Not able to block facebook website

rajukarthik

@jrey
RT-AX3000-4B90 is my wifi router. I had accessed Pfsense gui via VPN yesterday.
Now i have connected my laptop to the pfsense lan directly and posting the screenshots for your reference.

Also I have disabled DNS resolver in my PFsense firewall.
Screenshots for your reference.
I also request you to kindly let me know how to add website entries in dnsbl to block it. I feel I had made mistake in DNSBL entries too.

Thanks and Regards,
Karthik

Gertjan

@rajukarthik said in Not able to block facebook website:

Also I have disabled DNS resolver in my PFsense firewall.

Then who is doing the DNS for your networks ?
Disabling the resolver also disables pfBlockerng.

Things get even better :

In the top of the image you can see that 192.168.3.3 was answering (port 53 == DNS) over UDP.

But unbound was stopped ?!?

Who is 192.168.3.3 ?

---

This :

can be explained.
if 'facebook.com' was resolved ones in the past, the resolver keeps the result in it local DNS cache for 'some time' (ok, true : "300" or 5 minutes ... depending your unbound settings).
Ones in the cache, pfBlockerng can't help you anymore : unbound (resolver) will reply directly out of his cache, hence the very fast "3 ms" answer time.
If facebook.com wasn't present in the resolver cache, the resolving will resolve, and this resolving will get parsed by 'pfBlockerng' ..... and thus blocked.

General advise : when you handle 'DNS stuff', on pour PC :

ipconfig /flushdns

as your PC is also doing DNS caching.

On pfSense, for good manners : stop and start unbound - the resolver, from the dashboard GUI. This will flush the pfSense resolver DNS cache.

rajukarthik

@Gertjan Actually 192.168.3.3 is my cisco router. I have configured Pfsense firewall after cisco router.
I have configured 8.8.8.8 and 4.2.2.2 as dns servers in cisco routers.
I have cleared the cache but no luck.

I want to block all social media websites, OTTS and torrents (A big list).

rajukarthik

@jrey could you please help me to configure dnsbl to block websites.

jrey

@Gertjan said in Not able to block facebook website:

can be explained.
if 'facebook.com' was resolved ones in the past, the resolver keeps the result

not entirely true at the resolver side. Why.
DNSBL - TDL setup as originally described

so with nothing in place

• dns lookup facebook.com (you should get the IP)
• then add facebook.com to the list
• for it or any DNSBL list to work, you either have to wait for the next cron job cycle, OR as is most recommended Force reload the DNSBL - that restarts the resolver as it restarts during that process.

x@LUBUNTU:~$ date
Thu 23 Nov 2023 07:09:55 AM EST
x@LUBUNTU:~$ dig facebook.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34996
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; ANSWER SECTION:
facebook.com.           101     IN      A       157.240.229.35

;; Query time: 40 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Nov 23 07:10:00 EST 2023
;; MSG SIZE  rcvd: 57

*** here I added facebook.com to list and reloaded DNSBL

x@LUBUNTU:~$ date
Thu 23 Nov 2023 07:11:51 AM EST
x@LUBUNTU:~$ dig facebook.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; ANSWER SECTION:
facebook.com.           60      IN      A       0.0.0.0

;; Query time: 40 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Nov 23 07:11:59 EST 2023
;; MSG SIZE  rcvd: 57

No cache flush performed on the client, just added the entry and reloaded the DNSBL

On pfSense, for good manners : stop and start unbound - the resolver,

no need the cron job if you wait or the force reload if you want results now, does this for you (and is way faster than anyone can navigate to the menu and do it manually)

the appropriate log file reveals:

Saving DNSBL statistics... completed [ 11/23/23 07:11:36 ]
Reloading Unbound Resolver (DNSBL python).
Stopping Unbound Resolver.
Unbound stopped in 2 sec.
Additional mounts (DNSBL python):
  No changes required.
Starting Unbound Resolver... completed [ 11/23/23 07:11:38 ]

@rajukarthik

• you need to plan out a path for your DNS traffic to follow. Don't let us tell you, because only you know what other things you have/need your network to do.
• It does seem that you have multiple devices answering the DNS Queries.
• The DNSBL on the Netgate will do nothing if it is not in the DNS traffic path and/or the resolver is not running.

The DNS Resolver should resolve out of the box, if enabled. By default it would go to the root servers for anything it can't answer. (it doesn't have to and can be used with any other upstream DNS, that's a choice you have to make)

I had start a response on the layout, and notice you had posted this

Actually 192.168.3.3 is my cisco router. I have configured Pfsense firewall after cisco router.
I have configured 8.8.8.8 and 4.2.2.2 as dns servers in cisco routers.
I have cleared the cache but no luck.
I want to block all social media websites, OTTS and torrents (A big list).

so

WAN <-> Cisco <-> pfSense <-> Clients
or
WAN <-> Cisco <-> pfSense
             \<-> Clients
or
Something Else are all your clients are connected to the Cisco?, perhaps then 
WAN <-> pfSense <-> Cisco <-> Clients

Follow the DNS traffic and plan the path (you need to get pfSense in the DNS traffic path and generally just in the traffic path, or it won't block anything)

Do you have a network diagram you can share?
I think before you tackle the DNSBL you have to sort out the traffic flow in your case, or at least let us better understand it.
You have mentioned multiple sub nets so far with devices on
192.168.50.*
192.168.3.*
Where is the Netgate (IP)?

