Netgate Discussion Forum
    EasyList Alias missing upon setup

    Category: pfBlockerNG
    8 Posts 2 Posters 2.3k Views
    • jeffboyce

      Greetings -

      So I believe that I set up pfBlockerNG properly using the guides provided here in the forum. However, the only thing that doesn't seem to be working is EasyList ad blocking, and I think it is because I am missing a firewall alias specific for it.

      I have checked the logs and my system shows that it has downloaded two EasyList header files; one that is an IP list of 20 IPs, and another that is a txt file containing 4,000 plus domain names.

      A firewall alias was created for the IP list (pfB_DNSBLIP), but I see no firewall alias or rule that would use the text file containing the 4,000 plus domains. On my dashboard widget I do see a listing under aliases for DNSBL_EasyList, however it does not show a pop-up displaying the underlying list like the other aliases do.

      I think all I need to do is create a formal alias for the EasyList, but wanted to check with the list to confirm this, and ask if there were any quirks I should be aware of when creating this. Or, am I entirely off base and do I need to do something else completely different?

      Thanks,
      Jeff

      • BBcan177 (Moderator)

        DNSBL and EasyList are "Domain" based… They do not create Firewall Rules or Aliases... This is why the Widget doesn't show a popup like the IP based Aliases...

        DNSBL has a DNSBL_IP option, that collects any IPs found in the DNSBL Domain based Feeds, and creates an IP Alias and associated firewall rule(s)...

        DNSBL utilizes the Unbound Resolver for its blocking...

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • jeffboyce

          Ok, that explains everything that I am seeing, and it appears to be correct.

          I have my dns (unbound) resolver turned on and it seems to be resolving my local and external addresses properly.

          I guess I need to figure out a simple way to determine if EasyList is working properly.  Probably check an obvious domain listed on EasyList and see what happens.

          Thanks,
          Jeff

          • BBcan177 (Moderator)

            Go to the Log Browser Tab, and you can view the DNSBL lists… then try nslookup on those domains... Should resolve to the DNSBL VIP....

            Anything that is blocked should show in the Alerts Tab... (Browser based activity only)...

            • jeffboyce

              Ok, so I believe that I have a DNS puzzle that I need to solve.  None of the domains on the block list resolve to the DNSBL virtual IP, although it shows that they should be directed there looking at the list in the log browser.  Also the only thing showing in my Alerts tab is the few country blocks that I have setup.

              I think my DNS puzzle is an artifact of my network configuration.  Since long before I set up my pfSense box as the network gateway / firewall, I have had my network DNS / DHCP service running on a CentOS 6 virtual machine using dnsmasq (192.168.112.51).  The pfSense box has the DNS (Unbound) Resolver turned on, and it works to resolve external addresses.

              In the pfSense System/General Settings I have four DNS servers listed in the following order: the dnsmasq box, two from my upstream service provider, then a Google public DNS server. Under System/General Settings when I check the box identified as Disable DNS Forwarder, I am able to resolve my internal LAN boxes (and external addresses). If I uncheck this same setting it adds 127.0.0.1 to the top of my DNS resolver list and I no longer can resolve my internal LAN addresses (but still resolve external addresses), presumably because resolving stops at localhost for local addresses and does not forward the request on to my dnsmasq box.

              I tried an nslookup on one of the sites with the Disable DNS Forwarder box unchecked and got the following response.

              Server: 127.0.0.1
              Address: 127.0.0.1#53

              Non-authoritative answer:
              Name: camsitecash.com
              Address: 185.13.90.140

              With the Disable DNS Forwarder box checked, I get the following response.

              Server: 192.168.112.51
              Address: 192.168.112.51#53

              Non-authoritative answer:
              Name: camsitecash.com
              Address: 185.13.90.140

              Neither option seems to resolve to the DNSBL virtual IP. So I am in a quandary regarding how to solve this. My goal would be to have my pfSense box resolve the local LAN addresses, while also being able to resolve the EasyList sites to the DNSBL virtual IP (i.e., blocking works). Anyone have any ideas for me to try? Thanks.

