pfblockerNG Question(s)
-
@djtech2k said in pfblockerNG Question(s):
If I open a browser on my laptop and try to go to foo.com, what happens?
A blocked hostname resolves to the configured IP address:
-
@djtech2k said in pfblockerNG Question(s):
I thought that would be best for my situation
And that's fine of course.
Just keep in mind that you also thought that you know better than a company called Netgate that made pfSense.
After all, if "forwarding" to "whatever (commercial) DNS server" is more secure than resolving, then it would be the default setting. Guess what, it wasn't set like that.
Netgate even activated DNSSEC, for security reasons. But get me right, there might be conditions under which forwarding to a (commercial) DNS server is better.
All the big players (the local government, your ISP, your favorite VPN, etc etc) already always know "where" you go. So asking the road ( .. no, the IP ^^) to these places is pretty much the same thing.
@djtech2k said in pfblockerNG Question(s):
Otherwise, I set the "Enable Forwarding Mode" option because I assume using my ISP DNS servers is the best option
That option exists, IMHO, for ancient reasons.
It adds another misunderstanding these days, I guess.
"In the past", when we had 9600 or 33k6 modem bit rates, every byte counted. You paid per bit, remember ?
Most ISPs made available their own local DNS servers so resolving would speed up a bit. Our own ISP interlink connections were also very slow.
These days : most ISPs still offer DNS functionalities as these servers bring in some extra cash ^^
An ISP that forces you to use their DNS : leave them. With the new, multiple Mbytes/sec ISP connections these days, we can do at home with pfSense what everybody already did back in the past on the big systems : we use DNS as it was meant to be used : we resolve.
pfSense, out of the box, resolves.
If you wanted to know the phone number of Paul, why would you ask Joe ?
Why not ask Paul directly ? Ok, you get it, I'm a resolving fan.
I can't, of course, say that forwarding is bad and resolving is good. Both have their advantages, and disadvantages.
Resolving + DNSSEC (if available) is good enough for me.
Also, it's the most simple setup : out of the box the system - pfSense - is ok.
And Netgate told already many times that I'm not smarter than they are ^^ So, for me, resolving it will be.
Extra info : I also have my own domain name servers for my domain names (for my websites, mail reverse and so on). I wanted to do the DNSSEC (and a lot of other stuff) 'myself', as implementing DNS myself was what I did to learn about DNS.
-
DNSSEC
Speaking of which, disable DNSSEC if you are forwarding. It can cause false positives.
https://forum.netgate.com/topic/190742/should-i-enable-dnssec-in-pfsense-when-using-quad9-and-full-dns-hijacking/2
-
Ok so something behind the scenes must pick up that DNS query and resolve it to the VIP instead of sending it on to a DNS server to get resolved as the real IP. Is that right? What about the URIs in the dnsbl blacklist? For example, there are entries like "/ad/" or something like that. Is there like a script that does a regex or something before the DNS query gets sent to the resolver?
I did a quick test and did an nslookup on a domain name that I know is on the list and getting blocked via the pfblocker reports. The IP returned is 0.0.0.0 but I expected it to be the VIP IP of the dnsbl webserver. Is that expected? Here are my settings:
I am unclear on when a request would get sent to the dnsbl webserver or the "blocked webpage".
-
@djtech2k The unbound DNS server loads the DNSBL lists and essentially uses them as overrides.
Not sure about your other questions offhand.
-
This "10.10.10.1" is an option that will get ditched soon.
I use this :
A browser on your LAN wants to visit facebook.com
But you, as the pfSense admin, have blocked "facebook.com" (as a DNSBL). Do you think that a page like this :
will pop up to warn the user in its browser that 'facebook' has been blocked ?
No way ! Because you, me, nobody can break TLS. Remember, https is used. The browser wants to visit facebook.com but it gets an answer back from some guy called "10.10.10.1". That is interception, and that is bad. The browser will bark.
And not showing any pages - no way, it will throw the complex and scary messages on the screen .... (we all know them). So, the admin that starts to understand what TLS (= https) is, doesn't care about what the pfBlockerng web server "10.10.10.1" has to offer.
"10.10.10.1" was nice in the good old http days.
There are no http servers anymore, they have been shut down (actually : they are still there doing just one thing : redirecting you to the https counterpart, as http traffic can be redirected). That's why I "Null log".
Btw : Null logging means : return 0.0.0.0 (means : doesn't exist, don't insist - do nothing)
means : return "10.10.10.1" - which is, imho, as I exposed above, pretty useless.
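As an added illustration (not code from the thread, from pfSense or from pfBlockerNG) of the "Unbound uses the DNSBL lists as overrides" point and of the null-block vs webserver choice above: a toy resolver that loads Unbound-style local-zone/local-data lines, answers listed names from them with either 0.0.0.0 or the webserver VIP, and forwards everything else. The sample entries and the fake upstream are constructed.

```python
"""Toy override-first lookup modelled on Unbound local-zone / local-data semantics."""
import re

# Constructed sample in Unbound syntax (not pfBlockerNG's generated file).
# A 'redirect' zone answers the zone and all its subdomains with the apex data.
SAMPLE_CONF = """
local-zone: "facebook.com" redirect
local-data: "facebook.com A 10.10.10.1"
local-data: "ads.example.net A 0.0.0.0"
"""

LOCAL_ZONE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\w+)')
LOCAL_DATA = re.compile(r'^local-data:\s*"(\S+)\s+A\s+([\d.]+)"')


def parse_overrides(text):
    """Return (zones, data): zone name -> type, owner name -> A address."""
    zones, data = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = LOCAL_ZONE.match(line)
        if m:
            zones[m.group(1).lower().rstrip(".")] = m.group(2).lower()
            continue
        m = LOCAL_DATA.match(line)
        if m:
            data[m.group(1).lower().rstrip(".")] = m.group(2)
    return zones, data


def resolve(name, zones, data, upstream):
    """Overrides win; anything not listed goes to the upstream function."""
    name = name.lower().rstrip(".")
    if name in data:
        return data[name], "override"
    labels = name.split(".")
    for i in range(1, len(labels)):  # walk up the parents looking for a redirect zone
        parent = ".".join(labels[i:])
        if zones.get(parent) == "redirect" and parent in data:
            return data[parent], "override"
    return upstream(name), "forwarded"


def classify(answer, webserver_vip="10.10.10.1"):
    """Label what the client will see: null block, block page VIP, or a real answer."""
    if answer == "0.0.0.0":
        return "null-block"
    return "webserver" if answer == webserver_vip else "normal"


def fake_upstream(name):
    # Constructed stand-in for the forwarder / root resolution step.
    return {"example.org": "198.51.100.7"}.get(name, "NXDOMAIN")
```

With the sample above, www.facebook.com lands on the VIP (the browser then sees a certificate that does not match the name), ads.example.net gets 0.0.0.0, and example.org is forwarded untouched.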
-
Ok so just curious why my nslookup to a known blacklisted domain name would come back with 0.0.0.0 as the IP? I thought with my options as posted above, it would come back to the 10.x address of the webserver?
On a side note about DNS, I posted my config in DNS Resolver and the General DNS server settings. I understand the concepts of all the settings but I am unclear on which ones take precedence. So on the General DNS Server settings, I have the checkbox "Allow DNS server list to be overridden by DHCP..." and the DNS Resolution Behavior is set to Local then remote DNS. I then have the DNS Resolver setting "DNS Query Forwarding" enabled. I understand what all those things mean but I am unclear on how they work together.
I enabled the forwarding because my thought was that if I did not, pfsense would be running its own DNS server, which I felt like it would be unneeded functionality or attack surface, so I thought sending those requests to my ISP would be fine. I do not care where my DNS queries get resolved as long as it's as secure as it can be AND I can continue to use the conditional forwarder I mentioned above. I just don't know the net effect of these 3 different DNS settings. I am not opposed to changing them as long as it meets the need in the best way I can.
-
@djtech2k Do you have the null block set, as noted above?
On pfSense only allowed (LAN etc.) clients can access it for DNS, and they need to do so if forwarding also. Unless you allow port 53 on WAN, all traffic arriving on WAN is blocked by default.
You can have LAN clients not use pfSense/Unbound at all, but then DNSBL won't work. (side note: if their browsers use DoH then they will bypass DNSBL)
If DNS forwarding is enabled then Unbound will forward the queries to the configured DNS servers instead of asking the root servers.
If you have allowed WAN DHCP to override the DNS server list then it will use the DNS servers your ISP says to use:
https://docs.netgate.com/pfsense/en/latest/config/general.html#dns-resolution-behavior
(there's a ? icon on each page that links to the doc page)
Normally we set to forward because we forward to Quad9. Others have different opinions of what is preferable.
-
No, I have it set to go to the webserver but when I tried the nslookup to a known blacklisted domain, it came back with 0.0.0.0 as the IP, which surprised me based on my config.
As for DNS, the pfsense value seems to be DNS Override enabled, Local >then> Remote in the DNS Behavior settings in the General Setup section, which is exactly how mine is set. So the only deviation I have from the default is the forwarding enabled in the DNS Resolver config. So I guess the real difference is that my DNS queries will be sent to the DNS servers from my ISP DHCP lease and if I uncheck the forwarder box, pfsense will try to resolve it from cache and then look for root hints for resolution. Does that sound accurate?
All of my DNS discussion is on the LAN side. It's all blocked on the WAN by default.
I think my gap in knowledge on this is mainly around the "Unbound" part and how DNSBL works, along with a little bit about how the DNS Resolver (and its options) work in pfsense. As long as my override/conditional forwarder will work, it sounds like I can use the forwarder option or remove it. Like I said, I just initially thought it was a component/work that I did not need pfsense to do so I was thinking forwarding would be better. I could be wrong all along anyway.
-
@djtech2k said in pfblockerNG Question(s):
it came back with 0.0.0.0 as the IP, which surprised me based on my config.
Hummm.
DNSBL files - with the Webserver IP 10.100.1.1, or 0.0.0.0 = Null block, depending on your choice - are (re)built when you do a Force reload All.
edit : as you said yourself :