Bypassing DNSBL for specific IPs

Ns8h · Apr 6, 2018, 9:41 PM

Not sure if this has been posted before but just figured out views are possible in Unbound 1.6 and can be used for bypassing DNSBL zones for specific IPs/ranges.

To do this you need to add some stuff to the custom unbound options:


server:
    access-control-view: 192.168.0.2/32 bypass
    access-control-view: 192.168.0.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf

Host 192.168.0.2 is able to bypass all pfBlockerNG inserted DNSBL zones but is able to resolve other local zones e.g. DHCP added zones. Everything else on the 192.168.0.0/24 subnet gets blocked as normal through DNSBL.

Would be neat for pfBlockerNG to be able to create multiple conf files so that different views could utilize different sets of block lists.

P.s. not sure if the multiple Zones are actually necessary - Unbound experts let me know if this can be improved ;) Also, documentation for "view-first" seems quite confusing. How I understand it is that if left in the default state "no" none of the "global" local zones are respected and only zones configured in the view are used.

mifronte · Apr 7, 2018, 3:43 PM

Thanks. If this works, I can turn DNSBL back on and exclude the one host. Kudos to you.

Update:
I seem to can't get it to work. When I added the custom commands to DNS Resolver (modified for my networks) DNSBL does not block ads.

I will have to read up on the unbound custom views.

sparkman123 · May 8, 2018, 7:45 AM

The OP's suggested config works for me. I melded it with Cloudflare's recent DNS-over-TLS commands as well to have a more robust configuration.

In case anyone's interested, here are my commands:


server:
    access-control-view: <excluded dnsbl="" subnet="">bypass
    access-control-view: <included dnsbl="" subnet="">dnsbl
    ssl-upstream: yes
    do-tcp: yes
    minimal-responses: yes
    prefetch: yes
    qname-minimisation: yes 
    rrset-roundrobin: yes
forward-zone:
    name: "."
    # Below 4 addresses are Cloudflare DNS
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf</included></excluded>

mifronte · May 12, 2018, 7:42 PM

This method is just not working for me :( I am trying to block all except host 10.168.2.157, but as soon as I add the configuration to the DNS Resolver custom options, DNSBL stops working although it is still running without errors. I get no more DNSBL alerts and ads shows up on all my hosts.

Here is my DNS Resolver (unbound) custom options:


server:
    access-control-view: 10.168.2.157/32 bypass
    access-control-view: 10.168.0.0/16 dnsbl
    do-tcp: yes
    minimal-responses: yes
    prefetch: yes
    qname-minimisation: yes 
    rrset-roundrobin: yes
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf

horse2370 · Jul 15, 2018, 11:26 PM

Revisiting this thread as I needed to exclude my Roku devices on my network as they need to reach ad sites for the news feeds to work. (sucks) Getting it to work has raised some questions that maybe others can chime in on and maybe my configuration / findings may help others.

I am using Cloudflares DNS over TLS hence the forward-zone configuration. In addition I run a Plex server at home and need to define the private-domain to allow internal resolution to a private IP address.

I have three Roku devices that use the "bypass" view
Everything else on my three network segments uses DNSBL to block ads.
I have native IPv6 and hence need to add access control as some hosts use IPv6 for DNS transport.
There are a number of host overrides configured to resolve private IP addresses and hidden hosts from the internal Intranet and not use the public IP addresses resolved by my external NS.
Example of my custom options: -

server:
private-domain: "plex.direct"
access-control-view: 192.168.1.51/32 bypass
access-control-view: 192.168.1.61/32 bypass
access-control-view: 192.168.1.83/32 bypass
access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl
access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl
access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl
access-control-view: 192.168.1.0/24 dnsbl
access-control-view: 192.168.2.0/24 dnsbl
access-control-view: 192.168.3.0/24 dnsbl
rrset-roundrobin: yes
forward-zone:
name: "."
forward-ssl-upstream: yes
# Cloudflare DNS
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 2606:4700:4700::1111@853
forward-addr: 2606:4700:4700::1001@853
view:
name: "bypass"
view-first: yes
#include: /var/unbound/host_entries.conf
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/host_entries.conf
include: /var/unbound/pfb_dnsbl.*conf

What I have found is if I use a 192.168.0.0/22 mask (CIDR) for the IPv4 subnets it does not work, I instead had to define each subnet with /24. Maybe a /16 would have worked?

Same problem with IPv6. (note, the examples mask my real IPv6 prefix), I had to define multiple /64's as a single /62 did not work.

The dnsbl view needed to have include: /var/unbound/host_entries.conf otherwise the host overrides did not resolve. For some reason however that was not required for the bypass view, which seems to operate quite happily without the include: hence it is commented out. Not what I expected.

