I'm looking for a little clarification regarding the unbound config changes after switching to python mode.
I've noticed that unbound is not started after any pfBlockerNG-devel v3.x.x package update. DNS lookups fail, so I have to manually restart it.
The docs indicate to change the interface to localhost in unbound. I assume it's the "Outgoing Network Interfaces" (now set to "localhost") and not the "Network Interfaces" (currently set to "all") above it.
My DNS settings in General Setup already have localhost configured (Disable DNS Forwarder is unchecked) as one of the upstream DNS servers. Do I keep this config or remove 127.0.0.1?
So... have I made the correct changes? It seems to be working so far, but I want a second opinion via another set of eyes to make sure I've understood the intended setup.
I cannot wait to see how he is going to do the mass import for IPv4 and DNSBL. I hope it's just a simple text doc you can upload, just like you would a backup file in the uBlock extension.
Looking forward to it.
I may have to get some more RAM, lol, I only have 8 GB and I bet doing mass list imports will hit the RAM hard.
It would be really cool if it could automatically update the blocked TLDs based on the Spamhaus statistics (https://www.spamhaus.org/statistics/tlds/) on a regular schedule. I realize that this may be more difficult than it sounds, as I can't seem to find a Spamhaus TLD feed, just a website. But if we don't dream, then it will never happen!
Is it possible to redirect blacklisted domains to a chosen website? (So, other than the internal 10.10.10.1 from the pfBlockerNG/pfSense appliance.)
Before, I used AdGuard Home, which redirected every BL to a pixelserv-tls website. It worked well, and I'd like to reproduce this setup.
@token Those URLs were removed from the Feeds tab because they are offline, discontinued, etc.
Click on the Alias/Group name and it will open the appropriate Alias/Group tab. Delete the URL, Save Settings, and when done, run a Force Update; that should remove the feed from the db/pfblockerng folder. Inspect the logs to find more problems.
What didn't work (well) using unbound is that it reads all these files (the ones you listed): 362 + 111 + 52.207.941 (!!) + 2421 + 300 + 2272 == thousands of lines to be re-parsed at process (re)start.
There are systems that will take tens of seconds (minutes) to do so, and during this time the system goes to 100% and DNS isn't working.
That's why python mode was used: the python module handles the files, unbound just invokes the python "external" script to do the DNSBL business.
IMHO: the so-called "python mode" will be the only one being used in the future. The mode where files are included from the main unbound.conf will be abandoned.
Give it a try ;)
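To make the mechanism in the post above concrete (unbound hands the query to a python script instead of parsing huge include files at every restart), and to show the sinkhole-redirect idea raised earlier in the thread, here is an added illustrative python-module sketch. It is not pfBlockerNG's own script: the entry points and the MODULE_*/RR_*/PKT_*/DNSMessage names are the ones unbound's python module interface injects into such a script, while the sample blocklist, the whitelist entry and the 60-second TTL are assumptions.

```python
# Illustrative unbound python-module sketch (not pfBlockerNG's script).
# unbound injects MODULE_*, RR_*, PKT_*, RCODE_* and DNSMessage into this
# file's globals at load time; they are only referenced inside operate().

# Constructed sample DNSBL file contents (not a real feed).
BLOCKLIST_TEXT = """# comment lines are ignored
ads.example.net
telemetry.example.com
"""
WHITELIST = {"webhook.logentries.com"}  # assumed whitelist entry
SINKHOLE_IP = "10.10.10.1"              # the pfBlockerNG VIP named in the thread

def load_blocklist(text):
    """Parse the list once into a set; include-file mode redoes this on every restart."""
    return {line.strip().lower().rstrip(".") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def is_blocked(qname, blocked, whitelist=frozenset()):
    """Walk from the full name up to the TLD; the most specific list entry wins,
    so a blocked zone also catches its subdomains unless a deeper name is whitelisted."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in whitelist:
            return False
        if candidate in blocked:
            return True
    return False

BLOCKED = load_blocklist(BLOCKLIST_TEXT)  # loaded once, kept in memory

# unbound entry points; unbound itself calls these.
def init(id, cfg):
    return True

def deinit(id):
    return True

def inform_super(id, qstate, superqstate, qdata):
    return True

def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        qname = qstate.qinfo.qname_str  # name with trailing dot
        if qstate.qinfo.qtype == RR_TYPE_A and is_blocked(qname, BLOCKED, WHITELIST):
            msg = DNSMessage(qname, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
            msg.answer.append("%s 60 IN A %s" % (qname, SINKHOLE_IP))  # sinkhole answer
            if not msg.set_return_msg(qstate):
                qstate.ext_state[id] = MODULE_ERROR
                return True
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        qstate.ext_state[id] = MODULE_WAIT_MODULE  # not listed: let the resolver answer
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Only the pure lookup helpers run outside unbound; the redirect target is whatever address you put in SINKHOLE_IP, which is how a custom landing host rather than the default VIP would be served.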
@sweety I am here because I have similar problems. Mine is:
ug(Removed due to SafeSearch conflict)
uk(Removed due to SafeSearch conflict)unicom|university|uno|uol|ups|
uy(Removed due to SafeSearch conflict)
uz(Removed due to SafeSearch conflict)va|vacations|vana|vanguard|
vc(Removed due to SafeSearch conflict)
...so dumb. There's NO CONFLICT! What does that have to do with Firefox's dumb DNS lookup in the browser if it's to be blocked? FFS, these browsers are getting aggressive. So my whitelists aren't working either as a result of this feature.
TLD Whitelist - Missing data | mailchi.mp | No IP found! |
For you to use your Windows DNS servers, you simply need to set up your network like this:
PCs = your Windows DNS servers as their DNS servers
Servers = your pfSense as their DNS server
pfSense = your outside DNS provider like OpenDNS, Google, Quad9, etc.
@cool_corona I reread your post and I understand your point. I guess I don't particularly care "who" is port scanning if they can't get in. I just assume "outside is bad." :) (also I missed that you weren't the OP, from the emailed notification)
As I understand you, your use case is that someone scanning 10000 ports would get blocked before they get to the one open port, whereas if there was only one port open, the LAN instance of Suricata wouldn't detect that as a port scan. It would trigger only if they sent a packet that would be forwarded through the one open port and blocked by the LAN instance. In that case the LAN instance is double-scanning the packets, so I'm not sure there is as much benefit to scanning there? The LAN alerts might still be more useful for finding the LAN IP of outgoing traffic.
Possibly, a way to reduce the double scanning would be to have only the port-scanning rules enabled on WAN?
@srig Hi! The only domain I whitelisted for the Ikea gateway to work was webhook.logentries.com.
But now I got rid of the Ikea gateway. I hate it when a device will not work when you block all the telemetry and "phone-home" domains.
@gmxpt That's awesome to hear. I've been using it for two years now. I found that I was filtering too much. It was like a nice simple DNS request would get to pfBlocker and freak out. So I worked on tuning DNS at a few different levels. I set the pfSense to use OpenDNS. I added the Squid proxy app and it made a big difference. I got rid of a lot of duplicates and unnecessary filter rules, started considering the DNS process as a whole, and took down that roadblock. When I was connected with VPN it got to skip past my configs. I wish I had watched the two Packt Pub video modules first.