pfsense 2.7.0 and pfblocker-dev 3.2.0.7 poor client browsing experience if DNSBL enabled
-
Good morning,
I installed pfblocker-dev 3.2.0.7 on a pfSense 2.7.0 install.
Everything appeared to be working - GeoIP and DNSBL logging/reporting as expected.
The PC browsing experience is not so good.
Clients point to internal DNS server that has pfsense as a forwarder, pfsense DNS upstream set to Quad9 and nothing else.
I disabled DNSBL and the web browsing experience was once again lightning quick.
I tested DNSBL with just https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts enabled. Browsing experience very poor.
I note that the web browser does not present the cookie acceptance box and menus on websites may take 10s+ to display submenus.
I use this list elsewhere and it just works.
On pfSense CPU / logs / stats all look fine but I might not be digging deep enough.
I do note that under DNS Resolver, if I enable Python Module, the Python Module script reports "No Python module scripts found"
Thanks in advance for any advice.
-
2.7.2 is available
No Python module scripts found
Have you selected the script? Under DNS Resolver, and under pfBlockerNG -> DNSBL.
-
@jrey Thanks, I cannot select the script, in the drop down box it reports "No Python module scripts found"
I have tested without python and the web browsing experience is no different.
-
Interesting, the script isn't available at that point.
Have you tried refreshing (reinstalling) the pfBlockerNG package?
Any other errors in logs?
ls -l /var/unbound
What do you see?
-
@korgua said in pfsense 2.7.0 and pfblocker-dev 3.2.0.7 poor client browsing experience if DNSBL enabled:
I installed pfblocker-dev 3.2.0.7 on an pfSense 2.7.0 install.
And that's already a 'problem'.
Note somewhere:
If you install pfSense packages 'today' then you need to make sure that your pfSense is also from 'today': that is, the latest version.
Today, that will be 2.7.2, and certainly not 2.7.0 (more than a year old).
Btw: if you have DNS issues, it is very possible that pfSense itself can't show you that an upgrade is available.
There is also good news.
I'm using: (this means that you and I use exactly the same 'code')
and the 'Steven' list.
I have no issues whatsoever ****.
I'm using the pfBlocker 'Python' mode of course, as it is faster, and uses less memory.
@korgua said in pfsense 2.7.0 and pfblocker-dev 3.2.0.7 poor client browsing experience if DNSBL enabled:
pfsense DNS upstream set to Quad9 and nothing else.
You are aware that you don't need to use any upstream data harvester ... sorry 'Quad9' ?
(true : it also does some DNSBL for your ...)
pfSense uses unbound, a DNS resolver.
Quad9, 8.8.8.8, 1.1.1.1 are all resolvers.
Why would you need a resolver if you already have one? "Resolving twice?"
*** that is: if you tend to visit all the sites that are listed in the "Steven" list, then yeah .... you're right: a poor browsing experience will be guaranteed.
Beware: when you visit sites that, in their turn, visit the listed DNSBL sites for you, then the same thing will be true: pages don't load, slow etc.
-
@Gertjan said in pfsense 2.7.0 and pfblocker-dev 3.2.0.7 poor client browsing experience if DNSBL enabled:
And that's already a 'problem'.
Not really -- 3.2.0_6 and 3.2.0_7 are only one line of code different.
However, versions of python and other underlying items would/could be different.
First thing I said was:
@jrey said in pfsense 2.7.0 and pfblocker-dev 3.2.0.7 poor client browsing experience if DNSBL enabled:
2.7.2 is available
but at the same time if the script isn't even there, that's an entirely different issue.
@Gertjan said in pfsense 2.7.0 and pfblocker-dev 3.2.0.7 poor client browsing experience if DNSBL enabled:
Why would you need a resolver if you already have one? "Resolving twice?"
Not really - the local DNS resolver either goes to the root servers (default) or is forwarded to the selected server. By default the local Resolver won't know anything about anything and the answer has to come from somewhere.
DNS Resolver -> Root Servers (Default)
or
DNS Resolver -> some other named upstream.
Both are valid options depending on use case.
neither has anything to do with pfb_python script not being found.
-
I will try a refresh / reinstall.
I see that the script is not there:
total 150
-rw-r--r-- 1 root unbound 678 Jan 3 06:42 access_lists.conf
drwxr-xr-x 2 unbound unbound 2 Jun 28 2023 conf.d
dr-xr-xr-x 6 root wheel 512 Jan 3 06:39 dev
-rw-r--r-- 1 root unbound 0 Jan 3 06:42 dhcpleases_entries.conf
-rw-r--r-- 1 root unbound 3392 Jan 1 15:53 dnsbl_cert.pem
-rw-r--r-- 1 root unbound 0 Jan 3 06:42 domainoverrides.conf
-rw-r--r-- 1 root unbound 552 Jan 3 06:42 host_entries.conf
drwxr-xr-x 4 root wheel 68 Jun 28 2023 lib
-rw-r--r-- 1 root unbound 1637 Jan 5 06:51 pfb_dnsbl_lighty.conf
-rw-r--r-- 1 root unbound 6 Jan 4 08:40 pfb_py_count
-rw-r--r-- 1 unbound unbound 8192 Jan 5 06:52 pfb_py_dnsbl.sqlite
-rw-r--r-- 1 unbound unbound 12288 Jan 6 07:28 pfb_py_resolver.sqlite
-rw-r--r-- 1 root unbound 385 Jan 2 00:00 pfb_unbound.ini
-rw-r--r-- 1 root unbound 300 Sep 8 06:30 remotecontrol.conf
-rw-r--r-- 1 unbound unbound 758 Jan 6 03:37 root.key
-rw------- 1 unbound unbound 2459 Sep 8 06:30 unbound_control.key
-rw-r----- 1 unbound unbound 1411 Sep 8 06:30 unbound_control.pem
-rw------- 1 unbound unbound 2459 Sep 8 06:30 unbound_server.key
-rw-r----- 1 unbound unbound 1549 Sep 8 06:30 unbound_server.pem
-rw-r--r-- 1 unbound unbound 2062 Jan 5 06:53 unbound.conf
drwxr-xr-x 3 root unbound 3 Jan 1 16:07 usr
drwxr-xr-x 3 root unbound 3 Jan 1 16:07 var
-
So that listing has both missing and extra entries. Suggests there is a bigger problem.
This would be a great time to take the first bit of advice:
2.7.2 is available
Back up a copy of your current configuration.
Download a copy of the 2.7.2 image as a standby.
I would do a fresh install, rather than trying to upgrade, but either option should only take a few minutes.
Upgrade
Try upgrading the system first.
Watch closely for errors and/or look in the file /conf/upgrade_log.latest.txt
If the upgrade is clean, you can list the directory again and post the listing again.
You might have to refresh the pfBlocker package again after the system install although it should be picked up during the update (the log above will tell you). The DNSBL will most likely come up not running (as shown on the dashboard); a force reload from the Firewall -> pfBlockerNG -> Update menu should resolve that.
Fresh Install
I think in this case a clean (as new) install using the image and then restore the configuration would be best but entirely your choice. Trying the upgrade first certainly won't hurt, just potentially an extra step if it doesn't work.
-
Just as a proof of concept that the 3.2.0_7 package would run on 2.7.0:
I spun up a fresh 2.7.0 instance
installed 3.2.0_7 pfBlocker
DNS Resolver
DNSBL
The script is there:
total 6146
-rw-r--r-- 1 root unbound 176 Jan 6 19:46 access_lists.conf
drwxr-xr-x 2 unbound unbound 2 Jun 28 2023 conf.d
dr-xr-xr-x 7 root wheel 512 Jan 6 19:49 dev
-rw-r--r-- 1 root unbound 0 Jan 6 19:46 dhcpleases_entries.conf
-rw-r--r-- 1 root unbound 3408 Jan 6 19:46 dnsbl_cert.pem
-rw-r--r-- 1 root unbound 0 Jan 6 19:46 domainoverrides.conf
-rw-r--r-- 1 root unbound 388 Jan 6 19:46 host_entries.conf
drwxr-xr-x 4 root wheel 68 Jun 28 2023 lib
-rw-r--r-- 1 root unbound 1271 Jan 6 19:49 pfb_dnsbl_lighty.conf
-rw-r--r-- 1 root unbound 8429809 Jan 6 19:49 pfb_py_data.txt
-rw-r--r-- 1 unbound unbound 8192 Jan 6 19:49 pfb_py_dnsbl.sqlite
-rw-r--r-- 1 root unbound 1687428 Jan 6 19:46 pfb_py_hsts.txt
-rw-r--r-- 1 unbound unbound 12288 Jan 6 19:58 pfb_py_resolver.sqlite
-rw-r--r-- 1 root unbound 1043 Jan 6 19:49 pfb_py_whitelist.txt
-r-xr-xr-x 1 root unbound 5534 Jan 6 19:46 pfb_unbound_include.inc
-rw-r--r-- 1 root unbound 358 Jan 6 19:49 pfb_unbound.ini
-r-xr-xr-x 1 root unbound 68158 Jan 6 19:46 pfb_unbound.py
-rw-r--r-- 1 root unbound 300 Jan 6 07:29 remotecontrol.conf
-rw-r--r-- 1 unbound unbound 83 Jan 6 19:46 root.key
-rw------- 1 unbound unbound 2455 Jan 6 07:29 unbound_control.key
-rw-r----- 1 unbound unbound 1411 Jan 6 07:29 unbound_control.pem
-rw------- 1 unbound unbound 2455 Jan 6 07:29 unbound_server.key
-rw-r----- 1 unbound unbound 1549 Jan 6 07:29 unbound_server.pem
-rw-r--r-- 1 unbound unbound 1996 Jan 6 19:49 unbound.conf
drwxr-xr-x 3 root unbound 3 Jan 6 19:49 usr
drwxr-xr-x 3 root unbound 3 Jan 6 19:49 var
Confirmed the DNSBL is blocking
And the system is running with no issues -- but the recommendation that 2.7.2 is available still stands.
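As an added check (not from any post in this thread and not pfBlockerNG's own code), a small POSIX sh function that compares a /var/unbound directory against the Python-mode files that appear in the working listing above but are absent from the broken one; the file names come from the thread, the function name and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: verify that the pfBlockerNG Python-mode files are present
# in the unbound chroot. The expected names are the entries that the working
# 2.7.0 + 3.2.0_7 listing in this thread has and the broken listing lacks.
# Usage: sh pfb_check.sh --run [dir]   (dir defaults to /var/unbound)

PFB_PY_EXPECTED="pfb_unbound.py pfb_unbound_include.inc pfb_py_data.txt pfb_py_hsts.txt pfb_py_whitelist.txt"

# Prints one line per problem; returns 0 when every expected file is present
# (and pfb_unbound.py is executable, as in the working listing), else 1.
pfb_check_python_files() {
    dir="${1:-/var/unbound}"
    missing=0
    if [ ! -d "$dir" ]; then
        echo "missing: directory $dir"
        return 1
    fi
    for f in $PFB_PY_EXPECTED; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            missing=$((missing + 1))
        elif [ "$f" = "pfb_unbound.py" ] && [ ! -x "$dir/$f" ]; then
            echo "not executable: $dir/$f"
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -eq 0 ]; then
        echo "ok: Python-mode files present in $dir"
        return 0
    fi
    echo "$missing problem(s); reinstall pfBlockerNG and force a reload from Firewall -> pfBlockerNG -> Update"
    return 1
}

# Only run when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    pfb_check_python_files "${2:-/var/unbound}"
fi
```

The "No Python module scripts found" drop-down in the DNS Resolver page corresponds to pfb_unbound.py being absent from this directory, which is the first thing the function reports.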