Netgate Discussion Forum
    Not able to block facebook website

    Firewalling
    31 Posts 5 Posters 3.5k Views
      jrey @rajukarthik
      last edited by jrey

      @rajukarthik

      Okay, so in the case of the Netgate the response is coming from Google (8.8.8.8); that response won't go through the DNSBL.

      From the client (a Windows box, it appears) the response is coming from RT-AX3000-4B90 (192.168.50.1). What device is that? If this is your Netgate, share the settings you have for the DNS Resolver.

      You likely just need to reconfigure DNS so that your Netgate is in the line and able to resolve addresses, without the direct responses from other DNS servers. A SERVFAIL will allow the other DNS servers to provide the answer and therefore bypass the DNSBL if they are available.

      Diagnostics -> Command Prompt (enter the following command)

      dig facebook.com
      

      What do you get?

        NogBadTheBad @jrey
        last edited by NogBadTheBad

        @jrey It could be the clients are doing DNS over HTTPS.

        It might be better using pfBlocker, using Facebook's ASN numbers and creating an alias to use in a firewall rule outbound.

        Screenshot 2023-11-22 at 14.50.43.png

        Screenshot 2023-11-22 at 14.50.56.png

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          jrey @NogBadTheBad
          last edited by

          @NogBadTheBad

          Could be, but that wasn't the question, and the plain DNS responses shown thus far are all standard DNS responses.

          On a properly configured system, even if a client asks a specific external server for the answer, the result should be DNSBL:

          @LUBUNTU:~$ dig @8.8.8.8 facebook.com
          
          ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @8.8.8.8 facebook.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23049
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1432
          ;; QUESTION SECTION:
          ;facebook.com.                  IN      A
          
          ;; ANSWER SECTION:
          facebook.com.           60      IN      A       0.0.0.0
          
          ;; Query time: 44 msec
          ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
          ;; WHEN: Wed Nov 22 09:40:41 EST 2023
          ;; MSG SIZE  rcvd: 57
          
          

          So even though dig on the client "thinks" server 8.8.8.8 responded, it did not.

          DNSBL-python,Nov 22 09:29:30,facebook.com,127.0.0.1,HSTS_A,TLD_A,DNSBL_Socials,facebook.com,Socials_custom,+
          
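The check jrey is describing (does the client's dig output show the DNSBL sinkhole answer, a real IP from the expected resolver, or a real IP from some other device?) can be automated. The parser below is an added example, not code from the thread or from pfSense/pfBlockerNG; the sinkholed and pre-block transcripts are copied from this thread, the "bypass" transcript is constructed to look like the OP's case (answer from 192.168.50.1), and 192.168.1.1 is a placeholder for the pfSense LAN address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Address pfBlockerNG's DNSBL answers with in this thread's transcripts.
SINKHOLE_IPS = {"0.0.0.0"}


@dataclass
class DigResult:
    server: Optional[str]                       # IP from the ";; SERVER:" line
    status: Optional[str]                       # rcode from the header, e.g. NOERROR
    answers: List[Tuple[str, int, str, str]]    # (name, ttl, type, rdata)


def parse_dig(text: str) -> DigResult:
    """Pull the answer records and the responding server out of dig's text output."""
    server = status = None
    answers: List[Tuple[str, int, str, str]] = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r";; SERVER: ([^#\s]+)#", line)
        if m:
            server = m.group(1)
        m = re.search(r"status: ([A-Z]+)", line)
        if m and status is None:
            status = m.group(1)
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):
                in_answer = False       # blank line or next section ends the answers
                continue
            parts = line.split()
            if len(parts) >= 5:         # name ttl class type rdata
                answers.append((parts[0], int(parts[1]), parts[3], parts[4]))
    return DigResult(server, status, answers)


def verdict(text: str, expected_resolvers: Set[str], sinkhole: Set[str] = SINKHOLE_IPS) -> str:
    """Classify one dig run from a client's point of view."""
    r = parse_dig(text)
    a_records = [rdata for _, _, rtype, rdata in r.answers if rtype == "A"]
    if a_records and all(ip in sinkhole for ip in a_records):
        return "sinkholed"            # DNSBL is in the path, whatever server dig reports
    if not a_records:
        return "no-answer"
    if r.server in expected_resolvers:
        return "dnsbl-not-applied"    # right resolver, but a real IP: no entry yet, or cached
    return "resolver-bypassed"        # answered by something other than pfSense


# From the thread: client asked 8.8.8.8 directly and still got the DNSBL answer.
DIG_SINKHOLED = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23049
;; ANSWER SECTION:
facebook.com.           60      IN      A       0.0.0.0

;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
"""

# From the thread: pfSense in the path, entry not yet added to the DNSBL.
DIG_REAL = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34996
;; ANSWER SECTION:
facebook.com.           101     IN      A       157.240.229.35

;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
"""

# Constructed: what the OP's client is reported to see, an answer from the Wi-Fi router.
DIG_BYPASS = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
facebook.com.           60      IN      A       157.240.229.35

;; SERVER: 192.168.50.1#53(192.168.50.1) (UDP)
"""

if __name__ == "__main__":
    pfsense = {"192.168.1.1"}   # placeholder LAN address of the pfSense box
    for label, sample, expected in (("jrey @8.8.8.8", DIG_SINKHOLED, pfsense),
                                    ("jrey pre-block", DIG_REAL, {"127.0.0.53"}),
                                    ("constructed OP", DIG_BYPASS, pfsense)):
        print(f"{label}: {verdict(sample, expected)}")
```

Paste the output of `dig facebook.com` from the Diagnostics command prompt and from the client into the samples; `expected_resolvers` is the address the client should be using (the pfSense LAN IP, or the local stub such as 127.0.0.53 when that stub forwards to pfSense). A "sinkholed" result with a foreign server name, as in jrey's transcript, is the sign that pfSense is intercepting the query even though the client asked elsewhere.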
            NogBadTheBad @jrey
            last edited by

            @jrey Not denying that 👍

              JonathanLee
              last edited by JonathanLee

              Other options you can use..

              You can use Snort with an open AppID custom text rule for Facebook and just set it to block.

              Or my favorite, SquidGuard with Squid, and add Facebook to the block list. But Squid is not really recommended because of its level of complexity.

              Make sure to upvote

                Gertjan @rajukarthik
                last edited by Gertjan

                @rajukarthik said in Not able to block facebook website:

                @jrey I tried it but still facebook is accessible. Could you please help

                I can and will help.

                I just tried what has been said in the other thread, notably by BBcan177, author of pfBlockerng.
                As I have pfBlockerng installed, I tried blocking using "ASN".

                I've created :
                17800fc4-a768-45b1-9fdc-d0d48976b77e-image.png

                And saved.
                And reloaded the config.

                I knew "ASN" is just a list of IP networks, so I wasn't surprised to see this :

                101c4d19-08ba-4852-adcb-bfc34542f6d5-image.png

                and it didn't take long.
                You had to be there to believe it: someone was already yelling in the building that "WhatsApp" stopped working.

                Btw: my WhatsApp phone app showed me this:

                20d95f81-a843-45fb-8165-e20c55ea2890-image.png

                So, sorry @rajukarthik I disagree.
                "It works for me ...".
                Please tell us what you did.
                Or check what I did - I've posted images, and happy to post more details.

                edit : and now they come to me ..... I'll better undo this "ASN 32934" blocking fast, as I don't want to sleep in the dog house this evening.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  jrey @Gertjan
                  last edited by

                  Of course blocking the ASN directly will work, but what happens when the OP chooses to add other DNSBL rules or features?

                  Doesn't appear to me from what has been provided that the DNS path is correct and therefore any client will simply bypass whatever other features of DNSBL may be selected (now or in the future) not just facebook.
                  Maybe that's important / maybe not.

                    NogBadTheBad @jrey
                    last edited by NogBadTheBad

                    @jrey said in Not able to block facebook website:

                    Of course blocking the ASN directly will work, but what happens when the OP chooses to add other DNSBL rules or features ?

                    If the OP was trying to block another ASN he could add it to his original pfblocker rule or just create a new alias and new firewall rule.

                    If you look at my example I block multiple ASN numbers.

                    The advantage of using pfBlocker is that it's blocking the destination rather than a lookup of the destination.

                      jrey @NogBadTheBad
                      last edited by

                      @NogBadTheBad

                      You're missing the point, I think -- what if the OP (who said he was new to pfSense) decides he wants to block (say for example ADs) by selecting another DNSBL list.

                      Last I checked ADs basic alone listed some 158,000+ items, are you suggesting that ASN is the only way to go ??? I suspect that is not the case you are trying to make.

                      Having a properly working DNS from client to resolution is critical. But you can certainly block facebook with the ASN and then wait for the next question of "I selected (x y or z) and it doesn't work, can you help me?"

                      Blocking the ASN will certainly work to just block facebook. Just doesn't seem to me to be the underlying question.

                      Just like blocking "facebook.com" isn't all that is required to block Facebook, blocking only their specific ASN doesn't block them entirely either. They, like most, also have IP space that is not directly in their ASN block.

                      Twitter is really good at this (not that Facebook isn't): they have multiple domains that are embedded everywhere that aren't in any of the Twitter registered ASN blocks.

                      None of the solutions is 100%, but surely we must agree that 0% on the dns front is less than ideal. For laughs I just checked one of the known twitter twit spaces and the IP is actually in the ASN for Akamai International.

                      Each to his own.

                        JonathanLee @jrey
                        last edited by

                        @jrey Use Squid Proxy and splice it in transparent mode, install SquidGuard and create a rule to block Facebook's URLs. Any GET request will be blocked from the start. No need for DNS resolving; it simply blocks the URL in the HTTP GET request. I suspect your DNS is being accessed with DoT/DoH (DNS over TLS/HTTPS) and many other experimental protocols. Blocking in the HTTP GET requests is a great way that works 100% of the time. Just make it simple with transparent mode.

                          jrey @JonathanLee
                          last edited by

                          @JonathanLee

                          I think you are directing your response to the wrong person. I don't have any issue with blocking or DoT, DoH or DNS over TLS or blocking any url if or as required.

                          The OP on the other hand stated is just learning pfSense. Do you think that Squid Proxy and splice are the way to direct the OP to start, given that basic DNS traffic flow seems to be a challenge, from what has been provided.

                          But then, on the other hand, do you ever stop for a minute and wonder why your 2100 is so bloated? Or, I think as you put it, "I was bogged down so much I had to go back to the last stable version."

                          Just because you can, doesn't mean you should or even need to.

                          https://forum.netgate.com/topic/184125/23-0-5-1-23-09-issues-sg210max?_=1700684164315

                          Rest assured it is not the device or 23.09. It is likely the laundry list of packages you are running, as listed the thread referenced.

                          I run 30-60 (varies; typical day ~40 (the ARP table currently has 45 entries)) client systems behind a 2100, and although, yes, there has been a slight increase in memory usage with 23.09, it is rarely above a 15% baseline, where under 23.05.1 it was running around 12%.

                          Screen Shot 2023-11-22 at 3.09.58 PM.png

                          Do whatever works for you. Suggesting more bloat likely not a good choice for most people.

                            JonathanLee @jrey
                            last edited by

                            @jrey

                            I was unaware this user is just starting out. This user is having issues blocking items. I simply provided a different package option, just showcasing the other options. Yes, I am still running 23.05.1; it's the most stable version I have seen. 23.29 has response time issues for my 2100 alongside Snort's core dump errors. Keep in mind avg memory utilization for me is 20-30% without ClamAV; per TAC support I was told it runs better without ClamAV. I agree, if DNS blocking is a problem to configure, Squid would be very overwhelming. Snort's AppID would be very simple with use of text rules also; however, Snort on 23.29 does not currently work because of core dumps. It's not just me that has 23.29 issues; some packages like Snort do also. If you run the system in bare bones I am sure 23.29 is fine. Again, I like to push the 2100's limits because it can do it and has been. It might be Snort's core dumps that caused my issues.

                            The 2100 is amazing, the size of it and all it can do... Wait until the Broadcom BCM2712 quad-core Arm Cortex A76 processor is put into something... Bloat will be nil.

                              rajukarthik @jrey
                              last edited by rajukarthik

                              @jrey
                              RT-AX3000-4B90 is my Wi-Fi router. I had accessed the pfSense GUI via VPN yesterday.
                              Now I have connected my laptop to the pfSense LAN directly and am posting the screenshots for your reference.

                              23novpf1.png
                              23novpf2.png 23novpf3.png dig output.png

                              Also, I have disabled the DNS resolver in my pfSense firewall.
                              Screenshots for your reference. dnsresolver.png
                              I also request you to kindly let me know how to add website entries in DNSBL to block them. I feel I have made a mistake in the DNSBL entries too.

                              Thanks and Regards,
                              Karthik

                                Gertjan @rajukarthik
                                last edited by

                                @rajukarthik said in Not able to block facebook website:

                                Also I have disabled DNS resolver in my PFsense firewall.

                                Then who is doing the DNS for your networks?
                                Disabling the resolver also disables pfBlockerng.

                                Things get even better :

                                567af325-19a5-41b1-b8fb-d7243d1052d5-image.png

                                In the top of the image you can see that 192.168.3.3 was answering (port 53 == DNS) over UDP.

                                But unbound was stopped ?!?

                                Who is 192.168.3.3 ?


                                This :

                                a2438a3d-4ef4-4845-90cc-68a1bfaecfff-image.png

                                can be explained.
                                If 'facebook.com' was resolved once in the past, the resolver keeps the result in its local DNS cache for 'some time' (ok, true: "300" or 5 minutes ... depending on your unbound settings).
                                Once in the cache, pfBlockerng can't help you anymore: unbound (resolver) will reply directly out of its cache, hence the very fast "3 ms" answer time.
                                If facebook.com wasn't present in the resolver cache, the resolver will resolve, and this resolving will get parsed by 'pfBlockerng' ..... and thus blocked.

                                General advice: when you handle 'DNS stuff', on your PC:

                                ipconfig /flushdns
                                

                                as your PC is also doing DNS caching.

                                On pfSense, for good manners : stop and start unbound - the resolver, from the dashboard GUI. This will flush the pfSense resolver DNS cache.

                                  rajukarthik @Gertjan
                                  last edited by rajukarthik

                                  @Gertjan Actually 192.168.3.3 is my Cisco router. I have configured the pfSense firewall after the Cisco router.
                                  I have configured 8.8.8.8 and 4.2.2.2 as DNS servers in the Cisco router.
                                  I have cleared the cache but no luck.

                                  I want to block all social media websites, OTTS and torrents (A big list).

                                    rajukarthik @jrey
                                    last edited by

                                    @jrey could you please help me to configure dnsbl to block websites.

                                      jrey @Gertjan
                                      last edited by jrey

                                      @Gertjan said in Not able to block facebook website:

                                      can be explained.
                                      if 'facebook.com' was resolved ones in the past, the resolver keeps the result

                                      Not entirely true at the resolver side. Why?
                                      DNSBL - TLD setup as originally described.

                                      so with nothing in place

                                      • dns lookup facebook.com (you should get the IP)
                                      • then add facebook.com to the list
                                      • for it or any DNSBL list to work, you either have to wait for the next cron job cycle, OR, as is most recommended, Force reload the DNSBL; that restarts the resolver during that process.
                                      x@LUBUNTU:~$ date
                                      Thu 23 Nov 2023 07:09:55 AM EST
                                      x@LUBUNTU:~$ dig facebook.com
                                      
                                      ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> facebook.com
                                      ;; global options: +cmd
                                      ;; Got answer:
                                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34996
                                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                      
                                      ;; OPT PSEUDOSECTION:
                                      ; EDNS: version: 0, flags:; udp: 65494
                                      ;; QUESTION SECTION:
                                      ;facebook.com.                  IN      A
                                      
                                      ;; ANSWER SECTION:
                                      facebook.com.           101     IN      A       157.240.229.35
                                      
                                      ;; Query time: 40 msec
                                      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
                                      ;; WHEN: Thu Nov 23 07:10:00 EST 2023
                                      ;; MSG SIZE  rcvd: 57
                                      
                                      *** here I added facebook.com to list and reloaded DNSBL
                                      
                                      x@LUBUNTU:~$ date
                                      Thu 23 Nov 2023 07:11:51 AM EST
                                      x@LUBUNTU:~$ dig facebook.com
                                      
                                      ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> facebook.com
                                      ;; global options: +cmd
                                      ;; Got answer:
                                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59990
                                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                      
                                      ;; OPT PSEUDOSECTION:
                                      ; EDNS: version: 0, flags:; udp: 65494
                                      ;; QUESTION SECTION:
                                      ;facebook.com.                  IN      A
                                      
                                      ;; ANSWER SECTION:
                                      facebook.com.           60      IN      A       0.0.0.0
                                      
                                      ;; Query time: 40 msec
                                      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
                                      ;; WHEN: Thu Nov 23 07:11:59 EST 2023
                                      ;; MSG SIZE  rcvd: 57
                                      
                                      

                                      No cache flush performed on the client, just added the entry and reloaded the DNSBL

                                      On pfSense, for good manners : stop and start unbound - the resolver,

                                      No need: the cron job (if you wait) or the force reload (if you want results now) does this for you (and is way faster than anyone can navigate to the menu and do it manually).

                                      The appropriate log file reveals:

                                      Saving DNSBL statistics... completed [ 11/23/23 07:11:36 ]
                                      Reloading Unbound Resolver (DNSBL python).
                                      Stopping Unbound Resolver.
                                      Unbound stopped in 2 sec.
                                      Additional mounts (DNSBL python):
                                        No changes required.
                                      Starting Unbound Resolver... completed [ 11/23/23 07:11:38 ]
                                      

                                      @rajukarthik

                                      • You need to plan out a path for your DNS traffic to follow. Don't let us tell you, because only you know what other things you have/need your network to do.
                                      • It does seem that you have multiple devices answering the DNS Queries.
                                      • The DNSBL on the Netgate will do nothing if it is not in the DNS traffic path and/or the resolver is not running.

                                      The DNS Resolver should resolve out of the box, if enabled. By default it would go to the root servers for anything it can't answer. (it doesn't have to and can be used with any other upstream DNS, that's a choice you have to make)

                                      I had started a response on the layout, and noticed you had posted this:

                                      Actually 192.168.3.3 is my cisco router. I have configured Pfsense firewall after cisco router.
                                      I have configured 8.8.8.8 and 4.2.2.2 as dns servers in cisco routers.
                                      I have cleared the cache but no luck.
                                      I want to block all social media websites, OTTS and torrents (A big list).

                                      so

                                      WAN <-> Cisco <-> pfSense <-> Clients
                                      or
                                      WAN <-> Cisco <-> pfSense
                                                   \<-> Clients
                                      or
                                      Something else: are all your clients connected to the Cisco? Perhaps then
                                      WAN <-> pfSense <-> Cisco <-> Clients
                                      

                                      Follow the DNS traffic and plan the path (you need to get pfSense in the DNS traffic path and generally just in the traffic path, or it won't block anything)

                                      Do you have a network diagram you can share?
                                      I think before you tackle the DNSBL you have to sort out the traffic flow in your case, or at least let us better understand it.
                                      You have mentioned multiple subnets so far with devices on
                                      192.168.50.*
                                      192.168.3.*
                                      Where is the Netgate (IP)?

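Gertjan's point above (a cached answer is served before pfBlockerNG ever sees the query) and jrey's reply (a Force reload restarts unbound, so the resolver cache is gone and the new entry takes effect immediately) describe two caches, the client's and the resolver's, and two ways to clear them. The model below is an added example written for this thread, not pfSense, unbound or pfBlockerNG code: it assumes the ordering the posts describe (cache lookup first, DNSBL only on a miss, DNSBL answer 0.0.0.0 with TTL 60 as in the dig output above), and the upstream records are constructed except for the facebook.com answer copied from jrey's pre-block dig (157.240.229.35, TTL 101).

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

SINKHOLE = "0.0.0.0"   # DNSBL answer seen in this thread's dig output
DNSBL_TTL = 60         # TTL on that answer in the thread

# Constructed upstream data; facebook.com matches the thread's pre-block answer.
UPSTREAM: Dict[str, Tuple[str, int]] = {
    "facebook.com": ("157.240.229.35", 101),
    "example.org": ("203.0.113.10", 300),
}


@dataclass
class Answer:
    ip: str
    ttl: int
    source: str   # "upstream", "dnsbl", "resolver-cache" or "client-cache"


class ModelResolver:
    """Toy model of unbound + DNSBL as the thread describes it: a cache hit is answered
    before the DNSBL is consulted; a DNSBL force reload restarts unbound (cache cleared)."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, float]] = {}   # name -> (ip, expires_at)
        self.dnsbl: Set[str] = set()

    def add_to_dnsbl(self, name: str) -> None:
        self.dnsbl.add(name)

    def force_reload(self) -> None:
        # Thread log: "Stopping Unbound Resolver ... Starting Unbound Resolver"
        self.cache.clear()

    def resolve(self, name: str, now: float) -> Answer:
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return Answer(hit[0], int(hit[1] - now), "resolver-cache")
        if name in self.dnsbl:
            ip, ttl, source = SINKHOLE, DNSBL_TTL, "dnsbl"
        else:
            (ip, ttl), source = UPSTREAM[name], "upstream"
        self.cache[name] = (ip, now + ttl)
        return Answer(ip, ttl, source)


class ClientStub:
    """The client's own cache (Windows: ipconfig /flushdns) in front of the resolver."""

    def __init__(self, resolver: ModelResolver) -> None:
        self.resolver = resolver
        self.cache: Dict[str, Tuple[str, float]] = {}

    def flush(self) -> None:
        self.cache.clear()

    def resolve(self, name: str, now: float) -> Answer:
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return Answer(hit[0], int(hit[1] - now), "client-cache")
        ans = self.resolver.resolve(name, now)
        self.cache[name] = (ans.ip, now + ans.ttl)
        return ans


def scenario_stale_cache() -> Tuple[str, Answer, Answer]:
    """Gertjan's case: entry added while the answer is cached, no restart, no flush."""
    r = ModelResolver()
    c = ClientStub(r)
    first = c.resolve("facebook.com", 0).ip           # real IP, cached for 101 s
    r.add_to_dnsbl("facebook.com")
    stale = c.resolve("facebook.com", 30)              # still the real IP (client cache)
    after = c.resolve("facebook.com", 120)             # both caches expired: DNSBL answers
    return first, stale, after


def scenario_force_reload() -> Tuple[Answer, Answer, Answer]:
    """jrey's case: add the entry and force reload; resolver is clean, client may not be."""
    r = ModelResolver()
    c = ClientStub(r)
    c.resolve("facebook.com", 0)
    r.add_to_dnsbl("facebook.com")
    r.force_reload()
    at_resolver = r.resolve("facebook.com", 10)        # dig on pfSense: 0.0.0.0 from DNSBL
    at_client = c.resolve("facebook.com", 10)          # client still holds the old answer
    c.flush()                                          # ipconfig /flushdns
    at_client_flushed = c.resolve("facebook.com", 11)  # 0.0.0.0, now from the resolver cache
    return at_resolver, at_client, at_client_flushed


if __name__ == "__main__":
    print(scenario_stale_cache())
    print(scenario_force_reload())
```

The two scenarios are consistent with both posts: without a restart the DNSBL entry only bites once the cached record's TTL runs out, and a force reload fixes the resolver side at once but not a client that still holds the old record. In jrey's transcript roughly two minutes passed between the two queries (07:10:00 to 07:11:59), longer than the 101 s TTL on the first answer, so the client-side record would have expired in the model as well.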
                                        Gertjan @jrey
                                        last edited by

                                        @jrey said in Not able to block facebook website:

                                        No cache flush performed on the client, just added the entry and reloaded the DNSBL

                                        Euh, yeah.
                                        I forgot something else about the DNS(bl) and cache: ASNs are lists with IP addresses and networks.
                                        => Has nothing to do with DNS lookups (!! stupid me !!)
                                        Facebook can and will get resolved just fine. No big deal.

                                        What doesn't work anymore : see my "floating" firewall rules above : all the IP addresses and networks of Facebook will get blocked at the firewall level.
                                        In my example above I had selected "No outbound" which means : nothing from 'LAN' can reach these networks and IPs anymore.

                                          jrey @jrey
                                          last edited by jrey

                                          @rajukarthik

                                          Try this:

                                          On the pfSense box

                                          • Enable DNS resolver (I'm going to assume that all the default settings are in place)
                                          • Diagnostics menu -> Command line
                                          dig facebook.com
                                          
                                          • the following from your client machine (windows)
                                          nslookup facebook.com
                                          
                                          • then the following from your client machine (windows)
                                          nslookup
                                          server (ip of your pfSense box)
                                          facebook.com
                                          
                                          • share all three results

                                          pfBlockerNG (assuming 3.2.0_6)

                                          • make sure it is enabled (Firewall -> pfBlockerNG ->General)

                                          Edit - Sorry one of the images / steps didn't appear
                                          this is under Firewall -> pfBlockerNG -> DNSBL
                                          Screen Shot 2023-11-23 at 11.23.55 AM.png

                                          • Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups

                                          • add a new group - call it Socials (or whatever)
                                            Settings

                                            • Action Unbound
                                            • just select Every 2 hours for now.
                                            • Scroll to the bottom in the section DNSBL Custom_List
                                              in the box enter facebook.com
                                            • Save DNSBL Settings (Button at bottom of screen)
                                          • at the top of screen, right next to DNSBL select the Update (tab/page)

                                            • Select 'Force' option - click "reload"
                                            • Select 'Reload' option - click "DNSBL"
                                            • click the Run button (wait until it says "UPDATE PROCESS ENDED" in the view below the run button.)
                                          • repeat the three tests above (1 dig on the pfSense, 2 nslookups on the client)
                                            post the results

                                            jrey @Gertjan
                                            last edited by

                                            @Gertjan said in Not able to block facebook website:

                                            all the IP addresses and networks of Facebook will get blocked at the firewall level.

                                            Not entirely true

                                            All the IPs in their ASN will get blocked; however, they also use (randomly) IP addresses that are not in their ASN (i.e. the leased space).
                                            here are a few of them associated with fb

                                            Screen Shot 2023-11-23 at 10.45.02 AM.png

                                            As I said previously, neither method is 100%; you have to use a combination to get closer to that level. So again, it all comes down to the definition of "Block Facebook" and the requirements.

                                            facebook.com will block most of the "user browsing traffic" but not all the other "things they embed here there and everywhere"

                                            For that you would also have to include this, and more (as the list doesn't include their content servers). (However, beware: you will notice that some of the entries listed have nothing to do with Facebook directly; that is because the IPs float within the AWS network and other leased space.)
                                            Screen Shot 2023-11-23 at 10.49.04 AM.png

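The disagreement in the last few posts (NogBadTheBad: an ASN-derived alias blocks by destination IP; jrey: Facebook also uses leased and CDN space outside its ASN, so neither the alias nor a name list is 100% on its own) comes down to two controls with different coverage. The helper below is an added example for this thread, not pfBlockerNG code: it takes a name list (the DNSBL) and a prefix list (what an ASN alias expands to) and reports which control, if any, would catch each observed name/IP pair. All prefixes, names and addresses are constructed from RFC 5737 documentation ranges and example domains, not Facebook's real data, and the model treats a DNSBL entry as covering its subdomains, which is an assumption to check against your own DNSBL mode.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-ins for prefixes expanded from an ASN into a firewall alias.
ASN_ALIAS_PREFIXES = ["198.51.100.0/24", "198.51.100.128/25", "192.0.2.0/25"]

# Constructed DNSBL entries.
DNSBL_NAMES: Set[str] = {"facebook.com", "fbcdn.example"}

# Constructed (name, ip) pairs as a client would see them.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("www.facebook.com", "198.51.100.20"),          # caught by the DNSBL (alias would too)
    ("cdn.example-leased.net", "198.51.100.200"),   # name not listed, IP inside the alias
    ("static.example-cdn.net", "203.0.113.9"),      # neither: leased/CDN space outside the ASN
]


def build_alias(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse overlapping or adjacent prefixes the way an alias table would."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def ip_in_alias(ip: str, alias: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


def name_in_dnsbl(name: str, dnsbl: Set[str]) -> bool:
    """Assumed matching rule: an entry covers the name and all of its subdomains."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in dnsbl for i in range(len(labels)))


def which_control(name: str, ip: str, dnsbl: Set[str], alias: List[ipaddress.IPv4Network]) -> str:
    """DNSBL acts first (the name never resolves); the alias catches traffic that got an IP."""
    if name_in_dnsbl(name, dnsbl):
        return "dnsbl"
    if ip_in_alias(ip, alias):
        return "asn-alias"
    return "none"


def coverage_report(flows: List[Tuple[str, str]], dnsbl: Set[str],
                    alias: List[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Group observed names by the control that would stop them; 'none' is the gap list."""
    report: Dict[str, List[str]] = {"dnsbl": [], "asn-alias": [], "none": []}
    for name, ip in flows:
        report[which_control(name, ip, dnsbl, alias)].append(name)
    return report


if __name__ == "__main__":
    alias = build_alias(ASN_ALIAS_PREFIXES)
    print("alias prefixes:", [str(n) for n in alias])
    for control, names in coverage_report(SAMPLE_FLOWS, DNSBL_NAMES, alias).items():
        print(f"{control}: {names}")
```

Feed it the names and IPs from the resolver log and the firewall log for a test session; anything that lands in "none" is exactly the leased or CDN space jrey describes, and is the list of names to add to the DNSBL custom list (or prefixes to add to the alias) rather than an argument for one control over the other.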
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.