Netgate Discussion Forum

    Can pfBlocker Sinkhole an Address? Domain Overrides?

    pfBlockerNG
    17 Posts 3 Posters 1.8k Views
    • coffeecup25

      Does pfBlockerNG have a feature similar to the one I am going to describe? If so, how do I implement it?

      I am moving from Pi-hole to pfBlockerNG 3. My Pi-hole is in Ubuntu server in hyper-v on a Windows 10 pro home server. Hyper-V is unstable and sometimes the VM goes down for no apparent reason. I have a failover server and it takes over for Pi-hole when this happens. It's very annoying and happens every couple of months. I have no interest at this time to replace the Windows 10 server with linux. Maybe later.

      I used pfBlockerNG long ago and it was rock solid, just a little harder to configure.

      Pi-hole has one nice feature. I can sinkhole, rather than block an address.

      Sinkholes allow the address to be whitelisted, but redirected to a local made-up IP number that goes nowhere.

      A blocked Roku address can blast a blocker 1000s of times a day easily. I have several Rokus in the house. Roku had the most blocked addresses on the server until I learned about sinkholes.

      1. Whitelist the offending Roku Addresses.
      2. On Local/DNS Records the IP address is entered and associated with an address that will never hit. I use a 192.168.x.x on a different subnet than my home subnet.
      3. That's it. Roku is still blocked, but it thinks everything is OK.

      Roku thinks it phoned home because it didn't detect a block so the DNS flood does not happen. LAN traffic is much lower as a result. It works like a Hosts file redirection. Or so the Pi-Hole documentation says somewhere.

      Does pfBlockerNG have a similar feature? If not, does pfSense have a redirect feature like this one?

      Edit: Domain Overrides in pfSense appear to do what I want, according to something I looked up. Is this correct? (I am also in the process of reinstalling pfSense on a PC I just ordered. I have been using something else for a while so I can't look it up myself at this time.)

      • Bob.Dig (replying to @coffeecup25)

        @coffeecup25 said in Can pfBlocker Sinkhole an Address? Domain Overrides?:

        Edit: Domain Overrides in pfSense appear to do what I want, according to something I looked up. Is this correct?

        No.
        pfBlocker will redirect to 10.10.10.1 or whatever you want. DNS sinkholes operate all the same as far as I know.
        Also what is the difference to you between block and sinkhole?

        • coffeecup25 (replying to @Bob.Dig)

          @Bob-Dig

          Roku is insidious. Several Roku domains will pummel a network if Roku detects a block vs a sinkhole. As I wrote above, in pi-hole one Roku device will have 1000s of attempts to phone home with telemetry if the device detects a blocked domain. It ignores domains that you sinkholed rather than blocked so the network is far less busy. The sinkhole also works as a block but it is essentially a hardcoded block like a hosts file so it's not practical for many domains.

          I have no idea how Roku decides on blocked vs redirected. Perhaps the IP address for the redirect?

          A redirect is exactly what I want. I will try it when the new PC arrives and gets put to use. I'll review the config options in pfBlockerNG to see if it's the equivalent to what I described in pi-hole as a special set-up.

          • coffeecup25 (replying to @Bob.Dig)

            @Bob-Dig

            Sorry, but your suggestion did not work.

            scribe.logs.roku.com is one of the blocked addresses that floods the pfBlockerNG logs. There are others but this is the worst one.

            On Pi-hole I could whitelist the address but aim it down a sinkhole using Pi-Hole's equivalent of a hosts file (see opening post). I want to do the same thing with pfBlockerNG but don't know how.

            What is the pfSense equivalent?

            Edit: I am trying this. Maybe there's a better way.

            1. I put the addresses I want to redirect in an alias.
            2. I created a LAN firewall rule that redirected the alias to a made-up address on 192.168.x.x.
            3. Whitelist the offenders in pfBlockerNG.

            Remember, the goal is to block while making Roku think it's not being blocked. Then it will stop flooding the LAN.

            We'll see.

            • Bob.Dig (replying to @coffeecup25)

              @coffeecup25 First you could delete the VIPs created by pfBlocker and see if this helps you. But they will be recreated by update reload or maybe even at every update.

              • coffeecup25 (replying to @Bob.Dig)

                @Bob-Dig Thanks, but I am looking for something as seamless as I had it with pi-hole.

                I have my new pfSense router installed and working. It's a new 2.5gb i226 Chinese PC. I had a Shuttle DS68U a while ago and replaced it with a TP-Link ER605, which is a nice router. Simple, but it does the job, mostly. I went back to pfSense because I needed failover from Hyper-V Ubuntu Server Pi-Hole. Also, I like having more than 1 admin with pfSense. Pi-hole has a much nicer interface, however.

                Now I have Hyper-V / Pihole failing over into pfBlockerNG. A nice temporary fix.

                I'll configure the new pfSense PC for a while, then build an R&D home server with Linux. If it does the job I need I will replace both Windows home servers and be done with them as too unreliable.

                • Bob.Dig (replying to @coffeecup25)

                  @coffeecup25 said in Can pfBlocker Sinkhole an Address? Domain Overrides?:

                  @Bob-Dig Thanks, but I am looking for something as seamless as I had it with pi-hole.

                  Have you tried Host Overrides? I don't know if they have a higher priority than what pfBlocker does.

                  • coffeecup25 (replying to @Bob.Dig)

                    @Bob-Dig

                    Not Host Overrides yet. I'll look into it. Thanks.

                    Also, I added point 3 above a minute ago. Whitelisting the offenders in pfBlockerNG will hopefully allow the LAN Rule to do the same thing. Sorry.

                    • Bob.Dig (replying to @coffeecup25)

                      @coffeecup25 I just tried it and it worked, for now. No pfBlocker webpage is delivered, a timeout occurs instead. That seems to be what you want.

                      [Screenshot attached: Capture.PNG]

                      • coffeecup25 (replying to @Bob.Dig)

                        @Bob-Dig

                        Thanks a lot. This could be a big deal for all pfBlockerNG users who use Roku and hate all the pollution Roku adds to LAN traffic.

                        • Bob.Dig (replying to @coffeecup25)

                          @coffeecup25 said in Can pfBlocker Sinkhole an Address? Domain Overrides?:

                          who use Roku and hate all the pollution Roku adds to LAN traffic.

                          I never heard of that problem, maybe there are other ways to cope with this.

                          • coffeecup25 (replying to @Bob.Dig)

                            @Bob-Dig

                            A review of your block logs will show lots and lots of calls to a select few Roku addresses. pfBlockerNG logs are not as clear as Pi-hole logs, nor as comprehensive. Pi-hole shows blocked and passed DNS queries. pfBlockerNG only shows blocked, although that should be enough for this purpose.

                            Most people don't care, I assume, if the network works OK. But Pihole's more comprehensive logs show how badly Roku pollutes the LAN. I never saw it until I switched over to Pihole a few years ago.

                            AdGuard Home has nice looking screens, but my short visit to AdGuard Home showed Pihole was more granular, just not as pretty.

                            If I get the Linux servers working (one main home server and one for backup) then Pi-hole should be rock solid compared to using a Hyper-V VM. pfBlockerNG will be for last-line failover. Under Hyper-V, both Pi-hole servers failed and the network went down. Never again. Hyper-V is nice, but Windows makes it too unreliable with all the ads it pushes as it forces unattended reboots.

                            • michmoor (Rebel Alliance, replying to @Bob.Dig)

                              @Bob-Dig yeah. Same.
                              I’ll be honest with you I’ve never had a problem on my LAN blocking Roku telemetry. Nothing is slow. Monitoring shows traffic avg around 120Mb each day. Guess I’m…. Lucky? 🤷🏽

                              Firewall: NetGate,Palo Alto-VM,Juniper SRX
                              Routing: Juniper, Arista, Cisco
                              Switching: Juniper, Arista, Cisco
                              Wireless: Unifi, Aruba IAP
                              JNCIP,CCNP Enterprise

                              • coffeecup25 (replying to @michmoor)

                                @michmoor

                                I agree that the Roku blocked-address flood does not slow things down noticeably. But it's pollution when you can see a list of every address passed or blocked during a set time period. Especially if you have more than 1 Roku device in the house. A large percentage of the entire LAN traffic is a select few Roku blocked addresses for a few seconds all day long. Pi-hole even gives out '1000 dns query warnings' sometimes on my LAN - or at least did until I figured out how to trick Roku. I eliminated about 10,000 queries a day by redirecting a few addresses.

                                However, this flood is not obvious when all you see are blocked addresses. By being able to see passed addresses, and by reducing Roku DNS pollution, I can easily see which ones should be blacklisted individually when problems occur, along with which blocks are way too aggressive.

                                • Bob.Dig (replying to @coffeecup25)

                                  @coffeecup25 You could enable "DNS Reply Logging" in pfBlocker for that.

                                  • coffeecup25 (replying to @Bob.Dig)

                                    @Bob-Dig

                                    Following is my final solution. It appears to work well.

                                    The problem to solve: pfBlockerNG blocked many addresses repetitively. It appears that 80% of the blocks came from 20% of the DNS addresses. I considered that as pollution. Streaming TV is the worst offender.

                                    The objective: Continue blocking these addresses, but take them out of pfBlockerNG so lists show everyone except the usual suspects.

                                    The solution:

                                    1. Identify the polluting DNS addresses and put them in an alias.
                                    2. Create a LAN rule that blocks the addresses in the alias from ever leaving the network.
                                    3. Whitelist the offenders in pfBlockerNG so the LAN rule gets them instead.

                                    Blocking still works very well and pfBlockerNG is bypassed entirely for those addresses.

                                    You must reload DNSBL after these changes for pfBlockerNG to know about them.

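The first step of the solution above, finding the handful of domains that produce most of the blocks, is easy to do by hand for one device but tedious across a whole LAN. The script below is an added example, not code from the thread or from pfBlockerNG: it counts blocked queries per domain over a constructed, simplified "timestamp,client,domain" log (this is not pfBlockerNG's real DNSBL log layout, only a stand-in for one), picks the smallest set of domains that account for 80% of the blocks, and renders them both as alias entries and as Unbound `local-zone`/`local-data` directives, which is the form a DNS sinkhole takes in Unbound (pfSense's resolver). The sinkhole address 192.168.250.1 and the LAN subnet 192.168.1.0/24 are assumed values; the helper refuses a sinkhole address that is public or that sits inside the LAN subnet, matching the thread's advice to point the redirect at an unused private subnet so the client simply times out.

```python
from collections import Counter
import ipaddress

# Constructed sample of blocked-query log lines in a simplified
# "timestamp,client,domain" CSV layout. This is NOT pfBlockerNG's real
# DNSBL log format; it only stands in for one. Only scribe.logs.roku.com
# comes from the thread; the other domains are made up.
SAMPLE_LOG = """\
2024-01-10 08:00:01,192.168.1.20,scribe.logs.roku.com
2024-01-10 08:00:02,192.168.1.20,scribe.logs.roku.com
2024-01-10 08:00:02,192.168.1.21,scribe.logs.roku.com
2024-01-10 08:00:03,192.168.1.20,beacon.example.com
2024-01-10 08:00:04,192.168.1.20,scribe.logs.roku.com
2024-01-10 08:00:05,192.168.1.21,beacon.example.com
2024-01-10 08:00:06,192.168.1.30,ads.example.net
2024-01-10 08:00:07,192.168.1.21,scribe.logs.roku.com
2024-01-10 08:00:08,192.168.1.20,beacon.example.com
2024-01-10 08:00:09,192.168.1.31,tracker.example.org
2024-01-10 08:00:10,192.168.1.20,scribe.logs.roku.com
"""


def count_blocked_domains(log_text):
    """Count blocked queries per domain; malformed lines are skipped, not fatal."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(",")
        if len(parts) != 3:
            continue
        domain = parts[2].strip().lower().rstrip(".")
        if domain:
            counts[domain] += 1
    return counts


def top_offenders(counts, share=0.8):
    """Smallest set of domains (most frequent first) whose blocks together
    reach `share` of all blocked queries: the thread's 80/20 observation."""
    total = sum(counts.values())
    chosen, running = [], 0
    for domain, n in counts.most_common():
        if running >= share * total:
            break
        chosen.append(domain)
        running += n
    return chosen


def alias_entries(domains):
    """One hostname per line, the shape a pfSense alias accepts when pasted."""
    return "\n".join(domains)


def unbound_sinkhole(domains, sink_ip, lan_subnet):
    """Render Unbound local-zone/local-data directives that answer each
    domain with `sink_ip` (assumed values; adjust to your own network).
    The sinkhole must be a private address outside the LAN subnet so the
    client gets an answer but the connection simply times out."""
    ip = ipaddress.ip_address(sink_ip)
    if not ip.is_private:
        raise ValueError("sinkhole address must be private, not %s" % ip)
    if ip in ipaddress.ip_network(lan_subnet, strict=False):
        raise ValueError("sinkhole address must not be inside the LAN subnet")
    lines = []
    for d in domains:
        lines.append('local-zone: "%s." redirect' % d)
        lines.append('local-data: "%s. A %s"' % (d, ip))
    return "\n".join(lines)


if __name__ == "__main__":
    counts = count_blocked_domains(SAMPLE_LOG)
    offenders = top_offenders(counts)
    print("blocked-query counts:", dict(counts))
    print("alias entries:\n" + alias_entries(offenders))
    print("unbound sinkhole config:\n" + unbound_sinkhole(offenders, "192.168.250.1", "192.168.1.0/24"))
```

Run it against the constructed sample and the two domains responsible for 9 of the 11 blocks come out as the alias list; feed it a real export instead and the same ranking tells you which handful of names to whitelist in pfBlockerNG and hand to the LAN rule (or host override). Whichever form you use, reload DNSBL afterwards, as the post above notes.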
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.