• lifeboy

    (@lifeboy)


    Am I mistaken or are the DNS records for www.ads-software.com incomplete?

    Consider the following:

    $ dig www.ads-software.com A

    ; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> www.ads-software.com A
    ;; QUESTION SECTION:
    ;www.ads-software.com. IN A

    ;; ANSWER SECTION:
    www.ads-software.com. 185 IN A 66.155.40.249
    www.ads-software.com. 185 IN A 66.155.40.250

    ;; Query time: 2 msec
    ;; SERVER: 192.168.121.1#53(192.168.121.1)
    ;; WHEN: Sat Nov 07 10:36:36 SAST 2015
    ;; MSG SIZE rcvd: 74

However, I have a firewall configuration that blocks incoming and outgoing traffic by default (I prefer it that way), so I see traffic being blocked to various addresses when I check for updates, RSS feeds to wordpress.com don’t load, and some more.

A relevant address for example is 66.155.40.186. So,

    $ dig -x 66.155.40.186

    ; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> -x 66.155.40.186

    ;; QUESTION SECTION:
    ;186.40.155.66.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    186.40.155.66.in-addr.arpa. 14400 IN PTR www.ads-software.com.

    ;; Query time: 465 msec
    ;; SERVER: 192.168.121.1#53(192.168.121.1)
    ;; WHEN: Sat Nov 07 10:40:29 SAST 2015
    ;; MSG SIZE rcvd: 71

It’s www.ads-software.com, except the DNS records don’t show this, only the PTR record does.

    All the other records I can look up (www, blog, lb) are simply CNAME records for www.ads-software.com.

Now in pfSense, my firewall, one can create aliases to simplify the creation of rules to allow specific traffic. If I create an alias “all_wordpress”, add www.ads-software.com to the alias, and create a rule to allow “all_wordpress” HTTP and HTTPS traffic out, then all IP addresses associated with www.ads-software.com are allowed out. Nice and efficient.

However, since only 2 IP addresses are returned when querying the www.ads-software.com DNS records, the traffic is still blocked and updates are not possible (and probably a number of other things as well).

Can someone (working for Automattic maybe?) explain what is going on here and either fix this or, if there is a reason for it, tell me how to get a list of the IP addresses that are relevant to allow access to the site. I’m sure there are others that also have properly configured firewalls that would want this information too?

    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    It’s not really Automattic but I’ll take a stab at it.

    *Looks. Adds reminder to ask Otto and others again in December about load balancers if they use them*

    I’m reasonably sure you’ll need to permit the whole 66.155.40.0/24 subnet. At the moment this is what I see.

    ;; QUESTION SECTION:
    ;*.www.ads-software.com.		IN	A
    
    ;; ANSWER SECTION:
    *.www.ads-software.com.	14387	IN	CNAME	www.ads-software.com.
    www.ads-software.com.		587	IN	A	66.155.40.249
    www.ads-software.com.		587	IN	A	66.155.40.250

Unlike CNAME and A records, PTR records have to be a one-to-one match. You’ll never see a reverse lookup work for something that the forward lookup answers for www, lb, make, etc., so each of those IPs will have PTRs for www.ads-software.com.

If you make your pfSense rule work for the 66.155.40.0/24 subnet then you should be alright for a while.

    (Yes, I spot checked dig -x 66.155.40.1 and up. *Drinks more coffee*)

IP addresses aren’t really reliable because they can change and that’s alright. It’s a little over the top, but if you set up a web proxy (Squid) then you can use an ACL on the proxy to permit requests from your web server to *.www.ads-software.com.
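As an added example (not code from the thread or from pfSense), the script below models what a hostname alias actually covers, why an address that only shows up in reverse DNS is still blocked, and why a PTR answer on its own should not be trusted as proof of ownership (forward-confirmed reverse DNS). The FORWARD and REVERSE tables are constructed from the dig output quoted in the thread and stand in for a live resolver so the script runs offline; the function names are this example's own.

```python
"""Added example, not code from the forum thread: models a pfSense-style
hostname alias, shows why it misses addresses that only appear in reverse
DNS, and checks whether a PTR answer is forward-confirmed.

The DNS data below is constructed from the dig output quoted in the thread;
the lookup tables stand in for a real resolver so the script runs offline."""
import ipaddress

# Constructed forward table: hostname -> A records quoted in the thread.
FORWARD = {
    "www.ads-software.com": ["66.155.40.249", "66.155.40.250"],
}

# Constructed reverse table: IP -> PTR target quoted in the thread
# (.186 is the address the update check used; its PTR also says www).
REVERSE = {
    "66.155.40.186": "www.ads-software.com",
    "66.155.40.249": "www.ads-software.com",
    "66.155.40.250": "www.ads-software.com",
}


def alias_networks(hostnames):
    """Model a hostname alias: the /32s the alias expands to at refresh
    time. Only addresses returned by forward lookups are included, which
    is why load-balanced or API-only addresses never make it in."""
    nets = set()
    for host in hostnames:
        for ip in FORWARD.get(host, []):
            nets.add(ipaddress.ip_network(ip))
    return nets


def is_allowed(ip, networks):
    """True if ip falls inside any network (CIDR strings or ip_network objects)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def forward_confirmed(ip):
    """Forward-confirmed reverse DNS: the PTR target must resolve back to ip.
    A PTR alone is not evidence that an address belongs to a host, since
    the reverse zone is controlled by whoever holds the address block."""
    name = REVERSE.get(ip)
    return name is not None and ip in FORWARD.get(name, [])


def covering_supernet(ips):
    """Smallest single CIDR block that contains every given address; a
    starting point for deciding how wide a subnet rule has to be."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(ips[0])  # start at a /32 and widen
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


if __name__ == "__main__":
    alias = alias_networks(["www.ads-software.com"])
    for ip in ("66.155.40.249", "66.155.40.186"):
        print(ip, "alias allows:", is_allowed(ip, alias),
              "/24 allows:", is_allowed(ip, ["66.155.40.0/24"]),
              "FCrDNS:", forward_confirmed(ip))
    print("smallest block covering all addresses seen:",
          covering_supernet(list(REVERSE)))
```

Run it as-is to see that the alias admits .249 and .250 but not .186, that a /24 rule admits all three, and that only .249 and .250 are forward-confirmed. The covering block is deliberately the minimum, so a rule based on it needs re-checking whenever the site's addresses move.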

    Thread Starter lifeboy

    (@lifeboy)

    Thanks, Jan, it seems you’re right about the whole /24, yes.

I try to avoid adding IP addresses to firewalls for exactly the reason that they do change sometimes. The alias feature of pfSense serves one well in this regard, but of course load balancing breaks it, and for a large site like www.ads-software.com I suppose it’s unavoidable.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

A relevant address for example is 66.155.40.186.

That is one of the possible addresses for api.www.ads-software.com, which is where update checks are made.

  • The topic ‘www.ads-software.com ip addresses’ is closed to new replies.