I also, had a number of issues, that I did not continue confirming exactly the behavior, when trying to format for readability the custom options by indenting some lines using spaces. This caused it to fail. so no leading spaces on any line. :-)

unbound "view" is not very well documented, but does provide some potential for client specific workarounds that I've needed every now and then. Debug seems limited in the log files regarding matching of access-control-view and which view is being used. Maybe I had too much verbosity enabled and message were deep and I missed them?

With multiple hosts for testing and having dig/nslookup forced to use IPv4 or IPv6 I was able to finally reproduce what I believe is a working config. Albeit with some configuration options that I don't fully understand why they work how they do. Will see how it goes . . . .

If anyone can comment on the subnet masks and the include:

ryno5514 · Dec 30, 2018, 7:24 AM

One topic I keep not seeing is what if you want to block X for all. But by pass Y for a few and still block X.

periko · Feb 19, 2019, 7:51 PM

Hi.

Following this topic, we need to first create the ACL or u put the settings directly on the custom field?

Regards.

kevinmitky · Feb 19, 2019, 9:27 PM

@periko Put the settings directly into a custom field, this is the only place the ACLs are defined.

Reference: https://jpmens.net/2016/12/20/unbound-supports-views-for-local-data/

My implementation using the information in this post: https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/

periko · Feb 23, 2019, 12:56 AM

I had tested and works, in my layout, I got 2 networks:

-LAN
-VLAN

I setup my vlan not to use the dnsbl and works.

Thanks guys!!!

yeleek · Mar 6, 2019, 2:22 PM

Hi,

I too have managed to get this working thanks to the above.

One question though, if I use DNSBL Category (shallalist) instead of DNSBL Feeds I've noticed that the bypass no longer works.

I'm guessing this is because the name 'dnsbl' isn't correct when using a category. Any ideas please on the correct syntax? or other cause?

server:
    access-control-view: 192.168.2.3/32 bypass
    access-control-view: 192.168.2.0/24 dnsbl
    access-control-view: 192.168.1.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
server:include: /var/unbound/pfb_dnsbl.*conf

Thanks

kevinmitky · Mar 6, 2019, 2:22 PM

@yeleek Try removing the second 'server' from your options here. Your custom options should look like:

server:
    access-control-view: 192.168.2.3/32 bypass
    access-control-view: 192.168.2.0/24 dnsbl
    access-control-view: 192.168.1.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf

I've also noticed more problems with this when trying to set view 'bypass' for specific addresses inside of a subnet that is also a member of your 'dnsbl' view. I can't confirm whether this is actually an issue or just misconfiguration on my part, but I'd try the above and see if it works for you, even temporarily.

yeleek · Mar 6, 2019, 4:26 PM

@kevinmitky That appears to be working for now. Thank you :)

horse2370 · Mar 6, 2019, 7:30 PM

@yeleek Please note, if you do an update, disable and re-enable DNSBL that line will be modified again back to the standard entry. You will need to check each time and remove any leading "server:" to ensure your expected behavior works as expected.

Just an FYI as it caught me out and is now part of my standard checks following any modifications to the configuration of my pfSense

@ kevinmitky I am doing exactly what you described. I have my dnsbl view as the subnets and am specifying specific hosts on those subnets to bypass. These are Roku's devices that had news feeds that used block sites and I made a choice to allow it access for the convenience. Ensuring the host specific acl was before the subnet based ones was something I just do based on my background, but if you don't have it in that order, maybe that's an area to check. That and having to clear any host DNS caches made this a little more time consuming to test if I screwed up the config on pfSense :-)

TupleButter · Nov 19, 2019, 7:47 PM

Current syntax under Services > DNS Resolver > Custom Options with Pfblockerng enabled is:

private-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.conf**

I have a multiple devices I want to bypass dnsbl (192.168.1.50, 192.168.1.51, 192.168.1.52) but everything else on 192.168.1.0/24 I want running through dnsbl so as I understand it I should just copy and paste the following into the custom options field of the DNS resolver for this:

*server:
private-domain: "plex.direct"
access-control-view: 192.168.1.50/32 bypass
access-control-view: 192.168.1.51/32 bypass
access-control-view: 192.168.1.52/32 bypass
access-control-view: 192.168.1.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf

horse2370 · Nov 17, 2019, 2:27 AM

@TupleButter Basically yes. although in your samples you have some "*" in places I don't expect. i.e. *server:

In my active config the last line is: -
[Edited] My original was incorrect as it was changed following an update. You will need to keep checking this line if there are any changes, as it gets auto added with server: prefixing it.

include: /var/unbound/pfb_dnsbl.*conf

TBH its been a while since I set this up, so not sure if you need to repeat the server: tag again.

