Netgate Discussion Forum

    pfBlockerNG 3 not blocking anything

    • tung2567

      I followed this video https://www.youtube.com/watch?v=luXhXisoWhA
      to block gambling. Strangely, I can still access sites like BetFred.com.
      What am I doing wrong?
      Here are some of my screenshots:
      [four screenshots omitted]

      • Gertjan

        @tung2567 said in pfBlockerNG 3 not blocking anything:

        https://www.youtube.com/watch?v=luXhXisoWhA

        Dunno who that is. The video might be correct of course.

        But, if you want to use or buy a Ford pickup type xyz, why go to jack-agarage-down-town.com for info?
        Why not use the info (videos) from 'those who made it', the authors, as they tend to be well informed. They also are aware of all the pitfalls, and common user errors.

        So, go to YouTube, select the channel Netgate, and have a look at their pfBlockerNG video(s).
        Next best is (my opinion) https://www.youtube.com/@LAWRENCESYSTEMS as he talked a lot about pfBlockerNG - which is of course this version: pfBlockerNG

        [screenshot omitted]

        also known as pfBlockerNG-devel

        and not the ancient "pfBlockerNG".

        @tung2567 said in pfBlockerNG 3 not blocking anything:

        to block gambling. strangely, i can still access sites like BetFred.com

        You showed some settings, but not:
        the feed you've added that contains "BetFred.com".
        Or did you add "BetFred.com" manually?

        BetFred.com can only block what you told it to block.
        As it is very tedious to build lists with thousands of DNSBL entries, pfBlockerNG lets you use lists (feeds) that are built by others (like you and me).

        pfBlockerNG will download all these lists, assemble them into one big list and use that for checking.
        Because you use the older unbound mode, you will see this line on the unbound settings page, in the custom options box:

        [screenshot omitted]

        Knowing that, it takes just a second or two to answer your question.
        Load this file, and see if "BetFred.com" is listed.
        If not, you should use another list/feed that contains BetFred.com,
        or add BetFred.com yourself.
        I did this:

        Here: I have just one DNSBL feed activated:

        [screenshot omitted]

        I clicked on the pencil for 'edit', went to the bottom and saw "DNSBL Custom_List" and added the line shown:

        [screenshot omitted]

        And I hit Save.

        Now, first, a test on pfSense using the console access (GUI DNS test would also work) :

        [22.05-RELEASE][admin@pfSense.mypfsenselannetwork.net]/etc/inc: dig BetFred.com +short
        10.10.10.1
        

        Bingo, BetFred.com is now blocked.

        Or, another method:

        [screenshot omitted]

        Can you find the DNS request where "betfred.com" was handled?
        Click on the big black + sign, fill in some details, and it will be blocked from now on.

        Now, check on your devices if betfred is also blocked.
        If it isn't, then you know that that device does not use 'pfSense' as a DNS server .... you talk to the owner of the PC, or the guy who maintains your network, and ask him why this is the case ;)
        (your device should use pfSense, probably 192.168.1.1, as a DNS server)

        Btw: consider using the Python mode, as you will have more details.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
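To make the "load this file and see if BetFred.com is listed" step repeatable, here is an added example (not code from Gertjan's post, from Netgate or from the pfBlockerNG package): a small POSIX shell script that looks a hostname up in a DNSBL file the way unbound would, walking from the host up through its parent domains. The file format (unbound local-zone/local-data statements) and the four entries are assumptions constructed for this example; to check a real install, point DNSBL_FILE at the file named in your unbound custom options instead.

```shell
#!/bin/sh
# Added example, not from the thread or from pfBlockerNG itself.
# The DNSBL file layout below (unbound "local-zone"/"local-data" statements)
# and its entries are constructed for the example, not a real feed.

DNSBL_FILE=$(mktemp)
trap 'rm -f "$DNSBL_FILE"' EXIT
cat > "$DNSBL_FILE" <<'EOF'
local-zone: "betfred.com" redirect
local-data: "betfred.com A 10.10.10.1"
local-zone: "example-casino.test" redirect
local-data: "example-casino.test A 10.10.10.1"
EOF

# dnsbl_lookup FILE HOSTNAME
# Prints the sinkhole address (the DNSBL VIP) and returns 0 if HOSTNAME or any of
# its parent domains is a redirect zone in FILE; prints nothing and returns 1 otherwise.
dnsbl_lookup() {
    file=$1
    # normalise: lower-case, strip a trailing dot
    name=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    while [ -n "$name" ]; do
        # -F fixed string, -x whole line, -i case-insensitive: no regex escaping needed
        if grep -Fqix "local-zone: \"$name\" redirect" "$file"; then
            # the matching local-data line carries the address the zone redirects to
            grep -Fi "local-data: \"$name " "$file" | awk '{print $NF}' | tr -d '"' | head -n1
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # drop the leftmost label and retry the parent
            *)   name='' ;;           # reached the TLD: nothing matched
        esac
    done
    return 1
}

# Demonstration on constructed names: a hostname under a listed zone, the zone
# itself, a hostname under the second zone, and a name that is not listed.
for host in www.BetFred.com betfred.com mail.example-casino.test example.com; do
    if vip=$(dnsbl_lookup "$DNSBL_FILE" "$host"); then
        echo "$host -> blocked (resolves to $vip)"
    else
        echo "$host -> not in this DNSBL file"
    fi
done
```

The hit for www.betfred.com through the betfred.com zone is why the parent walk matters: feeds list the zone, not every hostname under it. If the lookup finds nothing, the name is simply not in any enabled feed, which is Gertjan's point: add a feed that carries it, or put it in the DNSBL Custom_List.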

        • tung2567 @Gertjan

          @gertjan Yes, I used the Devel version.
          Anyway, I started all over again and made a video for you https://youtu.be/6jGxotdg3lE
          The DNS block list includes all gambling sites. Strange that it can still access any sites.
          Not sure if it matters, but in my DHCP I have DNS blank as seen here:
          [screenshot omitted]

          • SteveITS @tung2567

            @tung2567 Presumably you ran the update process in pfBlocker...

            Next is to test it. On your PC run:
            nslookup BetFred.com pfSense_LAN_ip
            ...and see what it returns.

            Web browsers often use DNS over HTTPS (DoH) today, which bypasses local DNS, so you may need to disable or block that.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!
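The nslookup test above can be scripted so that the two answers that matter (pfSense asked directly, and the PC's own resolver) are compared in one go. This is an added example, not SteveITS's or Netgate's code; it uses dig (as in the console session earlier in the thread) rather than nslookup, and assumes 192.168.1.1 as the pfSense LAN address and 10.10.10.1 as the DNSBL VIP, both taken from this thread but overridable through the environment.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (from the thread, override via
# environment): the pfSense LAN address and the address pfBlockerNG answers with
# for blocked names (the DNSBL VIP).
PFSENSE_DNS=${PFSENSE_DNS:-192.168.1.1}
DNSBL_VIP=${DNSBL_VIP:-10.10.10.1}

# classify ANSWER: what a single A-record answer means
classify() {
    case $1 in
        '')            echo no-answer ;;      # NXDOMAIN, timeout, or CNAME-only
        "$DNSBL_VIP")  echo blocked ;;        # sinkholed by DNSBL
        *)             echo not-blocked ;;    # a real address came back
    esac
}

# diagnose PFSENSE_ANSWER SYSTEM_ANSWER: combine both answers into the next thing to check
diagnose() {
    pf=$(classify "$1")
    sys=$(classify "$2")
    if [ "$pf" = blocked ] && [ "$sys" = blocked ]; then
        echo "OK: DNSBL blocks the name and this host resolves through pfSense"
    elif [ "$pf" = blocked ]; then
        echo "CLIENT-BYPASS: pfSense blocks it but the system resolver does not; check the DNS servers in ipconfig /all and the DHCP DNS option"
    else
        echo "PFSENSE-NOT-BLOCKING: name is not in an enabled feed or DNSBL is not applied; run the pfBlockerNG update and check the DNSBL file"
    fi
}

# first_a SERVER NAME: first IPv4 answer from dig; empty SERVER means the system resolver
first_a() {
    dig +short +time=2 +tries=1 ${1:+"@$1"} "$2" A 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n1
}

# live_check NAME: the actual test; needs dig and network access, so it only runs
# when a name is given on the command line
live_check() {
    pf_ans=$(first_a "$PFSENSE_DNS" "$1")
    sys_ans=$(first_a '' "$1")
    printf 'pfSense (%s) answered: %s\nsystem resolver answered: %s\n' \
        "$PFSENSE_DNS" "${pf_ans:-<none>}" "${sys_ans:-<none>}"
    diagnose "$pf_ans" "$sys_ans"
}

if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

Run it as `sh dnscheck.sh betfred.com` on the client. A CLIENT-BYPASS verdict is the ipconfig /all case discussed later in the thread; when both answers are the VIP and the page still loads, the browser is resolving on its own (DoH), which no DNS-side test can see.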

            • tung2567 @SteveITS

              @steveits
              This is what I get, so it is working then! Right?

              [screenshot omitted]

              I'm using betfred.com and have access to the site as you mentioned...
              [screenshot omitted]

              So how can I set up pfBlocker to block DoH on browsers such as Firefox?
              Also, I don't want pfBlocker working on the IP address range from 192.168.1.40 through 192.168.1.60, meaning these 21 auto-DHCP-assigned machines will have access to the full internet, no filter.

              Meanwhile, my static assigned machines will be filtered.
              Could it be done as seen here?
              [screenshot omitted]

              • SteveITS @tung2567

                @tung2567 Seems like querying 192.168.1.1 yields the block but querying 127.0.0.53 does not [edit: confused threads, sorry], so you need to figure out the DNS setup on your PC and get it to use pfSense.

                Allow/bypass can be done via the "group policy" setting in pfB. I can look at that tomorrow.


                • Gertjan @tung2567

                  @tung2567

                  This:

                  [screenshot omitted]

                  instructs nslookup to look for "BetFred.com" using 192.168.1.1 as the DNS source ('server').
                  192.168.1.1 is your pfSense.
                  The returned address was 10.10.10.1, and that's pretty solid proof pfBlockerNG-devel is working just fine for you.

                  When you use your Firefox, the site "BetFred.com" still showed up: this is solid proof that your browser is not using 192.168.1.1 or pfSense (so not using pfBlockerNG-devel) to do its DNS thing.
                  Your Firefox uses another source.

                  As said several times now: install Google, ask it how to change DNS settings for Firefox, and deactivate its DNS behavior: have it use the 'system' (PC) DNS.
                  Your PC DNS is obtained from pfSense during DHCP negotiation.
                  Even when you do not specify a DNS IP (192.168.1.1) in the DHCP server settings, as you showed above, it will send over one, which is 192.168.1.1 == pfSense !!
                  This is very easy to check:

                  ipconfig /all

                  and you can see what DNS your PC is using.
                  You should see:

                     Serveurs DNS. . .  . . . . . . . . . . : 192.168.1.1

                  And again, yes, there are programs that override this setting, and use their own DNS, like Firefox.

                  If you set this:

                  [screenshot omitted]

                  then you tell your PC to use 8.8.8.8 and 8.8.4.4 as a DNS source.
                  Easy to test.
                  Set these two DNS servers in your DHCP server page, and save.
                  Now, just for the fun, disconnect your PC (remove the cable a moment, or shut down the Wifi, and then reconnect). This will start a DHCP negotiation.

                  Now, launch:

                  ipconfig /all

                  and check what your system DNS is now.
                  Right. You'll be seeing 8.8.8.8 and 8.8.4.4. Great.
                  This means your PC is now bypassing pfSense for all its DNS requests.
                  So it's normal that pfBlockerNG-devel doesn't work.

                  Btw: no joke. Install pfBlockerNG-devel on the DNS servers of Google (8.8.8.8 etc) and now this pfBlockerNG-devel will work for you.
                  Please, tell us how that worked out.

                  Got it?


                  • SteveITS @Gertjan

                    @gertjan said in pfBlockerNG 3 not blocking anything:

                    Firefox

                    DoH may be a factor, however if OP gets the same (not-blocked) result using nslookup (without specifying a server, hence using the PC's configured DNS) then regular DNS is also an issue on that computer.

                    @tung2567 re: bypassing DNSBL...on the DNSBL tab open the "Python Group Policy" section and add IPs there. Of course you'd need to be using Python mode. Remember to add IPv6 if you use IPv6, but realize that many programs obtain temporary IPv6 addresses to obfuscate connections a bit. On Windows "ipconfig" will list those but of course they change over time.


                    • Gertjan @SteveITS

                      @steveits said in pfBlockerNG 3 not blocking anything:

                      then regular DNS is also an issue on that computer.

                      That's why I've asked him to check what the 'system' or 'PC' DNS was.

                      ipconfig /all

                      will tell him.

                      There is also a Windows GUI-show-it-to-me solution:

                      [screenshot omitted]

                      but my Windows is .... French.
                      It does show:
                      Server DNS: 192.168.1.1 (the good old IPv4) and 2001:470:xxxxx:2::1 (the newer IPv6), both are my pfSense LAN.
                      There shouldn't be any 8.8.8.8 here.

                      About my Firefox, version 107.0.1: this should be unchecked:

                      [screenshot omitted]

                      But it doesn't stop there.
                      Many also missed this info: HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox

                      Still, look at this:

                      [screenshot omitted]

                      It's the top-most forum post in the "DHCP and DNS" forum section.
                      Written by some nerd that should know something about the subject.

                      What happens is: people see ...... bla bla ...... enter DNS here .....bla bla
                      They enter the only IP they know out of their head: 8.8.8.8
                      For some, (DNS) fails to work now.
                      The pfSense GUI initial install wizard is - IMHO - wrong.
                      It should NOT ask for any DNS details.
                      Those who need to change the default DNS settings to something else already know why they have to do so - and will be able to do what needs to be done.
                      For the 99.9% others: don't touch; resolving works out of the box.

                      Ok, true, this was known in 2018, and we all knew: this will create issues for many in the future.

                      Sorry for the ramble.


                      • SteveITS @Gertjan

                        @gertjan Rereading, I confused this thread with the other thread we're both in for the same topic. Sorry. :)


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.