Gertjan

@jrey said in Not able to block facebook website:

No cache flush performed on the client, just added the entry and reloaded the DNSBL

Euh, yeah.
I forgot something else : about the DNS(bl) and cache : ASNs are lists with IP addresses and networks.
=> Has nothing to do with DNS lookups ( !! stupid me !! )
facebook can and will gets resolved just fine. No big deal.

What doesn't work anymore : see my "floating" firewall rules above : all the IP addresses and networks of Facebook will get blocked at the firewall level.
In my example above I had selected "No outbound" which means : nothing from 'LAN' can reach these networks and IPs anymore.

jrey

@rajukarthik

Try this:

On the pfSense box

• Enable DNS resolver (I'm going to assume that all the default settings are in place
• Diagnostics menu -> Command line

dig facebook.com

• the following from your client machine (windows)

nslookup facebook.com

• then the following from your client machine (windows)

nslookup
server (ip of your pfSense box)
facebook.com

• share all three results

pfBlockerNG (assuming 3.2.0_6)

• make sure it is enabled (Firewall -> pfBlockerNG ->General)

Edit - Sorry one of the images / steps didn't appear
this is under Firewall -> pfBlockerNG -> DNSBL

• Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups

• add a new group - call it Socials (or whatever)
  Settings

  • Action Unbound
  • just select Every 2 hours for now.
  • Scroll to the bottom in the section DNSBL Custom_List
    in the box enter facebook.com
  • Save DNSBL Settings (Button at bottom of screen)

• at the top of screen, right next to DNSBL select the Update (tab/page)

  • Select 'Force' option - click "reload"
  • Select 'Reload' option - click "DNSBL"
  • click the Run button (wait until is says "UPDATE PROCESS ENDED" in the view below the run button.)

• repeat the three tests above (1 dig on the pfSense, 2 nslookup on the client)
  post the results

jrey

@Gertjan said in Not able to block facebook website:

all the IP addresses and networks of Facebook will get blocked at the firewall level.

Not entirely true

All the IPs in their ASN will get blocked, however they also use (randomly) IP addresses that are not in their ASN (ie the leased space)
here are a few of them associated with fb

As I said previously neither method is 100% you have to use a combination to get closer to that level. so again it all comes down to the definition of "Block Facebook" and the requirements

facebook.com will block most of the "user browsing traffic" but not all the other "things they embed here there and everywhere"

for that you would also have to include this, and more (as the list doesn't include their content servers) (however, beware, you will notice that some of entries listed have nothing to do with facebook directly, that is because the IP's float within the AWS network and other leased space.

jrey

@Gertjan

Just as a side note, we have to keep a couple of statements from the OP in mind when proposing solutions

stated:

Actually im new to PFSense so could you please help me to find how to check if my clients are using Netgate as DNS

has also said:

could you please help me to configure dnsbl to block websites.

and has also changed the requirements from "block facebook.com". I knew this would be happening based on the first statement about being new -- but as stated now the requirement is:

I want to block all social media websites, OTTS and torrents (A big list).

if you want to go ahead and start looking up the ASN for "all social media websites" go for it. It ultimately would add to a more robust blocking package.

OR we could answer the questions sort out the DNS, get DNSBL running properly and then finally throw a list of socials into the TLD block list and hit 95% of the requirement to "block all social media websites"
Does it block it "ALL social media" - not even close!

facebook.com
tiktok.com
twitter.com
instagram.com
whatsapp.com
tumblr.com
wechat.com
weixin.qq.com
telegram.org
snapchat.com
douyin.com
quora.com
threads.net
tinder.com
discord.com
clubhouse.com
bereal.com

rajukarthik

@jrey @Gertjan

Thanks for your help. I will try these steps and update.

Regards,
Karthik

Gertjan

@jrey said in Not able to block facebook website:

@Gertjan said in Not able to block facebook website:

all the IP addresses and networks of Facebook will get blocked at the firewall level.

Not entirely true

All the IPs in their ASN will get blocked, however they also use (randomly) IP addresses that are not in their ASN (ie the leased space)
here are a few of them associated with fb

Correct. You're right.
I won't try not to be funny here, but the best way would be : contact each large social media and ask them for all the IPv4 (and IPv6) they use. Most will be 'in' their ASN they own. But they can use more then that. If I was working for them, I would do exactly that : using 'random' Iv4 addresses so my clients can use my social media at any time. No one would be able to block the access.

That's why "I want to block the biog ones' isn't really an issue. As it can not be done for 100 %.
Blocking the big social networks can only happen if you have all ( ! ) the IPs they use. This list with Ips probably changes all the time.
And they will never give you this list.

Gertjan

@jrey said in Not able to block facebook website:

@Gertjan said in Not able to block facebook website:

all the IP addresses and networks of Facebook will get blocked at the firewall level.

Not entirely true

All the IPs in their ASN will get blocked, however they also use (randomly) IP addresses that are not in their ASN (ie the leased space)
here are a few of them associated with fb

Correct. You're right.
I won't try not to be funny here, but the best way would be : contact each large social media corporation and ask them for all their IPv4 (and IPv6) they use. Most will be 'in' their ASN they own. But they can (will !) use more then that. If I was working for them, I would do exactly that : using 'random' IPv4 (& IPv6) addresses so my clients can use my social media at any time. No one (read : pfSense admin) would be able to block the access. He'll try, and abandons soon as he'll understand what he tries to do.

That's why "I want to block the bog ones' isn't really an issue. As it can not be done for 100 %.
Blocking the big social networks can only happen if you have all ( ! ) the IPs they use. This list with IPs probably changes all the time.
They will never give you this list, neither making it available to the public.