• Squid /ClamAV problem

    2
    0 Votes
    2 Posts
    400 Views
    M

    Sorry, wrong subcategory - I'll post it again.

  • 0 Votes
    1 Posts
    206 Views
    No one has replied
  • pfBlockerNG and DNS

    3
    0 Votes
    3 Posts
    727 Views
    T

    Hello,

    OK, I disable the DNS forwarder and activate the DNS Resolver.
    To use the Unbound DNS Resolver I add a NAT redirect rule from here:
    Netgate Docs redirecting-all-dns-requests-to-pfsense

    My question: the NAT redirect rule creates a LAN rule too, and this rule is automatically below the pfBlockerNG IP rules. Must I move it above, after the Anti-Lockout Rule?

    Do I need the Blocking DNS Queries to External Resolvers rule too?

    Regards
    ThomasD

  • pfBlockerNG-devel DNSBL Cert Error

    2
    0 Votes
    2 Posts
    3k Views
    BBcan177

    See:
    https://www.reddit.com/r/pfBlockerNG/comments/ao98u1/dnsbl_certificate_error/

    and:
    https://www.reddit.com/r/pfBlockerNG/search/?q=certificate&restrict_sr=1

  • .mil, .gov and banks domains lists

    1
    0 Votes
    1 Posts
    190 Views
    No one has replied
  • STUN, public email providers and some feeds from SecOps

    1
    0 Votes
    1 Posts
    260 Views
    No one has replied
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    11 Views
    No one has replied
  • Captive portal taking up to a minute to appear

    6
    0 Votes
    6 Posts
    727 Views
    Gertjan

    @bhjitsense said in Captive portal taking up to a minute to appear:

    Okay.... so what are you saying? I can't use forwarding?

    I'm not saying anything ^^

    I think that text says: use Unbound in resolver mode... but I might be wrong.
    DNSBL works fine for me.

    Btw: by default, Unbound, the resolver, uses the 'core' Internet DNS facilities and this should work as soon as you start pfSense for the first time and activate a WAN connection.
    If that doesn't work for you, your connection is not good.

    I'm not saying you can't use the Forward mode, but I suggest that you test with a (non-modified) basic setup. When it works, you change things step by step. As soon as things stop working, you will know what to undo.

  • 0 Votes
    3 Posts
    476 Views
    T

    Can't tell anymore. I completely removed pfBlockerNG. ☹
    I'll start from scratch when I find time. Thank you.

  • PfBloquer, help with entry locks

    Moved
    2
    0 Votes
    2 Posts
    213 Views
    johnpoz

    Moved your question to the pfblocker section..

    Not sure why this should be a question though... You create an alias, then use it in your rules to either allow or block access to the ports you have open.. It's not something you need a guide for, it's just a basic firewall rule.. Block or Allow.

    I have plex allowed in my rules. I have a list set up that contains US, and Honduras, it also contains known IPs used by plex to test if server is available remotely.. And also included are IPs that test from 3rd party if the port is open - so I can get notified if not available.

    These are the only IPs that are allowed to use the rule, they are the source.

    Above that rule I have a different list (bad actors) because they might be from the US, or Honduras.. So blocked them before they can get to the allow list.

    Remember rules are evaluated top down, first rule to trigger wins.. No other rules are evaluated.. So if you create a rule at the top that blocks who you want to block, then they would never get to your allowed rules..

    You limit your allow rules with a source limit to only allow say US, even though they are not on a specific bad list.. They are not US so they are not allowed. So they will drop through to the default deny.

  • pfblockerng not working for all ip's in the aliases

    3
    0 Votes
    3 Posts
    478 Views
    S

    @rtkluttz said in pfblockerng not working for all ip's in the aliases:

    45.82.152.0/23

    What about pfB_Europe_v4? Do you have anything in there in your WAN Rules?

  • Whitelisting instead of Blacklisting

    1
    0 Votes
    1 Posts
    333 Views
    No one has replied
  • Dnsbl listening port

    2
    0 Votes
    2 Posts
    428 Views
    Gertjan

    Hi,

    No way.
    Just keep the default ports (8081 and 8083).
    Same thing for the Virtual IP default 10.10.10. - except if this IP falls into one of your LANs or other networks.

    Remove the '53' from unbound and be ready to 'break everything' ;)

  • pfBlockerNG security (dynamic firewall rules)

    1
    0 Votes
    1 Posts
    147 Views
    No one has replied
  • DNSBL deny all except whitelisted

    18
    0 Votes
    18 Posts
    3k Views
    NollipfSense

    @PaulMon123 said in DNSBL deny all except whitelisted:

    All I want to do is to block any DNS requests (except ones to specific services) to prevent data leaks using DNS tunneling.

    It seems that most of what I shared was geared to accomplishing this, especially when an IPS/IDS is added to the mix. I take it others have physical access to the "secure environment" or it's a server.

    Data leaks using DNS tunneling are a hot topic, a potential headache, and I am hoping a package with DNS quarantine is coming soon.

  • pfBlockerNG Alias Firewall Rule Question

    16
    0 Votes
    16 Posts
    2k Views
    NollipfSense

    @tman222 Well, I think it would be pfSense that provided the pfBlockerNG widget with the packet info.

  • Thanks from my wife

    7
    1 Votes
    7 Posts
    920 Views
    BBcan177

    Make sure you are using pfBlockerNG-devel which is much improved over the release version.

  • pfB_DNSBLIP_v4 where is its list?

    5
    0 Votes
    5 Posts
    1k Views
    randombits

    OK thanks, I think I get it now. The 'IPv4 Suppression list' is a white list? (clicking the '+' in the deny list)

    Just for clarity, I can see in /var/db/pfblockerng/deny the lists

    and under pfBlockerNG > IP > IPv4 I can see the corresponding lists created from 'feeds'

    But I still don't get where the pfB_DNSBLIP_v4 (DNSBLIP_v4.txt) is created from 😕

  • pfSense pfBlocker and mobile phones apps

    9
    0 Votes
    9 Posts
    2k Views
    bmeeks

    @William-Barni said in pfSense pfBlocker and mobile phones apps:

    @pfSenseTest Hum... ok. Thanks for the answer.

    I need to learn a ton of new tools and to develop rules for them, understand their behavior, just to block youtube.

    YouTube does not want to be blocked ... 😉 . So they make sure it is somewhere between difficult and impossible to block their traffic. Google has gotta have that ad revenue you know ... 😀 .

  • Update custom list with script

    1
    0 Votes
    1 Posts
    144 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.