Netgate Discussion Forum

    pfBlockerNG-devel Not Blocking Malvertizing on LAN

    pfBlockerNG | 54 Posts, 7 Posters, 3.5k Views
      newUser2pfSense @Gertjan

      @gertjan I read the post you provided. I am forwarding, at least the way I read the entry for the checkbox, "If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup...", because I thought pfSense would use the DNS servers that I want it to use, not my ISP DNS servers, but the ones that I define only. I'm not a big proponent of using Google's DNS servers or my ISP's DNS servers. I'm glad that pfSense gives me a choice. Anyway, maybe I have the incorrect understanding of the language for that checkbox. Here is my DNS Forwarder page. Now I'm a little confused. I don't have it selected so I'm not forwarding?
      DNS Forwarder.png

      Before I uncheck Enable DNSSEC Support, I just want to make sure I understand (remember, I'm no network guru) that the unbound DNS Resolver does DNSSEC already?

        FrankM @Gertjan

        @gertjan

        And then they wonder why we try to block their snooping!

          Gertjan @newUser2pfSense

          @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

          Here is my DNS Forwarder page. Now I'm a little confused. I don't have it selected so I'm not forwarding?

          pfSense contains a forwarder, dnsmasq (the name of the process).
          It's still present and isn't activated by default. You don't need to use the forwarder (and if you do, disable the resolver/unbound first with the top-most check box on its settings page!). See it as an extra possibility to do "DNS".

          Unbound, the resolver can do both. So unbound can resolve, or forward.
          The checkbox discussed above is the main switch between these two functionalities.
          It can resolve, that's why pfSense included it several years ago, and it can do forwarding for those who like to do, have no choice, or whatever.

          @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

          at least the way I read the entry for the checkbox, "If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup...", because I thought pfSense would use the DNS servers that I want it to use, not my ISP DNS servers , but the ones that I define only.

          And you are correct.

          @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

          Before I uncheck Enable DNSSEC Support, I just want to make sure I understand (remember, I'm no network guru) that the unbound DNS Resolver does DNSSEC already?

          See it like this :
          If you want to use DNSSEC you need to use the unbound as a resolver, not a forwarder.
          To answer the question "why is this so?", you need to understand what DNSSEC is and what it isn't.
          Just keep in mind what's easy to remember: DNSSEC needs resolving, not forwarding.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            newUser2pfSense @Gertjan

            @gertjan Maybe I should have asked it like this. Seeing I have Cloudflare DNS servers entered in pfSense to use instead of any others, in Services > DNS Resolver > General Settings, if I uncheck DNS Query Forwarding - Enable Forwarding Mode, will pfSense continue to use the Cloudflare DNS servers I entered or different DNS servers?

            As well, from the below screenshot, apparently if I uncheck Enable Forwarding Mode, the box right below, Use SSL/TLS for outgoing DNS Queries to Forwarding Servers, my DNS queries will no longer be encrypted? Do I have to uncheck that as well or if it remains checked, will my DNS queries still be encrypted?
            DNS Query Forwarding.png

            I did a test with DNS Leak Test dot com [https://www.dnsleaktest.com/]. I found that with the Enable Forwarding Mode checked, this is the result of the Extended Test:
            DNS Leak Test.png

            When I uncheck the Enable Forwarding Mode, the DNS Extended Leak Test shows:
            DNS Leak Test 2.png

              Gertjan @newUser2pfSense

              @newuser2pfsense
              When you use "Cloudflare DNS servers", you are not resolving, but forwarding to an upstream DNS resolver.
              Cloudflare DNS is a resolver.
              Added to that, Cloudflare DNS servers supports DNS over TLS.

              When unbound is in the default resolving mode, TLS, port 853, isn't available, as far as I know; root and TLD servers, and most domain name servers, don't support this mode yet.
              Root servers (13 of them, and all their CDNs over the world) typically only receive "where are/is the DNS = TLD that handles dot com" (if you were asking domain.com). Then a TLD server would handle "where is the domain name server of domain.com" - and finally a domain name server would handle your entire request.

              While TLS isn't available when resolving, DNSSEC is, which means that you can be sure of the received data, that it wasn't spoofed. For those domains that support DNSSEC, that is.

              Btw : supporting TLS while doing resolving means that every server in chain must support TLS. That will need a 100++ fold processing increase load on every server in the chain.

              Cloudflare, Google DNS support TLS, as for them, the DNS service, while you are not paying, they make a revenue out of it, as your data is 'value' to them that can be sold.


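The two posts above map the Resolver checkboxes onto unbound's two modes: no forward-zone means unbound walks root, TLD and authoritative servers itself (where DNSSEC validation lives); a forward-zone for "." means every query goes to the General Setup servers, optionally over TLS on 853. The following is an added illustration written for this thread, not pfSense's own configuration generator or code from any post: it renders the unbound.conf fragment that the three checkboxes amount to and flags combinations that silently do nothing (the TLS box with forwarding off, General Setup servers left in while resolving) or leave queries in the clear. The directive names are real unbound options; the file paths and the cloudflare-dns.com hostname are assumptions. One caveat a practitioner should know: unbound still validates DNSSEC while forwarding provided the forwarder returns the DNSSEC records (1.1.1.1 does); the combination only breaks against upstreams that strip them, which is why the check below warns rather than forbids.

```python
"""Added example written for this thread; not pfSense's own config generator.
Shows what the three Resolver checkboxes amount to in unbound.conf terms and
flags combinations that do nothing or weaken things. Directive names are real
unbound options; file paths and the cloudflare-dns.com hostname are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverSettings:
    forwarding: bool            # "Enable Forwarding Mode"
    dnssec: bool                # "Enable DNSSEC Support"
    tls_upstream: bool          # "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"
    upstreams: tuple = ()       # servers from System > General Setup, e.g. ("1.1.1.1", "1.0.0.1")
    tls_hostname: str = "cloudflare-dns.com"   # assumed; used to verify the DoT certificate


def warnings(s):
    """Settings that silently do nothing, or leave queries in the clear."""
    w = []
    if not s.forwarding and s.tls_upstream:
        w.append("TLS box has no effect: unbound only talks TLS to forwarders, not to root/TLD servers")
    if not s.forwarding and s.upstreams:
        w.append("General Setup DNS servers are unused while resolving; remove them")
    if s.forwarding and not s.upstreams:
        w.append("forwarding mode with no upstream servers defined")
    if s.forwarding and not s.tls_upstream:
        w.append("forwarding on plain port 53: the upstream and everyone on the path sees your queries")
    if s.forwarding and s.dnssec:
        w.append("DNSSEC while forwarding only validates if the upstream passes DNSSEC records through")
    return w


def render(s):
    """unbound.conf fragment equivalent to the settings (illustrative, not pfSense's file)."""
    lines = ["server:", "  port: 53", "  do-ip4: yes"]
    if s.dnssec:
        lines.append('  auto-trust-anchor-file: "/var/unbound/root.key"')   # assumed path
    if s.forwarding and s.tls_upstream:
        lines.append('  tls-cert-bundle: "/etc/ssl/cert.pem"')               # assumed path
    if s.forwarding:
        lines += ["forward-zone:", '  name: "."']
        if s.tls_upstream:
            lines.append("  forward-tls-upstream: yes")
            lines += [f"  forward-addr: {ip}@853#{s.tls_hostname}" for ip in s.upstreams]
        else:
            lines += [f"  forward-addr: {ip}" for ip in s.upstreams]
    # no forward-zone at all: unbound walks root -> TLD -> authoritative itself
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for cfg in (ResolverSettings(False, True, False),
                ResolverSettings(True, True, True, ("1.1.1.1", "1.0.0.1")),
                ResolverSettings(False, True, True, ("1.1.1.1",))):
        print(render(cfg))
        print("\n".join(warnings(cfg)) or "(no warnings)", end="\n\n")
```

The third settings object is the state the original poster ended up in (forwarding off, TLS and DNSSEC on, Cloudflare still listed): it renders a pure resolving config and gets two warnings, which is exactly why the reply later in the thread says to remove 1.1.1.1 and 1.0.0.1 from General Setup.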
                newUser2pfSense @Gertjan

                @gertjan Thanks for all of the explanations. It helps. So I've unchecked Enable Forwarding Mode and kept the other boxes checked such as Enable DNSSEC Support and Use SSL/TLS for outgoing DNS Queries to Forwarding Servers. Hopefully this is OK?

                Interestingly though, I'm still getting a 127.0.0.53 using nslookup.
                Using Firefox on my LAN, email malvertising images are still coming through. Maybe it's a Firefox and Gmail thing?

                On my iPhone, I'm using Apple's native email app. Maybe this is why malvertising is blocked when displayed through this email app when checking my Gmail?

                  Gertjan @newUser2pfSense

                  @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                  and kept the other boxes checked such as Enable DNSSEC Support and Use SSL/TLS for outgoing DNS Queries to Forwarding Servers. Hopefully this is OK?

                  Unbound can't do DNSSEC, as DNSSEC needs resolving, not forwarding.

                  @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                  I'm still getting a 127.0.0.53 using nslookup

                  Running nslookup on which device ?

                  @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                  Using Firefox on my LAN, email malvertising images are still coming through. Maybe it's a Firefox and Gmail thing?

                  Well, Firefox can decide, according to its settings, to do its own DNS, totally bypassing pfSense.
                  Check FF settings.

                  @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                  On my iPhone, I'm using Apple's native email app. Maybe this is why malvertising is blocked when displayed through this email app when checking my Gmail?

                  The iPhone email app probably uses the DNS the iPhone got from pfSense, which is unbound. As unbound uses pfBlockerNG as a filter, now it works.


                    newUser2pfSense

                    @Gertjan
                    When I run nslookup using a host on my LAN is where I get the 127.0.0.53 below:

                    nslookup google.com
                    Server: 127.0.0.53
                    Address: 127.0.0.53#53

                    When I go to pfSense > Diagnostics > Command Prompt and run nslookup, I get the following:

                    Shell Output - nslookup google.com
                    Server: 127.0.0.1
                    Address: 127.0.0.1#53

                    I've checked my Firefox settings and I believe it to be using the correct settings. Hmmm ☹ .

                    So this is where I'm still a bit confused... I left the box DNSSEC checked and I unchecked the box Enable Forwarding Mode.
                    DNSSEC.png
                    DNS Query Forwarding.png

                    Unbound can't do DNSSEC, as DNSSEC needs resolving, not forwarding.

                    If I unchecked Enable Forwarding Mode, is it resolving? If it's not resolving, what do I need to configure and where? What boxes do I need to check? I seem to be missing something here.

                      SteveITS Galactic Empire @bingo600

                      @Gertjan
                      Per an above post 127.0.0.53 is:

                      Linux systemd "DNS Resolver daemon"

                      Hence I had suggested using "nslookup site_name 192.168.1.1" to test a particular site that should be blocked.

                      If it works (is the blocked IP) while forcing the use of 192.168.1.1, then pfBlocker is working as designed.

                      If it does not work using 127.0.0.53 then that daemon is apparently not using 192.168.1.1.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                        Gertjan @newUser2pfSense

                        @newuser2pfsense

                        Linux host ?
                        Type in the magic command that shows what name server it is using :

                        cat /etc/resolv.conf
                        

                        It probably tells you
                        127.0.0.1

                        so you have a process listening on 127.0.0.1:53 that handles DNS for your host.
                        This could be, for example, bind, or dnsmasq, or, why not, unbound.
                        This bind, or dnsmasq, or unbound can:
                        For unbound and bind: resolve - thus completely bypassing pfSense.
                        Or, for bind, dnsmasq, or unbound: forward to your upstream pfSense = 192.168.1.1, or to 8.8.8.8, or whatever. Ask the administrator of your Linux host what he has decided.

                        @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                        If I unchecked Enable Forwarding Mode, is it resolving?

                        Yes, that's the pfSense default setting, resolving.


                          newUser2pfSense @Gertjan

                          @gertjan
                          On pfSense, cat /etc/resolv.conf :

                          Shell Output - cat /etc/resolv.conf
                          nameserver 127.0.0.1
                          nameserver 1.1.1.1
                          nameserver 1.0.0.1

                          On a Linux host on my LAN, cat /etc/resolv.conf :

                          nameserver 127.0.0.53

                          It's good to know that I'm now resolving.

                            Gertjan @newUser2pfSense

                            @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                             Shell Output - cat /etc/resolv.conf
                             That file doesn't tell you if you resolve, or forward.
                             It informs the system about the IP addresses where DNS requests can be sent.

                            @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                            It's good to know that I'm now resolving

                            So you can remove these : 1.1.1.1 1.0.0.1 from System >General Setup > DNS Server Settings

                            On your Linux host : who listens on 127.0.0.53 ?
                            If it is a process called dnsmasq then it forwards to some [ see dnsmasq settings ]
                             If it is bind, then it could do what bind does best: it resolves, which means it completely bypasses pfSense. bind can also be set up to forward to .... whoever you want. Could be pfSense, or some Alphabet company.
                            If it is unbound, .... same thing, look at the settings.


                              newUser2pfSense @Gertjan

                               @gertjan I removed the Cloudflare DNS server IP addresses. I also followed the instructions from this site [https://b3n.org/hijacked-slow-dns-unbound-pfsense/] for setting up unbound on pfSense. It states "Under Services > DHCP Server, set your DNS Server to your pfSense’s LAN IP. As your DHCP clients renew their lease they’ll start using pfSense for DNS." Seeing I have a LAN and WLAN in Services > DHCP Server, do I set each one respectively to each of their DHCP Server addresses as below?

                              LAN
                              LAN DNS Server IP Address.png

                              WLAN
                              WLAN DNS Server IP Address.png

                              I remember when I very first configured pfSense when I knew nothing at all about it and was learning, I had searched for internet access rules because at the time I couldn't reach the internet (I did the search on my cell phone at the time as I recall). For my LAN and WLAN, I read a post from the search and I created 2 rules on both my LAN and WLAN (the image is for my LAN but it's the same on my WLAN):
                              Internet Access Rules.png
                               I'm wondering if these 2 rules have anything to do with the 127.0.0.53?

                              I'm reading on this page [https://medium.com/@davetempleton/setting-up-dns-over-tls-on-pfsense-bd96912c2416] that I should be blocking port 53. I tried doing that by disabling the rule in the image above and I couldn't get to the internet so I had to re-enable it.

                              Interestingly, the DNS resolver listen port is 53:
                              Listen Port.png

                              Now I'm wondering by following the 2 sites I listed above, something may not be configured correctly. I haven't seen any malvertizing blocked using my iPhone's mail app where it was doing it before.

                              @SteveITS I haven't overlooked your response to this being the Linux systemd "DNS Resolver daemon".

                                Gertjan @newUser2pfSense

                                @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                I'm reading on this page [https://medium.com/@davetempleton/setting-up-dns-over-tls-on-pfsense-bd96912c2416] that I should be blocking port 53
                                 Several conditions must be valid when you want to use TLS over DNS.

                                TLS over DNS to a "TLS over DNS capable server (resolver) ": unbound must be in forwarding mode.
                                Select a TLS over DNS capable server, like 1.1.1.1.

                                First, set :

                                da7e9d1f-772b-4bd9-aeef-34f1280dc3cc-image.png

                                Set these two options :

                                3d9116df-2a01-459d-a625-5a451294d9d4-image.png

                                And test, using https://1.1.1.1/help

                                9ccb64a6-f4ee-49ec-8d0a-1526765c98d8-image.png

                                Done

                                To use TLS over DNS on your local network :

                                Activate :

                                a2103fe1-54dc-4115-bfc0-4e0280e5d791-image.png

                                and now visit each device on your network, and make it use DNS over TLS using port 853.

                                For example, out of the box : Windows 10 can't do "TLS over DNS" (you need to install extra software). I've 'heard' that Windows 11 Pro can do it.
                                 My iPhone: dunno, I should look that up. Other phones: never used them.


                                53b80c35-948c-4094-af1d-73e85a252b3a-image.png

                                Great !

                                You've considered using this rule :

                                388479e7-0a37-4a22-b3f9-286a43d879f7-image.png

                                it always works, for everything.

                                 About DHCP server settings :

                                For example, my WLAN network (my captive portal network) :
                                I'm using 192.168.2.1 as a DNS server, like you.

                                eab3311c-e219-4179-9dfd-879c0ee546ec-image.png

                                 I've set 192.168.2.1 for good manners, but I presume we don't even need to do this.
                                 As the DHCP server is set up to run on the 192.168.2.x network, it will include its own IP as the DNS server, as my resolver listens on 192.168.2.1 (I've selected 'All' interfaces on the resolver settings page).


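Two tests recur in this thread: SteveITS's "nslookup site_name 192.168.1.1" to see what the firewall itself answers, and the 1.1.1.1/help check after enabling TLS to the forwarders. Both are the same DNS query carried two different ways, and both can be done without any stub resolver in the way. The block below is an added example written for this thread, not code from any post nor from pfSense or pfBlockerNG. It builds a DNS query by hand, parses the answer (including the AD flag that a validating resolver sets), sends it by plain UDP to the firewall, and sends the same query over TLS on port 853 to 1.1.1.1 with the certificate checked against cloudflare-dns.com, which is what unbound does with the TLS checkbox on and what the #hostname suffix in its forward-addr line is for. Assumptions: 192.168.1.1 is the pfSense LAN address, and 10.10.10.1 is pfBlockerNG's default DNSBL virtual IP, so an A answer of 10.10.10.1 means the name was blocked.

```python
"""Added example written for this thread, not code from the posts or from
pfSense/pfBlockerNG: hand-built DNS queries sent to a server of your choice,
so the OS stub resolver (127.0.0.53) is not involved at all.
query_udp() asks the firewall directly, like `nslookup name 192.168.1.1`;
query_dot() sends the same query over TLS on port 853 to 1.1.1.1, which is
what unbound does with the TLS checkbox in forwarding mode.
Assumptions: 192.168.1.1 is the pfSense LAN address, 10.10.10.1 is
pfBlockerNG's default DNSBL virtual IP, cloudflare-dns.com is the DoT name."""
import random
import socket
import ssl
import struct

DNSBL_SINKHOLE = "10.10.10.1"   # assumed default pfBlockerNG DNSBL VIP


def build_query(name, qtype=1, want_dnssec=False):
    """Return (id, wire) for a recursion-desired query; DO bit via EDNS0 if asked."""
    qid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)
    if want_dnssec:   # OPT RR: root name, type 41, udp size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return qid, msg


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(wire, expected_id):
    """Return rcode, the AD flag (resolver validated with DNSSEC) and the A answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = _read_name(wire, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(wire[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "a": answers}


def query_udp(name, server, port=53, timeout=3.0):
    """Plain UDP/53 to one chosen server, bypassing whatever resolv.conf says."""
    qid, wire = build_query(name, want_dnssec=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS peer closed mid-message")
        buf += chunk
    return buf


def query_dot(name, server="1.1.1.1", hostname="cloudflare-dns.com", timeout=5.0):
    """RFC 7858: TCP framing (2-byte length) inside TLS on 853; the certificate is
    checked against hostname, the job of the #hostname suffix in forward-addr."""
    qid, wire = build_query(name, want_dnssec=True)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(wire)) + wire)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_response(data, qid)


def is_sinkholed(result):
    """True when the answer is pfBlockerNG's DNSBL address, i.e. the name is blocked."""
    return DNSBL_SINKHOLE in result["a"]


if __name__ == "__main__":
    print(query_udp("example.com", "192.168.1.1"))   # what the firewall answers
    print(query_dot("example.com"))                  # what 1.1.1.1 answers over TLS
```

Run query_udp() against a name from one of your DNSBL feeds: a 10.10.10.1 answer from 192.168.1.1 proves pfBlockerNG is working, and if the same name then loads in a browser on that host, the host is not sending its DNS to the firewall. The AD flag is only meaningful from a validating resolver; expect it from unbound in resolving mode with DNSSEC on, and from 1.1.1.1, but never from pfBlockerNG's sinkhole answers, which are synthesised locally.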
                                  newUser2pfSense @Gertjan

                                  @gertjan Ok. So I have everything configured for unbound resolving now -
                                  In System > General Setup > DNS Server Settings, I've removed all DNS server IP addresses.
                                  In Services > DHCP Server > LAN & WLAN tabs > Servers > DNS Servers, I've removed the .1.1 and .2.1 DNS server IP addresses that I listed previously.
                                  In Services > DNS Resolver > General Settings, I have set the below, however, I did not intentionally enable the Python Module - I don't know how it was checkmarked unless pfSense somehow checkmarked it for me for some reason. I'm not sure it should even be checkmarked. Any ideas???
                                  Resolver General Settings.png

                                  When all of these settings were initially set and applied, pfBlockerNG wasn't blocking any iPhone mail app email malvertizing. A pfSense reboot solved that issue. This is back to normal.

                                  For my LAN using Firefox, there must be some setting I'm missing that's allowing the malvertizing through. I'm not sure what that setting would be though.

                                  The one thing I didn't want to do was use my ISP's DNS servers or the Google's DNS servers. That's why I was using Cloudflare DNS servers and forwarding. Cloudflare seems more secure to me. I don't know what Verizon can see with my internet traffic using unbound resolving???
                                  Verizon.png

                                    Gertjan @newUser2pfSense

                                    @newuser2pfsense

                                    Resolver settings :
                                    Clear also the second one :

                                    495b1a3e-bc8a-4866-8122-2916efcefa91-image.png

                                     But harmless, as forwarding wasn't activated.

                                    Set this one :

                                    d2aa875c-03aa-45db-918d-1f6b48cca471-image.png

                                     As static leases don't influence unbound, they are read in when the system boots, or when you add a static lease, which is rare.

                                    @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                    The one thing I didn't want to do was use my ISP's DNS servers

                                    Normally, you don't use the DNS obtained by a WAN DHCP lease, as this settings is unchecked :
                                    85d7e0c0-9e6e-44b9-941f-aece2fd7baee-image.png

                                     If the WAN DHCP lease comes from an upstream ISP router, or if your ISP gives you a WAN DHCP lease, unchecking this option makes pfSense discard those DNS servers.

                                    252ef004-d4d3-4def-9c0e-46e014808d17-image.png

                                     Are you sure? Pool with a dash? ( pool- )

                                    243f97f4-90af-4007-8d18-b68b5ed6a517-image.png

                                    Use the default : Select "All".


                                      newUser2pfSense @Gertjan

                                      @gertjan The pool with a dash (pool-) was me redacting my WAN IP address right after the dash.

                                      I've checked all of my settings we've discussed for unbound resolver in pfSense. My pfSense should be good now.

                                      I'm not sure what Firefox settings should be enabled/disabled for malvertizing to be blocked on my LAN. I may just have to live with it.

                                      I'm still not sure how the Python Module was enabled in the Services > DNS Resolver > General Settings. I didn't enable it. What should I do with this setting?
                                      Python Module.png

                                        Gertjan @newUser2pfSense

                                        @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                        I'm still not sure how the Python Module was enabled in the Services > DNS Resolver > General Settings. I didn't enable it. What should I do with this setting?

                                        It should be set to 'active' (checked).
                                        pfBlockerNG-devel works 'better' when using Python mode.


                                          SteveITS Galactic Empire @newUser2pfSense

                                          @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                          not sure what Firefox settings should be enabled/disabled for malvertizing to be blocked on my LAN

                                          For Firefox specifically see https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_will-users-be-able-to-disable-doh but since nslookup using 127.0.0.53 bypasses the block it would seem that's not Firefox related, and DNS on the computer is bypassing pfSense.

                                          There are also feeds in pfBlocker to block DoH, and a choice on its "DNSBL SafeSearch" tab. I used a feed because I found out the Dish (satellite TV) "on demand" feature uses only DoH even though the rest of the DVR uses DNS, so I had to allow that device out.


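The last few posts come down to one question: is this host's DNS actually reaching the firewall? Two things hide the answer on a Linux desktop. /etc/resolv.conf pointing at 127.0.0.53 means systemd-resolved's stub is in front of everything, and its real upstreams live in /run/systemd/resolve/resolv.conf, not in the file nslookup reports; and Firefox's network.trr.mode decides whether it resolves over DoH on its own, which no firewall DNSBL can see. The block below is an added example written for this thread (not code from the posts, from pfSense or from Mozilla) that audits both: it parses resolv.conf-style text and classifies where queries really go, and reads the trr mode out of a prefs.js. The sample file contents in the test are constructed; the 192.168.1.1 gateway and the file paths are assumptions. Mode 0 is not proof that DoH is off, since Firefox's own rollout can enable it; 5 is the only value meaning the user turned it off, and SteveITS's Mozilla link describes the settings that produce it.

```python
"""Added example for this thread (not from the posts, pfSense or Mozilla): does a
LAN host's DNS actually go to the firewall? Checks resolv.conf (127.0.0.53 means
systemd-resolved's stub is in front, and /run/systemd/resolve/resolv.conf holds
the real upstreams) and Firefox's prefs.js (network.trr.mode decides whether DoH
bypasses the resolver). 192.168.1.1 and the file paths are assumptions."""
import re

GATEWAY = "192.168.1.1"          # assumed pfSense LAN address
SYSTEMD_STUB = "127.0.0.53"
STUB_FILE = "/etc/resolv.conf"
UPSTREAM_FILE = "/run/systemd/resolve/resolv.conf"   # real upstreams behind the stub
TRR_MODES = {0: "off by default (Firefox rollout may still enable DoH)",
             2: "DoH first, native fallback", 3: "DoH only", 5: "off by user choice"}


def parse_resolv_conf(text):
    """Nameserver addresses in order, ignoring comments (# or ;) and other keys."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_host_dns(resolv_text, upstream_text=None):
    """Return (verdict, servers actually used).
    upstream_text is the content of UPSTREAM_FILE; only needed when the stub is in use."""
    servers = parse_resolv_conf(resolv_text)
    if SYSTEMD_STUB in servers:
        real = parse_resolv_conf(upstream_text or "")
        if not real:
            return "stub-unknown-upstream", servers
        if all(s == GATEWAY for s in real):
            return "firewall-via-stub", real        # fine: 127.0.0.53 forwards to pfSense
        return "bypass-via-stub", real              # e.g. DHCP from another router, or hand-set
    if servers and all(s == GATEWAY for s in servers):
        return "firewall", servers
    if any(s.startswith("127.") or s == "::1" for s in servers):
        return "local-resolver", servers            # bind/unbound/dnsmasq on the host; check its config
    return "bypass", servers


def firefox_trr_mode(prefs_js):
    """network.trr.mode from a prefs.js; an absent pref means the default, 0."""
    m = re.search(r'user_pref\("network\.trr\.mode",\s*(\d+)\);', prefs_js)
    return int(m.group(1)) if m else 0


def firefox_bypasses_firewall(prefs_js):
    """Modes 2 and 3 send queries to the DoH URI instead of the OS resolver."""
    return firefox_trr_mode(prefs_js) in (2, 3)


def describe_trr(mode):
    return TRR_MODES.get(mode, f"mode {mode} (reserved/unknown)")


def audit(resolv_text, upstream_text, prefs_js):
    """One report covering both escape routes; returns a dict so callers can act on it."""
    verdict, servers = classify_host_dns(resolv_text, upstream_text)
    mode = firefox_trr_mode(prefs_js)
    return {"os": verdict, "servers": servers, "firefox_trr": mode,
            "firefox_desc": describe_trr(mode),
            "reaches_firewall": verdict in ("firewall", "firewall-via-stub")
                                and not firefox_bypasses_firewall(prefs_js)}


if __name__ == "__main__":
    import glob
    resolv = open(STUB_FILE).read()
    try:
        upstream = open(UPSTREAM_FILE).read()
    except OSError:
        upstream = None
    prefs = ""
    for path in glob.glob("~/.mozilla/firefox/*/prefs.js"):   # assumed profile location
        prefs += open(path).read()
    print(audit(resolv, upstream, prefs))
```

If the verdict is "firewall-via-stub", leave systemd-resolved alone: 127.0.0.53 is merely a local cache in front of pfSense and the permanent-override fix from the askubuntu link is unnecessary. If it is "bypass-via-stub" the host got its DNS from somewhere other than the pfSense DHCP server, which is the case to chase. Either way, a Firefox trr mode of 2 or 3 explains ad images surviving in Gmail on that one browser while the iPhone, which only knows the DHCP-supplied resolver, gets them blocked.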
                                            newUser2pfSense @SteveITS

                                            @Gertjan
                                            Firewall > pfBlockerNG > DNSBL
                                            Unbound python mode.png

                                            Services > DNS Resolver > General Settings
                                            Enable Python Module.png

                                            @SteveITS
                                            Thanks for the response. A little further research has found that my Linux Mint 21 Cinnamon OS has the 127.0.0.53 in the resolv.conf file for whatever reason. I'm trying a fix I found on the interwebs from this URL and it worked:
                                            https://askubuntu.com/questions/1012641/dns-set-to-systemds-127-0-0-53-how-to-change-permanently
                                             I'm now able to get my 192.168.1.1 DNS server IP when running an nslookup. However, it hasn't resolved the issue of removing malvertizing images from my LAN gmail emails.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.