As a note, if you ever enable blocking of banned or emerging hosts you will need to include that config file in each view

My custom options currently are: -

server:
so-reuseport: no
private-domain: "plex.direct"
# bypass view for Roku IP addresses
access-control-view: 192.168.1.51/32 bypass
access-control-view: 192.168.1.61/32 bypass
access-control-view: 192.168.1.83/32 bypass
access-control-view: 2601:xxxx:xxxx:xxxx::/64 dnsbl
access-control-view: 2601:xxxx:xxxx:xxxx::/64 dnsbl
access-control-view: 2601:xxxx:xxxx:xxxx::/64 dnsbl
access-control-view: 192.168.1.0/24 dnsbl
access-control-view: 192.168.2.0/24 dnsbl
access-control-view: 192.168.3.0/24 dnsbl
view:
name: "bypass"
view-first: yes
include: /var/unbound/host_entries.conf
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/host_entries.conf
# local-zone: "youtube.com" inform_deny
# local-zone: "facebook.com" inform_deny
include: /var/unbound/pfb_dnsbl.*conf

This ensures plex works, unbound is multithreaded, includes my IPv6 subnets (obscured in example) provide bypass for selected hosts (in this case only Roku and they are IPv4 only), denies access to banned or emerging hosts.
The two commented out local-zone's are my sledge hammer approach to blocking social media for some of the younger members in the house when they get grounded! They are not currently grounded :-)

ryk48 · Dec 18, 2019, 8:00 PM

I have followed the above and put this in my unbound custom options and it doesnt block the ads
server:
private-domain: "plex.direct"
access-control-view: 10.10.0.0/24 bypass
access-control-view: 10.0.0.0/24 dnsbl
access-control-view: 10.0.8.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf

if i get rid of everything and put it back to what it was before which was the below then i get adblocking but of course it happens on every network. I just want adblocking on my guest network and openvpn network for now
server:
private-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf

May someone help please?

mcury · Dec 19, 2019, 4:52 PM

@ryk48 said in Bypassing DNSBL for specific IPs:

rivate-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.*co

Remove the server: from this line.
server:include: /var/unbound/pfb_dnsbl.*conf

It should be like this: include: /var/unbound/pfb_dnsbl.*conf

Note that every time you perform a change in pfblocker, you will have to remove the "server:" from unbound custom options.

ryk48 · Apr 3, 2020, 4:13 AM

@mcury
Right.. Its what i did above and what my current config is. What i mentioned is what i had before i made the changes which was the config below without all access control stuff.

I think my problem might be because im running an active directory domain and all my computers are set to use a windows dns server which forwards to pfsense to do dns over tls so im thinking no matter what network i put in the access control view it will be blocked if i do dnsbl on that network since pretty much everything has its dns set to my windows dns server, except the guest lan.
For example:
My windows dns server is on 10.10.0.0/24 network
my windows pcs are on 10.0.0.0/24
opendns computers are on 10.0.8.0/24
guest is on 192.168.10.0/24

my windows pcs have their dns server set to the dns server on the 10.10 network so i think if i dnsbl on the 10.0.0.0/24 network its not working because windows computers dns are pointed to the dns server on the 10.10.0.0/24 network which wouldnt be dnsbl. Also i think id have the same problem on my opendns network as well since its dns servers also point to my windows dns server so i can rdp into network pcs. If i am wrong in how this works please chime in. Sounds like i might need dns servers for each network?

Ideally i just want to do dnsbl on my guest and opendns networks because i want guests to have adblock. I also want to connect to my openvpn server from my phone and browse the net on my phone with no ads and in addition have the ability to rdp into my pcs and servers but how can i achieve that when the opendns network dns points to the windows server network?

kezzla · Apr 3, 2020, 4:13 AM

@ryk48 I have been looking for a pfsense solution to this for awhile. It seems the Unbound views might accomplish what I need as well, but what a pain in the ass to setup and manage. I have been investigating the Sensei plugin for Opnsense. It looks sooooo amazing and does exactly what you are asking about with ease. Policy based filtering! I just really like pfsense and didn’t want to have to reinstall my home router for one feature, but I am not seeing another option. Was hoping Sensei would be migrated to pfsense :P!

We’re you able to get this setup using unbound in pfsense?

ryk48 · Apr 3, 2020, 3:22 PM

@kezzla I was not. I figured since im having all of my devices on my network point to my AD DNS Server this wouldnt work. Guest lan would probably work but since i want to rdp from my phone and also block ads on my phone while connected to vpn to home this wouldnt work without affecting all pcs that use my ad dns servers.