    LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com)

    11 Posts 3 Posters 655 Views
    • N
      nasheayahu
      last edited by nasheayahu

      Evening, I can block connections via browser to *.googleusercontent.com, but Firefox, LibreWolf, and the like connect internally by code. I can see these connections via ntopng:

      Screenshot_20250610_225537.png

      and the packets [DNSBL_NOConnectionList] are not showing as being blocked:

      Screenshot_20250610_232216.png

      only when I try to connect via browser:
      Screenshot_20250610_225324.png

      Screenshot_20250610_225304.png

      So, how can I block any IP trying to connect via browser, application, etc., using pfBlockerNG?

      I tried this:
      Screenshot_20250610_232933.png

      and this:
      Screenshot_20250610_233105.png

      and my /var/db/pfblockerng/google.txt is:
      Screenshot_20250610_233526.png

      • patient0P
        patient0 @nasheayahu
        last edited by

        @nasheayahu said in LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com):

        but Firefox, LibreWolf, and the like connect internally by code

        First make sure that Firefox and similar don't use DNS-over-HTTPS
        Screenshot 2025-06-11 at 07.45.22.jpeg

        That way they use the regular way (udp/53) to resolve hosts.

        • N
          nasheayahu @patient0
          last edited by

          @patient0 said in LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com):

          First make sure that Firefox and similar don't use DNS-over-HTTPS

          Okay, I have those set, but not getting any hits on the packet blocks. This is how my DNS Server / General Settings look:
          DNS-1.jpg
          DNS-2.jpg
          DNS-3.jpg

          Do I need to change anything?

          • patient0P
            patient0 @nasheayahu
            last edited by

            @nasheayahu so Firefox is 'Off' for DNS-over-HTTPS, yes? Then it should work indeed.

            Have you reloaded/restarted pfBlocker-NG after you edited the custom list?

            • N
              nasheayahu @patient0
              last edited by nasheayahu

              @patient0 said in LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com):

              Have you reloaded/restarted pfBlocker-NG after you edited the custom list?

              Yes.

              Even tried this pfBlockerNG Customize Blocklist with:

              IPv4 Cust_List:
              googleusercontent.com
              bc.googleusercontent.com
              209.100.149.34.bc.googleusercontent.com
              191.144.160.34.bc.googleusercontent.com
              93.243.107.34.bc.googleusercontent.com
              202.152.107.34.bc.googleusercontent.com

              and
              TLD Blacklist:
              googleusercontent.com
              bc.googleusercontent.com
              209.100.149.34.bc.googleusercontent.com
              191.144.160.34.bc.googleusercontent.com
              93.243.107.34.bc.googleusercontent.com
              202.152.107.34.bc.googleusercontent.com

              and LibreWolf and Firefox are still connecting with no block hits. Looking at ntopng in a little more detail I get this:
              Host:

              Screenshot_20250611_115652.png

              ARIN Look-up has:

              Screenshot_20250611_114522.png

              Could this be the reason it's not being blocked? It appears so, because pfBlocker is coming up with:

              Screenshot_20250611_120458.png

              on the IPv4. The DNS Lookup is returning:

              Screenshot_20250611_120723.png

              What goes on? How do I properly just block all of Google's:

              Net Range: 34.64.0.0 - 34.127.255.255

              There appears to be some masquerading here to defeat pfBlocker? Maybe pfBlocker should make changes to use:

              http://itools.com/tool/arin-whois-domain-search
              

              as does ntopng.

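The IPv4 Cust_List above mixes bare hostnames with PTR-style names, which an IPv4 list cannot match as addresses. The following Python script is an added example, not code from the thread or from pfBlockerNG; it assumes that bc.googleusercontent.com reverse names embed the IPv4 address with its octets reversed, recovers the real addresses from those entries, converts the quoted ARIN net range to CIDR, and reports which of the observed hosts that range actually covers.

```python
import ipaddress
import re

# Entries the poster put in the IPv4 Cust_List (copied from the thread)
CUST_LIST_ENTRIES = [
    "googleusercontent.com",
    "bc.googleusercontent.com",
    "209.100.149.34.bc.googleusercontent.com",
    "191.144.160.34.bc.googleusercontent.com",
    "93.243.107.34.bc.googleusercontent.com",
    "202.152.107.34.bc.googleusercontent.com",
]
# ARIN net range quoted in the thread (inclusive start and end)
ARIN_RANGE = ("34.64.0.0", "34.127.255.255")

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.bc\.googleusercontent\.com$")


def ptr_to_ip(name):
    """Assumption: a bc.googleusercontent.com PTR name carries the address with octets reversed.
    Returns the dotted IPv4 string, or None for plain hostnames / invalid octets."""
    m = PTR_RE.match(name.strip().lower())
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return None
    return ip


def range_to_cidrs(first, last):
    """Collapse an inclusive start-end range into CIDR blocks an IPv4 custom list can use."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def classify_entries(entries, first, last):
    """Map each list entry to a verdict: hostnames belong in DNSBL/TLD lists, PTR-style names are
    converted to the real address and checked against the CIDR form of the range."""
    cidrs = [ipaddress.ip_network(c) for c in range_to_cidrs(first, last)]
    verdicts = {}
    for entry in entries:
        ip = ptr_to_ip(entry)
        if ip is None:
            verdicts[entry] = "hostname: use DNSBL/TLD list, not the IPv4 list"
        elif any(ipaddress.IPv4Address(ip) in c for c in cidrs):
            verdicts[entry] = f"{ip}: inside {first}-{last}"
        else:
            verdicts[entry] = f"{ip}: OUTSIDE {first}-{last}, needs another range"
    return verdicts


if __name__ == "__main__":
    print("CIDR entries for the IPv4 Cust_List:", range_to_cidrs(*ARIN_RANGE))
    for entry, verdict in classify_entries(CUST_LIST_ENTRIES, *ARIN_RANGE).items():
        print(f"{entry:45} -> {verdict}")
```

Two of the four PTR-style hosts resolve to addresses above 34.127.255.255, so the single range quoted from ARIN would not cover them even once it is entered as 34.64.0.0/10.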
              • U
                Uglybrian
                last edited by Uglybrian

                Hi, your OpenDNS servers are using DoH. That's why it's not working; consider using resolver mode. Also, what is 10.10.30.1?

                • N
                  nasheayahu @Uglybrian
                  last edited by

                  @Uglybrian said in LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com):

                  what is 10.10.30.1?

                  That is, or what I wanted to do is, use pfSense as my central DNS lookup server. So, what is the best way to properly set this?

                  • U
                    Uglybrian
                    last edited by

                    Below are my resolver settings. It's stock settings with only 2 changes. In System General Setup, I changed DNS resolution behavior to ignore remote DNS servers for fallback.
                    Screenshot from 2025-02-10 08-50-43.png

                    In the resolver I use python mode for pfBlocker. All other settings are stock.
                    Screenshot from 2025-06-11 11-38-12.png
                    I am still using ISC as my backend. If you decide to make these changes, afterwards reset your state table.

                    • N
                      nasheayahu @Uglybrian
                      last edited by nasheayahu

                      @Uglybrian said in LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com):

                      I am still using ISC as my backend

                      What is ISC?

                      UPDATE: I did a reset and just made adjustments to your settings. I also found my answer for ISC, switching to the Kea DHCP, and am hoping this will give me the same results as your setup:

                      Screenshot_20250611_212948.png

                      Anything else you can suggest to make sure I get the same results as you making sure pfBlocker handles all (browsers, apps, etc.) port 53 requests?

                      • U
                        Uglybrian
                        last edited by

                        A couple more things you can do: add one of the DoH lists to pfBlocker. You can find one in the feeds; DoH has feeds listed in each category of pfBlocker, IPv4/6 and DNSBL. I would start with just one of the DNSBL feeds.
                        I would also add a firewall rule on each of your interfaces blocking external DNS resolution. You can find how to do that here: https://docs.netgate.com/pfsense/en/latest/recipes/index.html
                        Go down to the DNS heading and utilize "blocking external client DNS queries" or "redirecting client DNS queries".
                        I myself just used a blocking method.
                        Be aware that Kea is not fully implemented in pfSense yet; you may get different results than I get. But from what I've read on the forums it's working very well for a lot of users, though there are some caveats.

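Once the external-DNS block rule and a DoH feed are in place, the useful check is whether any client still sidesteps the pfSense resolver. The Python audit below is an added example, not code from the thread or from pfSense/pfBlockerNG; it runs over constructed flow records (source, destination, protocol, destination port) such as ntopng could export, takes 10.10.30.1 as the local resolver named in the thread, assumes 10.10.30.0/24 as the client network, and uses a hand-picked set of well-known public resolvers that offer DoH, where a pfBlockerNG DoH feed would supply a fuller list.

```python
import ipaddress
from collections import defaultdict

LOCAL_RESOLVER = "10.10.30.1"                       # pfSense resolver named in the thread
LAN_NET = ipaddress.ip_network("10.10.30.0/24")     # assumption: the client network behind it
# Well-known public resolvers that answer DoH on tcp/443 (a DoH feed would replace this set)
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port)
FLOWS = [
    ("10.10.30.15", "10.10.30.1", "udp", 53),        # fine: query goes to the local resolver
    ("10.10.30.15", "8.8.8.8", "udp", 53),           # bypass: plain DNS straight to the internet
    ("10.10.30.22", "1.1.1.1", "tcp", 443),          # probable DoH: HTTPS to a known DoH resolver
    ("10.10.30.22", "34.107.243.93", "tcp", 443),    # ordinary HTTPS, not a resolver
    ("10.10.30.40", "9.9.9.9", "tcp", 853),          # DoT: encrypted DNS on its own port
    ("192.168.1.5", "8.8.8.8", "udp", 53),           # not on the audited LAN, ignored
]


def audit_flows(flows, resolver=LOCAL_RESOLVER, lan=LAN_NET, doh=KNOWN_DOH_RESOLVERS):
    """Return {client: [(reason, destination), ...]} for LAN clients whose DNS traffic
    does not go through the local resolver: plain udp/tcp 53 elsewhere, DoT on 853,
    or HTTPS to a resolver known to serve DoH."""
    findings = defaultdict(list)
    for src, dst, proto, dport in flows:
        if ipaddress.ip_address(src) not in lan:
            continue
        if dport == 53 and dst != resolver:
            findings[src].append(("plain DNS bypass", dst))
        elif dport == 853:
            findings[src].append(("DNS-over-TLS", dst))
        elif dport == 443 and proto == "tcp" and dst in doh:
            findings[src].append(("probable DNS-over-HTTPS", dst))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in audit_flows(FLOWS).items():
        for reason, dst in hits:
            print(f"{client}: {reason} to {dst}")
```

Clients reported here are the ones the block rule should stop seeing on 53; the 443 and 853 matches are the cases a plain port-53 rule cannot catch and that the DoH feed or a browser setting has to handle.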
                        • N
                          nasheayahu @Uglybrian
                          last edited by nasheayahu

                          @Uglybrian said in LibreWolf: Block Applications from Connecting to a IP (*.googleusercontent.com):

                          I myself just used a blocking method.

                          Yes, I've done this before myself on another system but keep putting it off for my current one; I used the pfSense pfBlockerNG configuration guide. So I decided today to get this back working. It's much easier using granular control than generic. My system diagram is like:

                          Bond0 Diagram.jpg

                          I will be using the above guide for the Lab-pfSense. I was trying to get blocking working just using pfBlocker alone, but was unsuccessful. This guide and the pfSense baseline guide with VPN, Guest and VLAN support for the bare-bones pfSense.

                          What do you think, any inputs and additions?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.