 188.8.131.52
ips.updown.io has address 184.108.40.206
ips.updown.io has address 220.127.116.11
ips.updown.io has address 18.104.22.168
ips.updown.io has address 22.214.171.124
ips.updown.io has address 126.96.36.199
ips.updown.io has address 188.8.131.52
ips.updown.io has IPv6 address 2001:19f0:4400:402e::1
ips.updown.io has IPv6 address 2607:5300:60:4c2f::1
ips.updown.io has IPv6 address 2001:19f0:7001:45a::1
ips.updown.io has IPv6 address 2001:19f0:6001:2c6::1
ips.updown.io has IPv6 address 2001:19f0:5801:1d8::1
ips.updown.io has IPv6 address 2001:19f0:9002:11a::1
ips.updown.io has IPv6 address 2001:41d0:2:85af::1
ips.updown.io has IPv6 address 2001:19f0:6c01:145::1
Ok thanks for the confirmation :)
ips.updown.io works perfect !
Thank you !
Update: it didn't work immediately, I had to change the FQDN to something dummy and change it back to the correct value...
Thanks @Stefan for this comment, I'm sure it'll be helpful to others !
Stefan Schmidbauer commented
I'm running my systems on OpenBSD and have automated this using a shell script which populates my firewall ruleset with allow rules from those ranges. As you're publishing the IPs in JSON, they require parsing, which I'm using jq for.
# table loaded from the generated file; "persist" keeps it alive across rule reloads
table <updownio> persist file "/etc/pf.updown.io"
pass in quick on egress from <updownio>
Some firewall products come with plugins for that; others' rulesets can be populated using scripting.
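As an added illustration of the approach Stefan describes (this is not his script and not updown.io's code), here is a POSIX sh sketch that turns a JSON node list into the pf table file and reloads the table. It assumes jq is installed, that the list is served at an assumed URL, and that the JSON is an object keyed by node id whose values carry "ip" and "ip6" fields (an assumed shape; check the real response before relying on it). The sample JSON is constructed, with one deliberately bogus entry so the validation step has something to reject. Note that the pass rule above admits every port from those addresses; if the monitors only need to reach the checked services, restricting the rule to those ports (for example `proto tcp ... to port { 80 443 }`) narrows the exposure.

```sh
#!/bin/sh
# Added example, not the commenter's script: build a pf table file from
# updown.io's JSON node list and reload the table. Assumes jq is installed.
set -eu

TABLE_FILE=/etc/pf.updown.io
# Assumed URL of the node list (check updown.io's documentation for the real one).
NODES_URL='https://updown.io/api/nodes'

# Constructed sample in the assumed shape: an object keyed by node id whose
# values carry "ip" and "ip6". One entry is deliberately bogus so that the
# validation step below has something to reject.
SAMPLE_JSON='{
  "lg":  {"name": "Los Angeles", "ip": "192.0.2.10", "ip6": "2001:db8:1::1"},
  "fra": {"name": "Frankfurt",   "ip": "192.0.2.20", "ip6": "2001:db8:2::1"},
  "bad": {"name": "Bogus",       "ip": "not-an-ip",  "ip6": null}
}'

# stdin: JSON; stdout: every ip/ip6 value, one per line, nulls dropped.
extract_ips() {
    jq -r 'to_entries[] | .value | (.ip, .ip6) | select(. != null)'
}

# Keep only strings shaped like an IPv4 or IPv6 literal. The feed comes over
# the network and ends up in a firewall allow-list, so never hand its contents
# to pf unchecked. (pfctl would also reject junk, but dropping bad values here
# keeps a single malformed entry from making pfctl refuse the whole file.)
filter_valid() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,7}$' || true
}

# stdin: JSON; stdout: sorted, de-duplicated table contents.
build_table() {
    extract_ips | filter_valid | LC_ALL=C sort -u
}

# Write the table file atomically and tell pf to swap in the new contents
# (-T replace only touches the table, not the rest of the ruleset).
install_table() {
    tmp="$TABLE_FILE.tmp.$$"
    build_table > "$tmp"
    # Refuse to install an empty list: that would silently lock out every monitor.
    [ -s "$tmp" ] || { rm -f "$tmp"; echo "no addresses parsed, keeping old table" >&2; return 1; }
    mv "$tmp" "$TABLE_FILE"
    pfctl -t updownio -T replace -f "$TABLE_FILE"
}

# Offline demonstration on the constructed sample; pass --install (as root,
# with network access) to fetch the live list and update pf instead.
if [ "${1:-}" = "--install" ]; then
    curl -fsS "$NODES_URL" | install_table
else
    printf '%s\n' "$SAMPLE_JSON" | build_table
fi
```

Run it from cron (or rc.local at boot) with `--install`; the table is replaced in place, so the rest of pf.conf never has to be reloaded, and the empty-list guard means a transient fetch failure leaves the previous allow-list untouched rather than cutting the monitors off.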
Yes, PFSense accepts when a DNS query returns multiple AAAA records (https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html). I have no clue about other firewalls, however...