Whitelist security.debian.org

I have a firewall with some whitelisted addresses for the kids, one of them is security.debian.org.

The firewall flushes the tables with fresh IP addresses using a scripted cronjob with a nslookup that pulls the addresses and automatically adds them to the whitelist.

Doing a nslookup on the firewall and on the kids boxes provides the same IP addresses for security.debian.org:

# nslookup security.debian.org
Non-authoritative answer:
Name:   security.debian.org
Address: 212.211.132.32
Name:   security.debian.org
Address: 195.20.242.89
Name:   security.debian.org
Address: 212.211.132.250

And those IPs are added to the whitelist. However, when APT is run:

"Could not connect to security.debian.org:http: [IP: 149.20.20.6 80]"

Where does APT get this IP address from?

If from some crazy pool of IPs how is it doing lookup?

Reply to:

Follow-Ups:

Re: Whitelist security.debian.org
- From: David Wright <deblis@lionunicorn.co.uk>
Re: Whitelist security.debian.org
- From: Pascal Hambourg <pascal@plouf.fr.eu.org>