No, I don't get that behaviour, at least with iptables 1.8.9 to 1.8.11. I have just checked with "iptables -L". Allowing or rejecting a given FQDN results in iptables generating as many allow or reject rules as the number of results returned by the DNS lookup for that FQDN.

Guido

On Fri, 07/03/2025 at 18.02 +0100, Jan Engelhardt wrote:
> On Friday 2025-03-07 16:46, Guido Trentalancia wrote:
>
> > I can give you a quick example of a hostname which is allocated
> > dynamically in DNS: www.google.com.
> >
> > If you perform:
> >
> > # nslookup www.google.com
> >
> > then you will obtain a different IP address (or different multiple
> > IP addresses) each time you run the command.
> >
> > Given the above, any iptables rule for such kind of host will need
> > to use its FQDN instead of a statically allocated numeric IP address.
>
> In that case of multiple queries returning multiple results (DNS
> round-robin), using hostnames in firewall rules (with or without
> ignoring lookup errors) is even more wrong than before!
>
> Because
>
> -s google.com -j ACCEPT/REJECT
>
> only performs one lookup, it leads to
>
> * accepting _too few_ hosts, meaning you erroneously reject some
> google.com connections in subsequent rules,
> * or rejecting *too few* hosts, meaning you erroneously let some
> connections through in subsequent rules.
>
> So now we've gone from 100% of the time google.com is not reachable
> to randomly failing half the time attempting to load a search page.
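The two behaviours discussed above (iptables expanding an FQDN into one rule per address returned by a single lookup at insertion time, and the resulting partial coverage of a round-robin name) can be checked offline with the following script. It is an added example, not code from the thread or from the iptables project: the rule expansion is a simplified stand-in for what iptables does, the hostname rr.example.test and its six-address pool are constructed, and RotatingResolver is a deterministic replacement for getaddrinfo() so that the result is reproducible.

```python
"""Added example: why an FQDN in an iptables rule only covers the addresses
returned by the one DNS lookup made at insertion time.  Not from the thread;
the resolver and rule expansion are simplified stand-ins for iptables."""
import re
import socket
from typing import Callable, Iterable, List, Set

Resolver = Callable[[str], List[str]]

# Constructed round-robin record for the hypothetical name rr.example.test:
# six addresses from the 203.0.113.0/24 documentation range, of which the
# authoritative server hands out a rotating window per query.
ROUND_ROBIN_POOL = [f"203.0.113.{i}" for i in range(10, 16)]


class RotatingResolver:
    """Deterministic stand-in for getaddrinfo() against a round-robin name:
    each call returns the next window of `window` addresses from the pool."""

    def __init__(self, pool: List[str], window: int = 4) -> None:
        self.pool, self.window, self.calls = pool, window, 0

    def __call__(self, hostname: str) -> List[str]:
        start = (self.calls * self.window) % len(self.pool)
        self.calls += 1
        return [self.pool[(start + i) % len(self.pool)] for i in range(self.window)]


def live_resolver(hostname: str) -> List[str]:
    """Real lookup via getaddrinfo(), as iptables itself does; IPv4 only here."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def expand_hostname_rule(chain: str, hostname: str, target: str, resolve: Resolver) -> List[str]:
    """Mimic `iptables -A CHAIN -s FQDN -j TARGET`: the name is resolved once,
    at insertion time, and one rule per returned address is emitted (which is
    what `iptables -S` shows afterwards)."""
    return [f"-A {chain} -s {addr}/32 -j {target}" for addr in resolve(hostname)]


SOURCE_RE = re.compile(r"-s\s+(\d{1,3}(?:\.\d{1,3}){3})(?:/32)?(?:\s|$)")


def embedded_sources(rules: Iterable[str]) -> Set[str]:
    """Source addresses pinned into iptables-save style rule lines."""
    found: Set[str] = set()
    for line in rules:
        m = SOURCE_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def coverage(rules: Iterable[str], hostname: str, resolve: Resolver) -> float:
    """Share of the addresses a fresh lookup returns that an installed rule
    matches.  1.0 means the rules still cover the name; anything lower is the
    fraction of new connections that falls through to the later rules."""
    pinned = embedded_sources(rules)
    current = resolve(hostname)
    return sum(1 for addr in current if addr in pinned) / len(current)


def simulate(window: int = 4, lookups: int = 3) -> List[float]:
    """Install the rule once, then re-resolve `lookups` times and report coverage."""
    resolve = RotatingResolver(ROUND_ROBIN_POOL, window)
    rules = expand_hostname_rule("OUTPUT", "rr.example.test", "ACCEPT", resolve)
    return [coverage(rules, "rr.example.test", resolve) for _ in range(lookups)]


if __name__ == "__main__":
    for rule in expand_hostname_rule("OUTPUT", "rr.example.test", "ACCEPT",
                                     RotatingResolver(ROUND_ROBIN_POOL)):
        print(rule)
    print("coverage of later lookups (window 4):", simulate(4))
    print("coverage of later lookups (window 3):", simulate(3))
```

With a four-address window over a six-address pool, two of the three later lookups are only half covered; with a three-address window, coverage alternates between nothing and everything, which is the "randomly failing half the time" outcome. To audit a real host, feed the `-A` lines from `iptables-save` to `coverage()` together with `live_resolver`; a value below 1.0 for a name you expected to be fully allowed or blocked means the pinned rules have drifted from what DNS currently answers.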