Netgate Discussion Forum

Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?

pfBlockerNG
    Gertjan @sgw
    last edited by Apr 14, 2023, 10:59 AM

    @sgw said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?:

    On a 7100 with 8GB RAM it should be possible, I assume?

    As the newer "6100" : 8G also.
    And yes, I presume.

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

      SteveITS Galactic Empire @sgw
      last edited by Apr 14, 2023, 3:42 PM

      @sgw said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?:

      I wonder if I have to adjust the default settings there also:
      Firewall Maximum States: 811000
      Firewall Maximum Table Entries: 403001

      a few notes...

      OP had another thread...the PHP process memory limit is by default set at 512 MB on amd64 (Intel compatible) and 128 MB on everything else.

      Long ago I picked up somewhere here, IIRC from the package maintainer, to set the table entries at least at 2 million if using pfBlocker. Of course it depends on the number of entries needed so adjust up if necessary.

      There is a long standing bug where the text for the "default" table entry size is whatever number you have typed into the field.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        provels
        last edited by Apr 14, 2023, 7:01 PM

        FWIW, now that I have real hardware, with 16GB and an i7, I thought I'd try loading the UT-1 adult list. Odd that it doesn't even block Pornhub!

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

          Gertjan @provels
          last edited by Gertjan Apr 14, 2023, 10:59 PM Apr 14, 2023, 10:40 PM

          @provels said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?:

          FWIW, now that I have real hardware, with 16GB and an i7, I thought I'd try loading the UT-1 adult list. Odd that it doesn't even block Pornhub!

          This time, it seems to work for me :
          Selected :

          [screenshot]

          A save - Reload - and took some time, and I'm sure it wasn't my new Gbit fiber connection.
          My 4100 went in overdrive mode again.
          Anyway, the process finished, unbound was restarted. Happy end.

          Here it is :

          [screenshot]

          Wt* 4 and a half million entries ....

          Show time :

          [23.01-RELEASE][admin@pfSense.pain-just-pain.hurt]/root: nslookup
          > pornhub.com
          ;; communications error to 127.0.0.1#53: timed out
          Server:         127.0.0.1
          Address:        127.0.0.1#53
          
          Non-authoritative answer:
          Name:   pornhub.com
          Address: 10.10.10.1
          ;; Got SERVFAIL reply from 127.0.0.1, trying next server
          

          Ok, got a 10.10.10.1.

          The last line isn't promising at all.

          [screenshot]

          Ok, no AAAA for porn....

          Last time when I was testing, ifconfig told me that interface lo0, 127.0.0.1 was gone, which is just plain catastrophic.

          I'm removing the adult list, this is just too scary.

          😢 @provels can you please come over here and explain to my wife why I'm posting about this porn site. She doesn't 'trust' my explanation ... (she doesn't read English either).

          edit : You could still visit that site with your browser .... maybe because your browser (and OS, local DNS) didn't need to ask 'pfSense' to resolve the domain. As it already had the answer ....😊
          So that might explain why it still showed up.
          Or your device doesn't use pfSense for DNS ?

          I tested with nslookup on pfSense, after flushing the local unbound dns cache, and tailed /var/log/pfblockerng/dns_reply.log to check if pfblockerng was asked to resolve the site, and what it answered.


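To make the nslookup check described in the post above repeatable, here is an added example (not code from the thread or from pfBlockerNG): it reads an nslookup transcript like the one quoted and reports whether the name was answered with a DNSBL sink address (10.10.10.1 as configured here, or a null address) rather than its real IP, and whether a timeout or SERVFAIL appeared alongside. The sample transcript is constructed, the sink-address set is an assumption, and the `check_domain` helper assumes nslookup is on PATH.

```python
import re
import subprocess
from typing import Dict, List, Set

# Addresses a pfBlockerNG DNSBL answer carries instead of the real IP: the
# package's own web server (10.10.10.1 in this thread) or a null address.
# Assumed set; adjust to the DNSBL VIP configured on the box.
SINK_ADDRS: Set[str] = {"10.10.10.1", "0.0.0.0", "::"}

# Constructed nslookup transcript modelled on the one quoted in the thread.
SAMPLE_NSLOOKUP = """\
> pornhub.com
;; communications error to 127.0.0.1#53: timed out
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   pornhub.com
Address: 10.10.10.1
;; Got SERVFAIL reply from 127.0.0.1, trying next server
"""

def classify_lookup(output: str, sinks: Set[str] = SINK_ADDRS) -> Dict[str, object]:
    """Say whether an nslookup transcript shows the name being sinkholed.

    verdict: 'blocked' if every answer is a sink address, 'resolved' if a
    real address came back (the DNSBL did not match), 'no-answer' otherwise.
    Resolver health is reported separately: as the thread shows, a blocked
    answer can arrive together with a timeout and a SERVFAIL.
    """
    # Only answer lines match; the server line ends in "#53" and is skipped.
    addrs: List[str] = re.findall(r"^Address:\s*([0-9a-fA-F.:]+)\s*$", output, re.M)
    if not addrs:
        verdict = "no-answer"
    elif all(a in sinks for a in addrs):
        verdict = "blocked"
    else:
        verdict = "resolved"
    return {"verdict": verdict, "addresses": addrs,
            "timed_out": "timed out" in output,
            "servfail": "SERVFAIL" in output}

def check_domain(name: str, server: str = "127.0.0.1") -> Dict[str, object]:
    """Query the resolver (unbound on pfSense) with nslookup and classify the
    reply. Assumes nslookup is on PATH; run on the firewall after clearing
    the unbound cache, as done in the post above."""
    proc = subprocess.run(["nslookup", name, server], capture_output=True,
                          text=True, timeout=30)
    return classify_lookup(proc.stdout + proc.stderr)
```

A 'resolved' verdict for a name that should be on the list, or a 'blocked' verdict with timed_out or servfail set, is the signal that the list load or the resolver itself needs attention.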
            provels @Gertjan
            last edited by provels Apr 14, 2023, 11:53 PM Apr 14, 2023, 11:47 PM

            @gertjan Tell her it's just business. Monkey business...

            No, I use pfB and pfS for DNS. I have had the list in effect for about a week, and machines have been rebooted. I'm blocking DoH with several lists, too. Not whitelisted. I think it's the UT1 list... It's only me here so just playing around with lists.
            [screenshot]

            Peder


              Gertjan @provels
              last edited by Apr 15, 2023, 12:19 PM

              @provels
              [screenshot]

              Noop.
              Look for

              [screenshot]


                provels @Gertjan
                last edited by provels Apr 15, 2023, 2:48 PM Apr 15, 2023, 2:47 PM

                @gertjan Oh, sure, there's a bunch of those, but I think www. is what folks think of first on this side or the planet!

                Peder


                  mpfrench
                  last edited by Apr 17, 2023, 3:33 PM

                  To summarize this thread, the answer to the question posed in the title is that the 1100 will not run the DNSBL UT1_Adult.

                  I cannot get my 1100 to load DNSBL UT1_Adult.

                  @sgw cannot get a 3100 to load UT1_Adult.

                  @provels can get UT1_Adult to load on an i7 with 16 GB RAM.

                  @Gertjan can get UT1_Adult to load on a 4100 (4 GB RAM) as well as an i5 with 16 GB RAM.

                  @Gertjan found that UT1_Adult did not block pornhub.com and the list has 4.5M entries.

                  My conclusion is that implementing UT1_Adult is not worth the effort on any hardware. Furthermore, if one wants to block adult content, one should forward DNS queries to a "family" DNS service such as one run by OpenDNS [208.67.220.123, 208.67.222.123] or Cloudflare [1.1.1.3, 1.0.0.3], both of which are quite capable of blocking adult content.

                    provels @mpfrench
                    last edited by Apr 17, 2023, 5:19 PM

                    @mpfrench Certainly applies to the 1100. The 1100 does what it does well, providing basic protection. But 1GB RAM will never go very far. And I've never seen ANY application or OS get smaller with time. But if the resources are there, there's nothing wrong with running it. And other blocklists for adult sites are available. Also, you can create your own custom lists as needed should something be slipping through. And pfB uses deduplication to help minimize the clutter. But those features take resources without a doubt. Fact is, there are probably several dozen either malicious or adult sites created in the time it's taken me to type this. If you want to set/forget, 3rd party DNS is the way to go. But many in this community are gearheads that enjoy tolerate endure accept the maintenance of their environment. Anyway, sounds like you arrived at the right conclusion. Best luck.

                    Peder


                      Gertjan @mpfrench
                      last edited by Apr 18, 2023, 6:07 AM

                      @mpfrench said in Is it Possible to Run the DNSBL UT1_Adult on a Netgate 1100?:

                      @Gertjan found that UT1_Adult did not block pornhub.com and the list has 4.5M entries.

                      Correct. The first time I tried, using dnsbl at the end of (huge) list did resolve to the real IP, not 0.0.0.0 ( I don't forward to 10.10.10.1 = internal pfB web server as https can't be redirected so the browser error will get shown ).
                      I saw that the complete pfBlockerNG reload / force all didn't terminate with a " UPDATE PROCESS ENDED", it just stopped somewhere in the middle, leaving the process in an undefined state.

                      Several days later, I redid the test, it took close to 10 minutes to finish, but it did finish this time. Now, it blocked dnsbl from the UT1 list.

                      Again : using a 4100 with 4 Mbytes of ram.

                      I share your conclusion.

