BIND filter-aaaa
-
https://forum.netgate.com/topic/159016/pfblockerng-devel-v3-0-0_5
@mikekoke said in BIND filter-aaaa:
which domains
Normally : none.
Read https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module -
@gertjan
Need a little help please...I upgraded my pfBlockerNG-devel from a pre-v3 version to 3.0.0_7 this afternoon. I was previously using the no-aaaa script in unbound, and I am now trying to migrate that across to pfBlockerNG-devel. I think I have ticked all the required boxes and I have entered my domain list, but it only seems to work for the domains as entered, and not for any hosts which are part of that domain, i.e. it is as if each line entered is treated like an individual host.
For example, I have entered office.com in the list, and resolution of office.com returns only an IPv4 address, but outlook.ms-acdc.office.com returns both IPv4 and IPv6 addresses. The previous no-aaaa script had "office.com." as the domain, but if I include the last "." in pfBlockerNG-devel it doesn't work at all. Effectively I want IPv4 resolution only for "*.office.com". I presume that is possible in pfBlockerNG-devel?
Thanks
-
@aberdino might be good to post this over on the announcement thread, a lot of minor changes were being patched by the dev fairly quickly as they were reported over there.
https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound
-
@aberdino said in BIND filter-aaaa:
For example, I have entered office.com in the list, and resolution of office.com returns only an IPv4 address, but outlook.ms-acdc.office.com returns both IPv4 and IPv6 addresses. The previous no-aaaa script had "office.com." as the domain, but if I include the last "." in pfBlockerNG-devel it doesn't work at all. Effectively I want IPv4 resolution only for "*.office.com". I presume that is possible in pfBlockerNG-devel?
The upcoming version of pfBlocker, the one after 3.0.0_7 (not yet released, it's upcoming) will do this correctly :
Consider :
( do a Force Update after saving these settings ! - flush local DNS caches)
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host papy-team.org
papy-team.org has address 87.98.136.44
papy-team.org mail is handled by 20 mail2.papy-team.org.
papy-team.org mail is handled by 10 mail.papy-team.org.
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.papy-team.org
www.papy-team.org has address 87.98.136.44
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host pop.papy-team.org
pop.papy-team.org has address 87.98.136.44
So, the domain itself, and all sub domains will be A only.
But - in the case of "www.test-domaine.fr" :
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host test-domaine.fr
test-domaine.fr has address 5.196.43.182
test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
test-domaine.fr mail is handled by 20 mail2.test-domaine.fr.
test-domaine.fr mail is handled by 10 mail.test-domaine.fr.
test-domaine.fr mail is handled by 30 mail.test-domaine.fr.
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.test-domaine.fr
www.test-domaine.fr has address 5.196.43.182
www.test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
Strange !!
Only the sub domain www.test-domaine.fr should be "A" only (no AAAA). The domain itself will return an AAAA (that's ok), but the sub domain listed in the Python no AAAA List "www.test-domaine.fr" - see above - also returns an AAAA !
(note : I'm using the upcoming 0.0._8 version here, not yet released)
I wonder :
.papy-team.org
should block AAAA for the domain and all possible sub (and sub sub etc) domains,
and without the starting dot, like papy-team.org
should block AAAA for the domain - and NOT for the sub domains ?
Remark
- don't know if such a feature is needed.
- The syntax with the starting dot should be inversed ? Like ".papy-team.org" is blocking this domain and all sub domains, and without the starting dot, like "papy-team.org" only that domain without doing the wildcard thing ?
-
@gertjan your suggestion sounds best to me. Make it work exactly like the dnsbl whitelist function, leading "." for all subdomains, otherwise a single record.
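The two list syntaxes being settled on in this thread (a leading "." covers the domain and every subdomain, no leading dot covers that exact name only), written out as an added Python example. This is not pfBlockerNG's or unbound's own code: it is a standalone matcher plus a toy resolver that withholds AAAA records for matching names, so the behaviour aberdino saw with "office.com" versus "outlook.ms-acdc.office.com" and the trailing-dot form "office.com." can be checked offline. The record set and addresses are constructed for the demo (documentation ranges), not the real hosts quoted above.

```python
# Added example (not pfBlockerNG/unbound code): matching rules for a
# no-AAAA list and a toy resolver that applies them. Record data is constructed.
from typing import Iterable, List, Tuple

# Constructed stand-in for what the upstream resolver would answer
# (192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not real hosts).
SAMPLE_ANSWERS = {
    "papy-team.org":        {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "www.papy-team.org":    {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "pop.papy-team.org":    {"A": ["192.0.2.11"], "AAAA": ["2001:db8::11"]},
    "test-domaine.fr":      {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "www.test-domaine.fr":  {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
    "mail.test-domaine.fr": {"A": ["192.0.2.21"], "AAAA": ["2001:db8::21"]},
}


def normalize(name: str) -> str:
    """Canonical form for comparison: lowercase, no trailing dot.

    This makes the FQDN-style "office.com." (as used in the old no-aaaa
    script) equivalent to "office.com".
    """
    return name.strip().rstrip(".").lower()


def parse_entry(entry: str) -> Tuple[str, bool]:
    """Split a list entry into (base name, wildcard flag).

    ".papy-team.org" -> ("papy-team.org", True)   domain and all subdomains
    "papy-team.org"  -> ("papy-team.org", False)  that exact name only
    """
    entry = entry.strip()
    wildcard = entry.startswith(".")
    return normalize(entry.lstrip(".")), wildcard


def entry_matches(qname: str, entry: str) -> bool:
    """True if qname is covered by this single list entry."""
    name = normalize(qname)
    base, wildcard = parse_entry(entry)
    if name == base:
        return True
    # Match on a label boundary: "notpapy-team.org" must not hit ".papy-team.org".
    return wildcard and name.endswith("." + base)


def suppress_aaaa(qname: str, no_aaaa_list: Iterable[str]) -> bool:
    """Should AAAA answers for qname be withheld under this list?"""
    return any(entry_matches(qname, e) for e in no_aaaa_list)


def resolve(qname: str, qtype: str, no_aaaa_list: Iterable[str],
            answers=SAMPLE_ANSWERS) -> List[str]:
    """Toy filtering resolver: the record list a client would receive.

    A suppressed AAAA query gets an empty answer (NOERROR with no data),
    not NXDOMAIN: NXDOMAIN would claim the name does not exist at all, and a
    negatively cached NXDOMAIN could then break the A lookup as well.
    """
    records = answers.get(normalize(qname), {}).get(qtype, [])
    if qtype == "AAAA" and suppress_aaaa(qname, no_aaaa_list):
        return []
    return list(records)


if __name__ == "__main__":
    rules = [".papy-team.org", "www.test-domaine.fr"]
    for name in ("papy-team.org", "pop.papy-team.org", "test-domaine.fr",
                 "www.test-domaine.fr", "mail.test-domaine.fr"):
        print(f"{name:22} A={resolve(name, 'A', rules)} "
              f"AAAA={resolve(name, 'AAAA', rules)}")
```

With the rules `.papy-team.org` and `www.test-domaine.fr` this reproduces the intended outcome from gertjan's test: every name under papy-team.org loses its AAAA, while under test-domaine.fr only the www host does and the apex and mail host keep theirs. The empty-answer (rather than NXDOMAIN) choice is the detail to watch in any filter of this kind, since a client that caches a negative answer for the name would otherwise lose IPv4 as well.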
-
@bruor
Agreed, and thank you both.
-
@aberdino said in BIND filter-aaaa:
@Gertjan and @bruor
I might have spoken too soon, as it's not working now, I'll do some further digging...
Just to close this issue, I'm now on pfSense 2.5.0 with pfBlockerNG-devel 3.0.0_10 and the wildcard AAAA blocking works great. Thank you guys
-
I wanted to add the no-aaaa script again to unbound when I stumbled on this thread, I'm running pfsense plus 22.05 and the latest pfblocker-ng 3.1.0_7. I cannot find the no-aaaa script as a setting in pfblocker-ng as shown by @Gertjan here.
Where can I find these settings for no-aaaa?
-
@nan0tech put pfblocker-ng in python mode under the DNSBL tab, "no AAAA" should be available in the list (has a lightning bolt next to it)
-