pfblockerNG Question(s)

Gertjan

@djtech2k said in pfblockerNG Question(s):

If I open a browser on my laptop and try to go to foo.com, what happens?

To make a pretty important story short, you actually want to know what DNS (really) is.

First, check with the settings of your browser (all browser you use) what DNS it is using.

For example, whne visiting about:preferences#privacy on a Firefox browsers, on the bottiom of that page, you might be in for a big surprise.
If it isn't :

then the browser will completely bypass pfSense (== the resolver (unbound) and thus pfBlockerng).

When "Off" is selected, the browser will use the DNS that your device obtained by a DHCP lease (or whatever you've set it if you use a static IP setup)

Next test, still on your device : ask your device what (who) the system DNS it :

C:\Users\Gauche>nslookup www.google.com
Serveur :   pfSense.bhf.tld
Address:  2a01:cb19:907:xxyy:92ec:77ff:fe29:392c

Réponse ne faisant pas autorité :
Nom :    www.google.com
Addresses:  2a00:1450:4007:80c::2004
          172.217.20.164

Every line is important here.

Serveur : pfSense.bhf.tld = is the host name of my pfSense.
Address: 2a01:cb19:907:xxyy:92ec:77ff:fe29:392c : sorry for this, normally, it should be 192.168.1.1, the IPv4 address of my pfSense. But IPv4 start t be phased out so ... here it is, my pfSense LAN IPv6 ...

And then the two answers :
An A (IPv4) and an AAAA (IPv6) record : these are the answers.

Check also this :

ipconfig /all
......
   Serveurs DNS. . .  . . . . . . . . . . : 2a01:cb19:907:xxyy:92ec:77ff:fe29:392c
                                       192.168.1.1
.....

which means that the DJCP server (pfSense) gave these two DNS server IP's to my device.
Keep in mind : my 192.168.1.1 is the same interface as 2a01:cb19:907:xxyy:92ec:77ff:fe29:392c.

So, now I k,ow that my device will use pfSense as it's DNS source.

On pfSense : if you use the default Resolver settings, as they ware present when you installed pfSense, your good.

There are several ways to check if DNS requests from your LAN device are handled by the resolver :
Goto Services > DNS Resolver > Advanced Settings page and select :

WARNING : do not forget to set this back to "Level 1" when you're done - The DNS (Resolvers) log will get huge very fast !

and now visit : Status > System Logs > System > DNS Resolver and you'll see all DNS requests handled by the resolver listed.

Or visit : Firewall > pfBlockerNG > Alerts and go to the Unified page.
You'll see all DNS requests that are handled by the Resolver (and thus handled by pfBlockerng).

Also, be ware, none of the people that created DNS (they are still there !) can be found on toctic.
You can see them here : https://www.youtube.com/results?search_query=DNS

This one How DNS Works - Computerphile, is, IMHO, gold. But there are many more.
Look at a couple more, let it sink in, and look some more over time.

djtech2k

Thanks for the detail.

My DNS Resolver is set to "Enable Forwarding Mode". I thought that would be best for my situation, but again I am relatively new to pfsense. I have a DNS server on my network that only has records for a specific domain, so I have a conditional forwarder (Domain Override) setup in my DNS Resolver for that domain. Otherwise, I set the "Enable Forwarding Mode" option because I assume using my ISP DNS servers is the best option. So I assumed that my internal domain will get DNS forwarded to my DNS server and all other DNS queries will get sent to the DNS servers provided by my ISP DHCP.

Am I misunderstanding this or is that config not the best way to go? Specifically, should I not have the Forwarding mode enabled? Does this config cause pfblocker to not work as expected or cause other issues?

Here are my DNS settings in pfsense:

As for my main question here, it was really about how the DNS requests get sent to the DNSBL webserver. In my example, if any device requests foo.com and foo.com is on a blacklist, how does pfblocker send that request to the pfblocker dnsbl webserver instead of the normal DNS resolver path? Since its not a FW rule, I cannot see it there. Unless I am misunderstanding, something must happen behind the scenes that sends the DNS request for foo.com to the dnsbl webserver.

