Netgate Discussion Forum

pfblocker blocking odd requests from pfsense.. i think

Category: pfBlockerNG | 10 Posts, 2 Posters, 1.2k Views
omethe, last edited Mar 17, 2023, 3:42 AM

    Hi,

    I'm getting a lot of blocked dns requests from pfblockerng-devel showing what looks like pfsense making dns requests to domains like these. Why would pfsense be trying to lookup/connect to these kinds of domains? I'm using quad9 for my dns on pfsense and pfblockerng-devel so the ns domains are a puzzle.

    Thanks!!

[screenshot: pfsense.png]

Gertjan, last edited Mar 17, 2023, 7:07 AM

      @omethe

      I'm seeing the same thing.
One thing that might explain this is that I'm using this: Redirecting Client DNS Requests

      As stated over there :

      With this port forward in place, DNS requests from local clients to any external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible

      and the firewall itself == 127.0.0.1

      Btw : I presume you already knew that pfSense will not visit or 'DNS lookup' sites like, for example, bitbucket.org.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

omethe @Gertjan, last edited Mar 17, 2023, 7:16 AM

        @gertjan said in pfblocker blocking odd requests from pfsense.. i think:

I'm not using that; instead I've just got a floating rule blocking all outgoing requests except for pfsense (but I might just institute your setup). I hope pfsense isn't doing this, but I can't seem to find anything pointing toward the source of these requests.

Gertjan @omethe, last edited Mar 17, 2023, 7:28 AM

          @omethe said in pfblocker blocking odd requests from pfsense.. i think:

          I can't seem to find anything pointing toward the source of these requests

          There is a way.
You can prove that pfSense will never visit any marketo dot com or bitbucket dot org by itself.

          Access the console - the real 'comm port' or VGA access.
          You have a switch on your LAN ? Leave it there, and remove all devices from that switch.
          Reboot pfsense with the console.

When it's up, go to the command line and type :
          tail -f /var/log/pfblockerng/dns_reply.log

          and now wait.
          If there are any DNS requests, they are related to pfSense Netgate itself.
          Or pfBlockerng updating its lists.

I'm pretty sure there will be no marketo dot com requests.


omethe @Gertjan, last edited Mar 17, 2023, 8:17 AM

            @gertjan said in pfblocker blocking odd requests from pfsense.. i think:

Ok, so I did a packet capture on port 53 for a while until one of the entries showed up:

            Mar 17 19:01:13 127.0.0.1
            pfsense-01.home.arpa TLD_A
            DNSBL-python | HSTS_A LAN bitbucket.org VXVault
            DNSBL_Malicious2

Had a look at the packet capture and can't see any DNS requests for bitbucket at that time. In fact there were no requests for bitbucket in the capture at all.

            19:00:54.913997 (oui Unknown) > (oui Unknown), ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 64, id 8058, offset 0, flags [none], proto UDP (17), length 93, bad cksum 0 (->4526)!)
            pfsense-01.home.arpa.domain > windows-vm-01.home.arpa.64964: [bad udp cksum 0x164b -> 0x25cf!] 48475 q: A? mclb-gcp.nimbus.bitdefender.net. 1/0/0 mclb-gcp.nimbus.bitdefender.net. A 34.149.211.227 (65)

            19:01:14.099910 (oui Unknown) > (oui Unknown), ethertype IPv4 (0x0800), length 87: (tos 0x0, ttl 64, id 12162, offset 0, flags [DF], proto UDP (17), length 73)
            michael-lt.home.arpa.45362 > pfsense-01.home.arpa.domain: [udp sum ok] 55614+ A? safebrowsing.googleapis.com. (45)

            I'm really not sure where this is coming from?

Gertjan @omethe, Mar 17, 2023, 8:34 AM (last edited by Gertjan Mar 17, 2023, 8:38 AM)

              If nothing is in the local - resolver - dns cache

              I just visited bitbucket dot org with my browser, and saw this :

[screenshot]

              For me, the answer A and AAAA were served from the resolver cache ( aha ?! ).
              I guess I already visited, directly or indirectly, somehow that site .... in the past.

              I do have :

[screenshot]

activated, and my unbound / resolver rarely restarts, so once something is in the DNS cache it will refresh as soon as the TTL becomes zero. That will be the moment that 'pfsense' == 127.0.0.1 == unbound itself will look for bitbucket.org, just to keep the zone info up to date.

              edit :

              Maybe it's a HSTS story.

              [23.01-RELEASE][admin@pfSense.my-local.mess]/usr/local/pkg: grep -R 'bitbucket' *
              pfblockerng/pfb_py_hsts.txt:bitbucket.com
              pfblockerng/pfb_py_hsts.txt:bitbucket.io
              pfblockerng/pfb_py_hsts.txt:bitbucket.org
              

and that checks out : bitbucket.* is on the Chrome HSTS list that is used by pfblockerng :

              Do some reading and clicking here

[screenshot]

              ( Please, don't ask me what HSTS is 😊 )


omethe @Gertjan, Mar 17, 2023, 9:08 AM (last edited by omethe Mar 17, 2023, 9:22 AM)

                @gertjan said in pfblocker blocking odd requests from pfsense.. i think:

Well, I've worked out where bitbucket is coming from: one of my blocklists, APT1_Report, is hosted by bitbucket. But bitbucket is blocked by another list. I've got a few others to sort out.

Gertjan @omethe, Mar 17, 2023, 9:52 AM (last edited by Gertjan Mar 17, 2023, 9:53 AM)

                  @omethe said in pfblocker blocking odd requests from pfsense.. i think:

                  one of my blocklists APT1_Report is hosted by bitbucket. But bitbucket is blocked by another list

                  😰

                  Seen that before : the 'pfBlockerng DNSBL or IP feed' that includes the host names or IP's of the source of other feeds.

                  Now I think about it : take this very known DNSBL feed :

[screenshot]

                  It would be a good 'anti shoot in the foot' thing to warn the pfSense admin that the host :
raw.githubusercontent.com has been blocked on some other DNSBL list - or on its own list 😊
As soon as all the feeds are loaded, the source host name of all feeds, like raw.githubusercontent.com, should be checked to see if it exists in the entire 'global' list, and the user warned if that's the case.


omethe @Gertjan, last edited Mar 17, 2023, 10:00 AM

                    @gertjan said in pfblocker blocking odd requests from pfsense.. i think:

                    or at least have a tickbox option to whitelist the domains of all the feeds added.

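The self-blocking check Gertjan proposes above, plus the feed-host whitelist omethe asks for, as an added example (not pfBlockerNG's own code). Feed URLs and list contents are constructed sample data; the check matches parent domains too, because a DNSBL entry for a domain also sinkholes its subdomains:

```python
"""Cross-check pfBlockerNG feed source hosts against the DNSBL domains
that pfBlockerNG itself has loaded (the 'shoot yourself in the foot' case)."""
from urllib.parse import urlsplit

# Constructed sample data, not real pfBlockerNG configuration: feed name -> URL.
FEEDS = {
    "APT1_Report": "https://bitbucket.org/example-user/apt1/raw/main/domains.txt",
    "VXVault": "http://vxvault.net/URL_List.php",
    "SomeGithubFeed": "https://raw.githubusercontent.com/example/list/main/hosts.txt",
}

# Constructed sample data: DNSBL list name -> domains loaded from that list.
DNSBL = {
    "DNSBL_Malicious2": {"bitbucket.org", "evil.example", "marketo.com"},
    "SomeGithubFeed": {"raw.githubusercontent.com", "bad.example"},
    "VXVault": {"payload.example"},
}

def parent_domains(host):
    """Yield the host and each parent domain with at least two labels,
    e.g. 'api.bitbucket.org' -> 'api.bitbucket.org', 'bitbucket.org'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def feed_host(url):
    return urlsplit(url).hostname or ""

def find_self_blocking_feeds(feeds, dnsbl):
    """Return (feed, host, blocking_list, matched_domain) for every feed
    whose download host would resolve to the DNSBL sinkhole address."""
    hits = []
    for feed, url in feeds.items():
        host = feed_host(url)
        for list_name, domains in dnsbl.items():
            for candidate in parent_domains(host):
                if candidate in domains:
                    hits.append((feed, host, list_name, candidate))
                    break
    return hits

def suggested_whitelist(feeds):
    """Hosts to whitelist so that every configured feed stays downloadable."""
    return sorted({feed_host(u) for u in feeds.values()})

if __name__ == "__main__":
    for feed, host, lst, dom in find_self_blocking_feeds(FEEDS, DNSBL):
        print(f"WARNING: feed {feed} is fetched from {host}, but {dom} is on {lst}")
    print("whitelist:", ", ".join(suggested_whitelist(FEEDS)))
```

With the constructed data the APT1_Report feed is flagged against DNSBL_Malicious2 and the GitHub-hosted feed is flagged against its own list, the two cases the thread describes.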
Gertjan @omethe, last edited Mar 17, 2023, 10:10 AM

                      @omethe

Well, if you add a feed that is hosted 'off-site', somewhere on the internet, I guess you want to be able to resolve that host name, and not get a 0.0.0.0 as an answer ..... if not, what's the point of adding / using that host name in a feed URL 😊


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.