• Deny Outbound for IPv4, DNSBL and GeoIP?

    0 Votes, 2 Posts, 2k Views, BBcan177

    Yes, pfSense is a stateful firewall and the WAN is default deny. When a device on the LAN makes a request outbound, it creates a firewall state, and this state allows the IP to come back through the WAN to your LAN (IPv4).

    So protect the Outbound... and if you open specific ports on the WAN, then you can add rules for those open ports only...

    If you add Deny Both or Deny Inbound, and there are no open ports, then all you're doing is logging all the traffic that is hitting your WAN interface, but it is already being blocked by the default WAN Block rule... So all you're doing is filling your widget and firewall/alerts logs with entries.... Best to actually review what is getting blocked without all the noise...

    The DNSBL IP is used when DNSBL Feeds contain IPs... It collects them and puts them into a firewall rule, as Unbound cannot block on an IP, it blocks via a domain name.

    So follow the same philosophy as above for this also.

  • [RESOLVED] Getting constant alerts/blocks for 255.255.255.255

    0 Votes, 7 Posts, 4k Views, BBcan177

    See here:
        https://forum.pfsense.org/index.php?topic=135257.msg764291#msg764291

  • DNSBL - Certificate error when accessing github.com

    0 Votes, 5 Posts, 2k Views

    @BBcan177:

    What does this command report:

    host -t A github.com

    You can also check if there are any subdomains being blocked.

    grep "github.com" /var/unbound/pfb_dnsbl.conf

    If there are other subdomains listed, you can prepend a "." to the domain in the whitelist and follow that with a Force Reload DNSBL.

    I got the same problem. This fixed the problem with github.
    Thanks!

  • IOS app blocked due to custom rule, forgot why I needed the rule?

    0 Votes, 4 Posts, 452 Views

    @frankvh:

    Looks a lot like this:

    https://forum.pfsense.org/index.php?topic=124945.0

    Reviewing that thread, it definitely seems like I input it for that reason. I modified the rule to specifically have destination 127.0.0.1 and my app works again. That seemed less harsh than modifying the code. Plus, I created the code modification (w/o updating destination in the rule) and it wouldn't let the app function.

    However, it seems to be working fine now, thanks again!

  • Question on pfBlockerNG, IPv4 Alias

    0 Votes, 3 Posts, 1k Views

    Thanks for your help BBcan177.  That explains it!  Sorry for taking so long to respond.

  • Source of IP block

    0 Votes, 3 Posts, 608 Views

    Using the command line, you can search for the domain in PfBlockerNG's DNSBL config:

    grep "SEARCH STRING HERE" /var/unbound/pfb_dnsbl.conf

    For IP, I imagine the same would work for whatever *.conf file holds that.

  • [SOLVED] exception for 192.168.0.0 addresses

    0 Votes, 8 Posts, 2k Views, BBcan177

    The feeds which are included in lvl1:

    A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)

    So instead of using lvl1, find those original feed urls and add those to a new IPv4 alias. The lvl1 feed includes bogons which should not be used to block outbound traffic.

  • Lose ability to access internet with pfBlockerNG?

    0 Votes, 7 Posts, 1k Views, RonpfS

    If you do

    nslookup doubleclick.net
    Serveur :  pfsense.somewhere
    Address:  172.47.18.71
    Nom :    doubleclick.net
    Address:  10.10.10.1

    you should see your pfsense box replying.
    If not, then either your pfSense configuration for the DNS service is incorrect, or your LAN device uses another DNS server for answers.

    Check your device DNS configuration; if you are using Internet Security like AVG, maybe they override DNS resolution. Have a look at
    @BBcan177:

    @xphiles:

    so after much troubleshooting and trying things at the firewall level, I disabled my full AVG protection and it works on the host(s) in question. So I have to granularly figure out which service in AVG is messing up my DNS

    I think this is what you were looking for:
        https://help.avg.com/en/avg_free/17/securityantivirus_securedns.html

    You can configure the pfSense DHCP server to provide the correct DNS/DNSBL server for devices

  • PfblockerNG dnsbl issue

    0 Votes, 7 Posts, 1k Views

    I know it is a pain, but I periodically have gotten pfBlockerNG DNSBL issues. I have resolved it by: making sure "Keep settings" is not checked, then saving, running a cron "Force" reload and then rebooting the firewall. I then uninstall pfBlockerNG and then reinstall... it then works.

    A little harsh but seems to work...

    I am running DNSBL with pfBlockerNG and 2.4.1 and all is working...

  • GeoIP restricted access to OpenVPN

    0 Votes, 4 Posts, 1k Views

    I have very similar setup as you and it works for me. Not really sure. I say double-check everything again.

    Have you tried rebooting the system after making those changes?

  • Losing pfBlockerNG created firewall rules after cron run

    0 Votes, 1 Post, 480 Views
    No one has replied

  • Latency on lookups with DNSBL

    0 Votes, 6 Posts, 712 Views

    I did a little poking around, and my DNS Resolver was set so that Network Interfaces and Outgoing Network Interfaces were both set to "All." I changed Network Interfaces to LAN and Localhost, and Outgoing Network Interfaces to "WAN" and things are MUCH better now. Thanks!

  • Easylist Non English ?

    0 Votes, 2 Posts, 352 Views, BBcan177

    Yes this will be in the next release…

  • Use shalla list in dnsbl

    0 Votes, 1 Post, 876 Views
    No one has replied

  • No new version notification in dashboard

    0 Votes, 3 Posts, 392 Views, Qinn

    https://forum.pfsense.org/index.php?topic=138887.0

    Thanks BBcan177

  • PfBlockerNG v2.1.2_1

    0 Votes, 2 Posts, 3k Views

    @BBcan177:

    I have posted PR#470 for pfBlockerNG v2.1.2_1 for review by the pfSense devs.

    https://github.com/pfsense/FreeBSD-ports/pull/470

    Changelog:

    Switch flock() to try_lock()

    Remove conf_mount_{ro,rw} calls

    Add 'Alias type' rules to states removal feature

    Thank you. I ran the patch files but assume I should still update pfBlockerNG which I will do once available in package manager. (not a complaint) Thank you for the work you do.

  • PfblockerNG not blocking sites on certain hosts on my lan

    0 Votes, 7 Posts, 1k Views, BBcan177

    @xphiles:

    thanks, although I am confused how when I have rules in place to block any other DNS, it still got past it to AVG?

    They do that through an HTTPS (I would hope... and not through HTTP) call back to their domain. So they are stopping DNS hijacking by doing their own DNS hijacking :) lol...

  • PfBlockerNG won't start after 2.4 upgrade

    Locked, 0 Votes, 8 Posts, 2k Views

    you can click on the wrench icon and hide services that you do not wish to see…

    Thank you,  I did not know that

  • Nginx [error] fopen() failed client: 10.10.10.1

    0 Votes, 7 Posts, 776 Views, kklouzal

    Most definitely I'll do that. I thought I'd try here first since it referenced the 10.10.10.1 IP.

    Thank you for your continued support to pfSense <3

  • Pfblocker -> Click to view these packets in Alerts tab ?

    0 Votes, 13 Posts, 1k Views, BBcan177

    If you go to the pfSense firewall log, do you see these alerts?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.