SteveITS

@djtech2k said in pfblockerNG Question(s):

If I open a browser on my laptop and try to go to foo.com, what happens?

A blocked hostname resolves to the configured IP address:

Gertjan

@djtech2k said in pfblockerNG Question(s):

I thought that would be best for my situation

And that's fine of course.
Just keep in mind that you also thought that you know better then a company called Netgate that made pfSense.
After all, if "forwarding" to "what ever (commercial) DNS server" is more secure as resolving, then it would be the default setting.

Guess what, it wasn't set like that.
Netgate even activated DNSSEC, for security reasons.

But get me right, there might be conditions that forwarding to a (commercial) DNS server is better.

All the big players (the local government, your ISP, your favorite VPN, etc etc) already always know "where" you go. So asking the road ( .. no, the IP ^^) to these places is pretty much the same thing.

@djtech2k said in pfblockerNG Question(s):

Otherwise, I set the "Enable Forwarding Mode" option because I assume using my ISP DNS servers is the best option

That option exists, IMHO, for ancient reasons.

Another adds another misunderstanding these days I guess.
"In the past", when we had 9600 or 33k6 modem bit rate counted, every byte counted. You paid per bit, remember ?
Most ISPs made available their won local DNS servers so resolving would speed up a bit. Our own ISP interlink connections were also very slow.
These days : most ISPs still offer DNS functionalities as these servers bring in some extra cash ^^
An ISP that forces you to use their DNS : leave them.

With the new, multiple Mbytes /sec ISP connection these days, we can do at home with pfSense what everybody already did back in the past on the big systems : we use DNS as it was meant to be used : we resolve.
pfSense, out of the box, resolves

If you wanted to know the phone number of Paul, why would you ask Joo ?
Why not asking Paul directly ?

Ok, you get it, I'm a resolving fan.
I can't, of course, say that forwarding is bad and resolving is good. Both have their advantages, and disadvantages.
Resolving + DNSSEC (if available) is good enough for me.
Also, its the most simple setup : out of the box the system - pfSense - is ok.
And Netgate told already many times that I'm not smarter as they are ^^ So, for me, resolving it will be.

Extra info : I also have my own domain name servers for my domain names (for my websites, mail reverse and so on). I wanted to do the DNSSEC (and a lot of other stuff) 'myself', as implementing DNS myself was what I did to learn about DNS.

SteveITS

DNSSEC

Speaking of which, disable DNSSEC if you are forwarding. It can cause false positives.

https://forum.netgate.com/topic/190742/should-i-enable-dnssec-in-pfsense-when-using-quad9-and-full-dns-hijacking/2

djtech2k

Ok so something behind the scenes must pickup that DNS query and resolve it to the VIP instead of sending it on to a DNS server to get resolved as the real IP. Is that right? What about the URI's in the dnsbl blacklist? For example, there are entries like "/ad/" or something like that. Is there like a script that does a regex or something before the DNS query gets sent to the resolver?

I did a quick test and did a nslookup on a domain name that I know is on the list and getting blocked via he pfblocker reports. The IP return is 0.0.0.0 but I expected it to be the VIP IP of the dnsbl webserver. Is that expected? Here are my settings:

I am unclear on when a request would get sent to the dnsbl webserver or the "blocked webpage".

SteveITS

@djtech2k The unbound DNS server loads the DNSBL lists and essentially uses them as overrides.

Not sure about your other questions offhand.

Gertjan

@SteveITS

This "10.10.10.1" is an option that will get ditched soon.

