Pfblockerng and domain lists
-
How can you create an IPv4 list with Pfblockerng that has just domains in it? I've tried to choose the whois format and point it to a text file list with one domain per line but it gives me a "list error" when I try and update it.
I know that you can add domains (one per line) to the customer IPv4 section and it works great, but I want to be able to have a dynamic blacklist that updates regularly like you can with IP lists.
Anyone have any idea?
-
Hi Louiss,
How did you format the file? it should just be the domain without any http etc… Also make sure that the pfSense box has access to the path of this file... You can also save it to /var/db/pfblockerng/ <your file="" name="">...
Another option, is just to use the "Custom List" section at the bottom of the IPv4 Alias.</your>
-
The file was just plain text with domain (ex: cnn.com) with one domain name on each line. When i went to update or run the cron, it would show "list error" in the output. I did use the custom list and it works, but it takes a very long time to update when a large number of domains are listed so it is impractical to use in that way.
I was trying to do avoid having to have the Pfsense DNS server/forwarded in the mix which is why DNSBL wasn't an option at first, but i'm thinking that is probably the way to go with what I am looking to do. Basically, these domains are coming from malware/C&C feeds so I want to be able to update them dynamically.
-
While on the topic, is there anyway to log DNSBL entries and send them off via syslog to a remote server?
-
Send a screenshot of the IPv4 Alias .. It shouldn't have any issues reading that file then…
Also goto the pfBlockerNG Logs Tab / Original IP Files / and select your file… Is it empty? or does it show the domains one per line? If its not there, check the path to that file, as pfSense might not be able to see the file path...
The DNSBL logs are written to ** /var/log/pfblockerng/dnsbl.log**
I don't write to the firewall.log or other pfSense logs, as it will flood those logs like crazy depending on what domains/ADvert servers you add …
-
Attached is a screenshot of the list. I used location of /root, but when I put IPs in this file it works fine. I only errors out when domains are used.
Here is the error from output:
===[ IPv4 Process ]=================================================
[ dnslist ] Downloading update .. completed ..
[ pfB_TestIPBlock dnslist ] List Error ]Here is what the original log shows:
Domain: /root/blocklist.txt
3(NXDOMAIN)
If I put IPs in the list and change format to Auto, it works fine. Seems to be just domains that cause the issue.
-
It seems that I am missing some code to translate a file of domain names to their respective IPs :) Not a typical use case… Will try to get that added into the next release... But you should be able to add those domains to the Custom List and check the "Enable Domain/AS" checkbox....
But ultimately, best to use DNSBL for Domains...
Thanks for reporting...
-
Glad to help. Being used to working with commercial vendors, it isn't often I get to speak to the developers directly. I appreciate the work you put into this tool. It is vastly helpful.
As far as logging, I just created a rule to block traffic to the DNSBL port 8081 and 8443 so it seems to be logging just fine.
-
Seems that the Alerts section for DNSBL isn't functioning properly. I don't see anything under Alerts and DNSBL, but DNSBL is definitely functioning as expected as far as blocking domains.
Here is what the log file shows:
[prompt]/var/log/pfblockerng: ls
dnsbl_error.log pfblockerng.log[prompt]/var/log/pfblockerng: cat dnsbl_error.log
2016-06-16 09:09:05: (log.c.194) server started
2016-06-16 09:15:24: (server.c.1572) server stopped by UID = 0 PID = 54362
2016-06-16 09:17:01: (log.c.194) server started -
As far as logging, I just created a rule to block traffic to the DNSBL port 8081 and 8443 so it seems to be logging just fine.
The rule(s) that you created here is what broke DNSBL Logging to the Alerts Tab… Instead of using "Deny/reject"... Move the rule to the "Floating Tab" and use "Match" rule instead... Not sure tho what these rules will log. Might just be the LAN device that is being redirected to the DNSBL VIP... Won't show the Domain being blocked, or the List that caused the block....
I have on the todo list, adding syslog for DNSBL...
-
Ok tried that, but still not seeing anything under alerts for DNSBL. The floating rules provided the same information that my deny rules did, basically just the source IP and 127.0.0.1 as destination and port 8081/8444. I even removed the package and re-configured in Pfsense. I don't even see the dnsbl.log, only dnsbl.error.log.
-
Checklist:
- DNSBL Service is running?
- Ensure the LAN devices have pfSense Resolver as its only DNS Server
- Can the LAN devices ping the DNSBL VIP?
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
-
- DNSBL Service is running?
Verified it is running.
- Ensure the LAN devices have pfSense Resolver as its only DNS Server
Yes, this is the case.
- Can the LAN devices ping the DNSBL VIP?
I cannot ping the IP. That IP doesn't "live" anywhere else on the network or Pfsense so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the Pfsense is the logical bridge interface.
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
No, I just get a timed out page.
-
So just to test, I changed the DNSBL VIP to match the IP address on the Bridge interface which is also the DNS server. This works, I see a 1x1 and I see Alerts now for DNSBL.
What do most people use for this VIP? The client needs to be able to route to it obviously. I'm wondering if the bridged interfaces (LAN/WAN) have anything to do why a bogus VIP doesn't respond in this case?
-
- Can the LAN devices ping the DNSBL VIP?
I cannot ping the IP. That IP doesn't "live" anywhere else on the network or Pfsense so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the Pfsense is the logical bridge interface.
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
No, I just get a timed out page.
ok need to fix those issues… If you have a multi-segmented LAN, there is an option to auto-create a Floating Permit Rule to allow other LAN subnets to hit the DNSBL VIP... See the checkbox in the DNSBL Tab...
-
With the policy I have no, all of the LAN is allowed anywhere so this should have already been in place by policy.
-
With the policy I have no, all of the LAN is allowed anywhere so this should have already been in place by policy.
First step is to figure out what is blocking the LAN devices from hitting (ping and browse) the DNSBL VIP… Could be a Firewall Rule/NAT/Limiter etc....
-
Here is what I found. I restored my Layer 3 configuration for Pfsense where the LAN interface is routing and things work as expected even when bogus DNSBL VIP isn't routable to rest of network. I use 172.16.100.0/24 for LAN and 198.18.100.100 for VIP. It seems like this is because I was in bridge mode. Worst case, I just don't have the DNSBL logs with domains in bridge mode and just raw logs to 8081/8443.
-
Bridges are generally an issue… If you run an "ifconfig" does the bridged interface show an IP? Keep note that the DNSBL VIP is an "alias IP", so the chosen DNSBL Interface should be a real interface. Not an expert in bridges either... :)
-
172.16.100.200 is the IP I assigned and is being used as DNS server. 198.18.100.100 is the VIP.
bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether 02:7e:6a:cb:6f:00
inet 172.16.100.200 netmask 0xffffff00 broadcast 172.16.100.255
inet 198.18.100.100 netmask 0xffffffff broadcast 198.18.100.100</up,broadcast,running,simplex,multicast>
