Netgate Discussion Forum
pfBlockerNG and domain lists

pfBlockerNG

louiss

How can you create an IPv4 list with pfBlockerNG that has just domains in it? I've tried to choose the whois format and point it to a text file list with one domain per line, but it gives me a "list error" when I try to update it.

I know that you can add domains (one per line) to the Custom IPv4 section and it works great, but I want to be able to have a dynamic blacklist that updates regularly like you can with IP lists.

Anyone have any idea?
BBcan177 (Moderator)

Hi Louiss,

How did you format the file? It should just be the domain without any http etc... Also make sure that the pfSense box has access to the path of this file... You can also save it to /var/db/pfblockerng/<your file name>...

Another option is just to use the "Custom List" section at the bottom of the IPv4 Alias.

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177  #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/
louiss

The file was just plain text with domains (ex: cnn.com), one domain name on each line. When I went to update or run the cron, it would show "list error" in the output. I did use the custom list and it works, but it takes a very long time to update when a large number of domains are listed, so it is impractical to use in that way.

I was trying to avoid having the pfSense DNS server/forwarder in the mix, which is why DNSBL wasn't an option at first, but I'm thinking that is probably the way to go with what I am looking to do. Basically, these domains are coming from malware/C&C feeds, so I want to be able to update them dynamically.
louiss

While on the topic, is there any way to log DNSBL entries and send them off via syslog to a remote server?
BBcan177 (Moderator)

Send a screenshot of the IPv4 Alias... It shouldn't have any issues reading that file then...

Also go to the pfBlockerNG Logs Tab / Original IP Files / and select your file... Is it empty, or does it show the domains one per line? If it's not there, check the path to that file, as pfSense might not be able to see the file path...

The DNSBL logs are written to /var/log/pfblockerng/dnsbl.log

I don't write to the firewall.log or other pfSense logs, as it will flood those logs like crazy depending on what domains/advert servers you add...
louiss

Attached is a screenshot of the list. I used a location of /root, but when I put IPs in this file it works fine. It only errors out when domains are used.

Here is the error from the output:

===[  IPv4 Process  ]=================================================

[ dnslist ] Downloading update  .. completed ..
[ pfB_TestIPBlock dnslist ] List Error ]

Here is what the original log shows:

Domain: /root/blocklist.txt

3(NXDOMAIN)

If I put IPs in the list and change the format to Auto, it works fine. It seems to be just domains that cause the issue.

ipv4alias.jpg
BBcan177 (Moderator)

It seems that I am missing some code to translate a file of domain names to their respective IPs :) Not a typical use case... Will try to get that added into the next release... But you should be able to add those domains to the Custom List and check the "Enable Domain/AS" checkbox....

But ultimately, it is best to use DNSBL for domains...

Thanks for reporting...
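The sorting step BBcan177 says is missing, splitting a mixed feed so that only IP entries go to an IPv4 alias and domain entries go to DNSBL, as an added example that is not part of this thread or of pfBlockerNG itself; the function names and the sample feed are my own constructions.

```python
import ipaddress
import re
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens; the
# last label must start with a letter so bare dotted numbers are not "domains".
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_TLD = r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _TLD + r"$")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def normalize(line: str) -> str:
    """Reduce one line to a bare entry: drop comment, URL scheme and URL path
    (a CIDR prefix length is kept), then lower-case and strip a trailing dot."""
    entry = line.split("#", 1)[0].strip()
    entry = _SCHEME_RE.sub("", entry)
    head, sep, tail = entry.partition("/")
    if sep and not tail.isdigit():      # "/path", not "/24"
        entry = head
    return entry.lower().rstrip(".")

def classify(line: str) -> str:
    """Return 'ipv4', 'ipv6', 'domain', 'invalid' or 'empty' for one line."""
    entry = normalize(line)
    if not entry:
        return "empty"
    for family, kind in ((ipaddress.IPv4Network, "ipv4"), (ipaddress.IPv6Network, "ipv6")):
        try:
            family(entry, strict=False)  # accepts a single address or a CIDR block
            return kind
        except ValueError:
            pass
    return "domain" if _HOSTNAME_RE.match(entry) else "invalid"

def split_feed(text: str) -> dict:
    """Bucket a feed: 'ipv4'/'ipv6' suit an IP alias, 'domain' belongs in DNSBL."""
    buckets = {"ipv4": [], "ipv6": [], "domain": [], "invalid": []}
    for line in text.splitlines():
        kind = classify(line)
        if kind != "empty":
            buckets[kind].append(normalize(line))
    return buckets

# Constructed sample feed (not a real threat feed) mixing the entry types.
SAMPLE_FEED = """\
# comment line
198.51.100.7
203.0.113.0/24
cnn.com
HTTPS://example.net/landing.html
bad host.example
"""
```

Feed the "ipv4" bucket to an IPv4 alias and the "domain" bucket to a DNSBL feed; anything in "invalid" is the kind of line that would otherwise surface as a bare "List Error".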
louiss

Glad to help. Being used to working with commercial vendors, it isn't often I get to speak to the developers directly. I appreciate the work you put into this tool. It is vastly helpful.

As far as logging, I just created a rule to block traffic to the DNSBL ports 8081 and 8443, so it seems to be logging just fine.
louiss

Seems that the Alerts section for DNSBL isn't functioning properly. I don't see anything under Alerts and DNSBL, but DNSBL is definitely functioning as expected as far as blocking domains.

Here is what the log file shows:

[prompt]/var/log/pfblockerng: ls
dnsbl_error.log pfblockerng.log

[prompt]/var/log/pfblockerng: cat dnsbl_error.log
2016-06-16 09:09:05: (log.c.194) server started
2016-06-16 09:15:24: (server.c.1572) server stopped by UID = 0 PID = 54362
2016-06-16 09:17:01: (log.c.194) server started
BBcan177 (Moderator)

@louiss:

As far as logging, I just created a rule to block traffic to the DNSBL ports 8081 and 8443, so it seems to be logging just fine.

The rule(s) that you created here is what broke DNSBL logging to the Alerts Tab... Instead of using "Deny/reject"... move the rule to the "Floating Tab" and use a "Match" rule instead... Not sure though what these rules will log. Might just be the LAN device that is being redirected to the DNSBL VIP... Won't show the domain being blocked, or the list that caused the block....

I have on the todo list adding syslog for DNSBL...
louiss

OK, tried that, but still not seeing anything under Alerts for DNSBL. The floating rules provided the same information that my deny rules did, basically just the source IP and 127.0.0.1 as destination and port 8081/8444. I even removed the package and re-configured it in pfSense. I don't even see the dnsbl.log, only dnsbl_error.log.
BBcan177 (Moderator)

Checklist:

1. DNSBL Service is running?
2. Ensure the LAN devices have pfSense Resolver as its only DNS Server
3. Can the LAN devices ping the DNSBL VIP?
4. Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
louiss

1. DNSBL Service is running?

Verified it is running.

2. Ensure the LAN devices have pfSense Resolver as its only DNS Server

Yes, this is the case.

3. Can the LAN devices ping the DNSBL VIP?

I cannot ping the IP. That IP doesn't "live" anywhere else on the network or pfSense, so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the pfSense is the logical bridge interface.

4. Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?

No, I just get a timed out page.
louiss

So just to test, I changed the DNSBL VIP to match the IP address on the Bridge interface, which is also the DNS server. This works: I see a 1x1 and I see Alerts now for DNSBL.

What do most people use for this VIP? The client needs to be able to route to it, obviously. I'm wondering if the bridged interfaces (LAN/WAN) have anything to do with why a bogus VIP doesn't respond in this case?
BBcan177 (Moderator)

@louiss:

3. Can the LAN devices ping the DNSBL VIP?

I cannot ping the IP. That IP doesn't "live" anywhere else on the network or pfSense, so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the pfSense is the logical bridge interface.

4. Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?

No, I just get a timed out page.

OK, need to fix those issues... If you have a multi-segmented LAN, there is an option to auto-create a Floating Permit Rule to allow other LAN subnets to hit the DNSBL VIP... See the checkbox in the DNSBL Tab...
louiss

With the policy I have now, all of the LAN is allowed anywhere, so this should have already been in place by policy.
BBcan177 (Moderator)

@louiss:

With the policy I have now, all of the LAN is allowed anywhere, so this should have already been in place by policy.

First step is to figure out what is blocking the LAN devices from hitting (ping and browse) the DNSBL VIP... Could be a Firewall Rule/NAT/Limiter etc....
louiss

Here is what I found. I restored my Layer 3 configuration for pfSense, where the LAN interface is routing, and things work as expected even when the bogus DNSBL VIP isn't routable to the rest of the network. I use 172.16.100.0/24 for LAN and 198.18.100.100 for the VIP. It seems like this is because I was in bridge mode. Worst case, I just don't have the DNSBL logs with domains in bridge mode and just raw logs to 8081/8443.
BBcan177 (Moderator)

Bridges are generally an issue... If you run an "ifconfig", does the bridged interface show an IP? Keep note that the DNSBL VIP is an "alias IP", so the chosen DNSBL Interface should be a real interface. Not an expert in bridges either... :)
louiss

172.16.100.200 is the IP I assigned and is being used as the DNS server. 198.18.100.100 is the VIP.

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:7e:6a:cb:6f:00
        inet 172.16.100.200 netmask 0xffffff00 broadcast 172.16.100.255
        inet 198.18.100.100 netmask 0xffffffff broadcast 198.18.100.100
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.