I use this :

A browser on your LAN wants to visit facebook.com
But you, as the pfSense admin, have blocked "facebook.com" (as a DNSBL)

Do you think that a page like this :

will pop up to warn the user in its browser that 'facebook' has been blocked ?
Now way ! Because you, me and nobody can't break TLS. Remember, https is used. The browser want to visit facebook.com but it gets an answer back from some guy called "10.10.10.1". That is interception, and that is bad. The browser will bark.
And not showing any pages - no way, it will throw the complex and scary messages on the screen .... (we all know them)

So, the admin that start to understand what TLS (= https) is, doesn't care about what the pfBlockerng web server "10.10.10.1" has to offer.
"10.10.10.1" was nice in the good old http days.
There are no http server anymore, they have been shut down (actually : they are still there doing just one thing : redirecting you to the https counterpart, as http traffic can be redirected.

That's why I "Null log".

Btw : Null logging means : return 0.0.0.0 (means : doesn't exist, don't insist - do nothing)

means : return "10.10.10.1" - which is, imho, as I exposed above, pretty useless.

djtech2k

Ok so just curious why my nslookup to a known blacklisted domain name would come back with 0.0.0.0 as the IP? I thought with my options as posted above, it would come back to the 10.x address of the webserver?

On a side note about DNS, I posted my config in DNS Resolved and the General DNS server settings. I understand the concepts of all the settings but I am unclear on which ones take precedence. So on the General DNS Server settings, I have the checkbox (Allow DNS server list to be overridden by DNCP..." and the DNS Resolution Behavior is set to Local then remote DNS. I then have the DNS Resolver setting "DNS Query Forwarding" enabled. I understand what all those things mean but I am unclear on how they work together.

I enabled the forwarding because my thought was that if I did not, pfsense would be running its own DNS server, which I felt like it would be unneeded functionality or attack surface, so I thought sending those requests to my ISP would be fine. I do not care where my DNS queries get resolved as long as its as secure as it can be AND I can continue to use the conditional forwarder I mentioned above. I just don't know the net effect of these 3 different DNS settings. I am not opposed to changing them as long as it meets the need in the best way I can.

SteveITS

@djtech2k Do you have the null block set, as noted above?

On pfSense only allowed (LAN etc.) clients can access it for DNS, and they need to do so if forwarding also. Unless you allow port 53 on WAN, all traffic arriving on WAN is blocked by default.

You can have LAN clients not use pfSense/Unbound at all, but then DNSBL won't work. (side note: if their browsers use DoH then they will bypass DNSBL)

If DNS forwarding is enabled then Unbound will forward the queries to the configured DNS servers instead of asking the root servers.

If you have allowed WAN DHCP to override the DNS server list then it will use the DNS servers your ISP says to use:
https://docs.netgate.com/pfsense/en/latest/config/general.html#dns-resolution-behavior
(there's a ? icon on each page that links to the doc page)

Normally we set to forward because we forward to Quad9. Others have different opinions of what is preferable.

djtech2k

No, I have it set to go to the webserver but when I tried the nslookup to a known blacklisted domain, it came back with 0.0.0.0 as the IP, which surprised me based on my config.

As for DNS, the pfsense value seems to be DNS Override enabled, Local >then> Remote in the DNS Behavior settings in the General Setup section, which is exactly how mine is set. So the only deviation I have from the default is the forwarding enabled in the DNS Resolver config. So I guess the real difference is that my DNS queries will be sent to the DNS servers from my ISP DHCP lease and if I uncheck the forwarder box, pfsense will try to resolve it from cache and then look for root hints for resolution. Does that sound accurate?

All of my DNS discussion is on the LAN side. Its all blocked on the WAN by default.

I think my gap in knowledge on this is mainly around the "Unbound" part and how DNSBL works, along with a little but about how the DNS Resolver (and its options) work in pfsense. As long as my override/conditional forwarder will work, it sounds like I can use the forwarder option or remove it. Like I said, I just initially thought it was a component/work that I did not need pfsense to do so i was thinking forwarding would be better. I could be wrong all along anyway.

Gertjan

@djtech2k said in pfblockerNG Question(s):

it came back with 0.0.0.0 as the IP, which surprised me based on my config.

Hummm.
DNSBL files - with the Webserver IP 10.100.1.1, or 0.0.0.0 = Null block, depending on your choice, are (re) build when you do a Force reload All.

edit : as you said yourself :