
I need to handle on my firewall (Firehol, which is then transformed into iptables) a few dynamic entries. In an ideal world I would use a name (instead of an IP address) which always points to the right IP but this does not work (for good reasons).

In order to keep a stable configuration, I am considering using ipset. (EDIT: for the sake of the example below, let's assume that www.google.com has only one IP at a given time, but which may change)

root@srv ~# ipset create google hash:ip
root@srv ~# ipset add google www.google.com
root@srv ~# ipset list google
Name: google
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 136
References: 0
Number of entries: 1
Members:
216.58.206.228

I can add/delete IPs for the set. This does not solve the problem of updating an IP.

To take the example above, I would like to be able to re-add www.google.com and (if its IP changed), have 216.58.206.228 removed and replaced by its new IP.

This is not the case:

root@srv ~# ipset add google www.google.com
root@srv ~# ipset list google
Name: google
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 184
References: 0
Number of entries: 2
Members:
216.58.206.228
216.58.204.132

Is there a mechanism that allows updating an IP in a set, to match the current resolution of a name?

EDIT: to clarify following some answers: I do not want to solve the problem of a name which has several addresses and cover them all (say, making sure that I have all resolutions for www.google.com). I have a site which has one single IP, but that IP may change.

WoJ

2 Answers


That doesn't seem like the best way to block a web site that has many IP addresses.

Nevertheless, this will work even if you have multiple IP addresses in an ipset list:

Instead of rewriting the same ipset list, create a new list and then ipset swap them.

# Build the new membership in a scratch set, never in the live one.
ipset create temp hash:ip

for address in $(dig a www.google.com +short); do
    ipset add temp "$address"
done

# Exchange the contents of the two sets atomically, then drop the scratch set.
ipset swap temp google
ipset destroy temp
Michael Hampton
  • Thanks - I clarified my question (which is not about blocking sites with multiple IP addresses but ensuring that I always have the current IP for a site which i) has only one IP and ii) this IP may change). The second part of your answer is what I was looking for - hoping that there would be a built-in mechanism for updating (possibly a tuple (ip, name)). – WoJ Aug 02 '18 at 12:39
  • 3
    @WoJ This _is_ the only method of updating that is completely atomic. – Michael Hampton Aug 02 '18 at 12:41
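Added example, not code from Michael Hampton's answer or from the original page: a small POSIX sh helper that turns the create/add/swap/destroy sequence above into one `ipset restore` batch. It adds the two checks a practitioner wants before running this from cron: lines from `dig a NAME +short` that are not IPv4 addresses are skipped (when the name is a CNAME, `dig` prints the alias target before the A records), and when nothing usable resolved the function emits no batch and returns non-zero, so a transient DNS failure can never swap an empty set into the firewall. The set name `google`, the scratch name `google_tmp`, and the resolver output fed in below are assumptions made for the example; nothing touches the kernel unless you pipe the result into `ipset restore` yourself.

```shell
#!/bin/sh
# Added example (not from the original answers). Generates an `ipset restore`
# batch that atomically replaces a hash:ip set with freshly resolved addresses.
# Assumed: set "google" of type hash:ip already exists, IPv4 only, and `dig`
# plus `ipset` are present on the real host.

# is_ipv4 ADDR: returns 0 if ADDR is a dotted quad with octets 0-255, else 1.
# Used to drop CNAME names and junk that `dig +short` may print.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_swap_batch SET RESOLVED: print an `ipset restore` batch that replaces
# the members of SET with the IPv4 addresses in RESOLVED (one per line, as
# printed by `dig a NAME +short`). Prints nothing and returns 1 if no address
# survives filtering, so a failed lookup cannot empty the live set.
build_swap_batch() {
    set_name=$1
    resolved=$2
    tmp="${set_name}_tmp"
    entries=""
    for addr in $resolved; do
        is_ipv4 "$addr" || continue
        entries="${entries}add $tmp $addr
"
    done
    [ -n "$entries" ] || return 1
    printf 'create %s hash:ip\n' "$tmp"
    printf '%s' "$entries"
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$set_name" "$tmp"
}

# Real-host use (kept commented so sourcing this file stays inert):
#   build_swap_batch google "$(dig a www.google.com +short)" | ipset restore
```

`ipset restore` applies the batch line by line and stops at the first error, so if an earlier run was interrupted after its `create`, destroy the leftover `google_tmp` before re-running; the `swap` itself replaces the live set's contents in one step, which is the atomicity the answer relies on.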

Your problem is twofold:

  • your firewall works by blocking/allowing connections to specific IP addresses, ranges of IP addresses and ports. If you configure your firewall with hostnames rather than IP addresses, it will still use IP addresses in its running configuration, namely the IP addresses the hostnames resolved to when the configuration got loaded.

  • Many destinations don't use a single fixed IP address (range) anymore but use things like CDNs, round robin and GEO DNS, anycast etc., and subsequent connections to the same destination DNS name will go to different IP addresses in a (nearly) unpredictable pattern.

Most organisations solve that problem by simply blocking direct internet access entirely and mandating the use of a proxy server. On the proxy server you can easily enforce URL-based access controls and allow access to www.google.co.uk and block access to www.google.de despite the fact that those might (at times) be resolving to the same IP address and despite the fact that the IP address for those may change at random times.

Alternatively, organisations block DNS, only allow the usage of the DNS server they provide and run the hostname white/blacklist at the DNS level. This will for most users be an effective access control, although it is easily circumvented by a skilled operator.

HBruijn
  • Sorry if I was not clear - I clarified my question with an edit. All that you are saying is correct, it is just that my problem is different. I have a site whose name is fixed, but it may be resolved to a different (single) IP with time. This is also not related to security (and users trying to bypass). – WoJ Aug 02 '18 at 12:35