Microsoft Updates Not Progressing
-
@stephenw10 said in Microsoft Updates Not Progressing:
Hmm, so your test was using python mode and it still caused huge delays with that massive list @Gertjan?
Yep, I'm using python mode.
Most of the 'huge file' treatment doesn't change, as pfblockerng still has to download de DNSBL file.
Sort it.
Adding it to the 'main' DNSBL file, while taking care of 'doubles'.
This is done using PHP, and has nothing to with the 'Python mode" which is actually just a set of function used in the resolve process within unbound.PHP isn't famous for it text file parse power ;)
-
@gertjan said in Microsoft Updates Not Progressing:
PHP isn't famous for it text file parse power ;)
Ha! Indeed.
-
@stephenw10 Yeah I am starting to wonder if I have a DNS setup issue cause nothing seems to be work correct. Its not really blocking sites, even adult sites should be blocked regardless of pfblockerng because I am using cloudflares malware and adult site DNS values but they all still go thru. I followed so many different tutorials on DNS over TLS and making sure the devices only get their DNS form pfsense starting to question it.
-
If you have just entered cloudflare DNS in System > General Setup that will only do anything for clients if Unbound is set in forwarding mode. Otherwise it resolves dircetly and ignore those settings.
-
@stephenw10 Like this you mean.
-
@stormgate But I don't have this checked.
-
Yup, like that. In forwarding mode you should usually disable DNSSec also.
You don't need to have Unbound respond to DoT queries internally.
-
@stephenw10 Thanks yes DNSsec is unchecked.
-
@stephenw10 And these are the rules I was told to setup to make this all happen.
-
@stormgate said in Microsoft Updates Not Progressing:
@stormgate But I don't have this checked.
@stormgate said in Microsoft Updates Not Progressing:
@stormgate But I don't have this checked.
Windows 11 Pro might handle DNS over TLS port 853.
Windows 10 : no-go (but you could install an add-in utility).Btw : You only need to encrypt your own local DNS traffic if you do not trust your own wiring ;)
This :
only works if you set up each LAN client individually.
It's TLS - so you can't use a an IP, you need a fqdn, and this fqdn must be part of he certificate unbound uses to initiate the TLS traffic.
Like https..... (which is http over tls). -
Those rules are on LAN I assume?
That will prevent clients using external DNS and DNSoverTLS servers.
A rule with destination 127.0.0.1 can never match anything. Localhost like that is only valid on the host itself. Unless you have already added a port forward to redirect.
Those rules don't block DNSoverHTTPS so clients that use that will get real results.
You are ofetn better off redirecting DNS traffic to pfSense. That way anything hard coded with an external server, like 8.8.8.8, will still be able to resolve:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.htmlSteve
-
@stephenw10 Headed to work and will have a look, too me it didn't look right but not being an expert I took the recommendations on the rules. What is the best method on this device to take when it comes to up a secure DNS environment that works and allows the categories to be blocked correctly. I'll look at that link.
-
@stephenw10 I think I may see the issue, I do have the DNS over TLS NAT rule but I guess I need one for each VLAN, its only only setup on the Default Vlan. But maybe the rules themselves need some work also.
-
@stormgate
Why would you want to use DNS over TLS on the pfSense LAN side & VLAN side ?
You will be one of the first to do so among the pfSense user base, over 100 000 (this is very IMHO).
Again : you will have to configure every LAN/VLAN device ! See [https://en.wikipedia.org/wiki/DNS_over_TLS](https://en.wikipedia.org/wiki/DNS_over_TLS.It can be done of course.
I've installed a Windows 10 Pro DNS-over-TLS client just a couple of days ago.If you want to make your traffic invisible, go for the much simpler VPN tunnel.
Or do you really want to MITM with pfSense ? ;)
-
@gertjan Only because I thought DNS over TLS was a better secure setup, but I have no other reason. I would be prefer to set it up so its reliable and works for everything and yet secure. Would you simply recommend setting up DNS (53) with a some rules? This system is going to be thousands of kms away so I have no margin for error, so the most recommended setup is what I will adhere too. Thanks
-
Category based DNS filtering on the firewall can only be done via pfBlocker like that.
You can block DoH using IP lists in pfBlocker. Obviously that's not 100%
Firefox will look for a specific domain locally and not use DoH if it finds it. But users can still force it to use DoH.
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-httpsSteve
-
@stephenw10 @Gertjan So much help you are giving me, ok I have cleaned up my rules and set everything as DNS(53), cleaned it all up. So DNS over TLS is no longer. Firewall was probably so confused with my rules.
-
@stormgate said in Microsoft Updates Not Progressing:
This system is going to be thousands of kms away so I have no margin for error
So DNS over TLS, locally ( not to be mistaken with DNS over TLS, used by unbound when it is in forwarding mode) is out of the question, as every device that connects to your local networks has to be setup correctly.
It can be done, but you need to be there. -
@gertjan Thanks, yeah I have moved everything back to the conventional DNS and now filtering works pretty good, rules look much better now. Still struggling with this Windows Update issue, they eventually download but it can take days and several retries, I'm at a loss where what exactly is causing the issue. This is a complete stand alone simulated network and everything is brand new. Running 2 stacked Aruba 1960's, the uplink to the Pfsense is using a 10GB connection, the stacks connections are fiber, and when I run a speed test over the internet I get the full speeds according to the package so that all seems right. All PC's are affected whether they are plugged in or over their respective SSID. I wish I had tried this prior to installing any packages like pfblockerng or snort but unfortunately I did not. I am not seeing anything like microsoft.update or anything, alot of IP's are being blocked but nothing I have looked into refers to Microsoft in anyway.
-
So it does seem Snort is the culprit, I actually think my one Windows 11 PC didn't have the issue with updates, however after really disabling and leaving for a bit it does appear that Snort is causing this windows update issue. I removed the package and reinstalled, and setup back up. I'll check it when I get home if updates are now ok. It doesn't seem to be throwing up nearly as many alerts.