              Jeff

              • BBcan177 (Moderator)

                If you still have an internal DNS server on the CentOS box (shouldn't need it since that can be done in pfSense), then you need to set the LAN devices to point to the CentOS box, and then have the CentOS "External forwarder" set to the pfSense Resolver. This way the resolver will filter the DNS requests with DNSBL.

                It would make the most sense to have all the LAN devices point to pfSense only for their DNS.

                You can use the Resolver in "Resolver mode", meaning it will use the Root DNS servers for resolution, so it doesn't matter what is defined in the pfSense General Tab. However, when using the Resolver in "Resolver mode", it's best to have the General Settings defined as 127.0.0.1, so that any DNS request from the pfSense box itself is directed to the DNS resolver…

                You can also set the Resolver to be in "Forwarder mode", and this will utilize the DNS servers that are configured in the General Tab.

                I would recommend to use the Resolver in Resolver mode, and enable DNSSEC...

                From any LAN device, you should be able to ping the DNSBL VIP, and get a reply. You should also be able to browse to the DNSBL VIP and get a 1x1 pix.

                If you have a multi-segmented LAN, you might also need to enable the DNSBL Permit firewall rule option in the DNSBL tab, to allow the other LAN segments to access the DNSBL VIP on the LAN network.

                • jeffboyce

                  Ok, I have to put out another fire today, but I did a quick test and one of my LAN Windows boxes can ping the DNSBL VIP. And also browsing to it gets the 1x1 pix. So that is good. I don't really have the time to put into switching my DNS from the CentOS box to pfSense (but I can understand the reason for doing so). So I am going to have to make them work together. I will look into your other suggestions over the weekend. Thanks.

                  Jeff

                  • jeffboyce

                    Ok, I am getting close on this, but am still puzzled about what is happening. The Windows boxes on my LAN have their DNS reference pointing to the dnsmasq box (192.168.112.51), and the dnsmasq box only has the pfSense gateway/firewall box (192.168.112.11) listed in its /etc/resolv.conf file, and therefore is forwarding all DNS queries to the pfSense box. The pfSense box has the DNS Resolver enabled. In the System/General Setup there are two upstream DNS servers from my provider, and one public DNS server from Google. The Disable DNS Forwarder box on the General Setup page is not checked. Therefore 127.0.0.1 shows as the first DNS server on the dashboard page.

                    The EasyList sites are blocked when queried from the pfSense box.
                    nslookup ad.doubleclick.net
                    Server: 127.0.0.1
                    Address: 127.0.0.1#53
                    Name: ad.doubleclick.net
                    Address: 10.10.10.1

                    If I query the same site from a test Linux box on the local network I get the same results.
                    [root@disect ~]# nslookup ad.doubleclick.net
                    Server:        192.168.112.51
                    Address:        192.168.112.51#53
                    Name:  ad.doubleclick.net
                    Address: 10.10.10.1

                    If I query the same site from a Windows box on the local network I get a different result.  I even made sure to flush the Windows dns cache before doing the query.
                    C:\Users\jeffb> nslookup ad.doubleclick.net
                    Server:  taxa.mei.lan
                    Address:  192.168.112.51
                    Name:    dart.l.doubleclick.net
                    Address:  216.58.216.134
                    Aliases:  ad.doubleclick.net

                    So I started a Wireshark trace on the Windows box to see what was happening.  Below is the summary of the final two sets of packets from the query and response exchange.

                    1267 6.512617000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0004  A ad.doubleclick.net
                    1269 6.513636000 192.168.112.51 192.168.112.101 DNS 94 Standard query response 0x0004  A 10.10.10.1

                    1271 6.524775000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0005  AAAA ad.doubleclick.net
                    1273 6.525384000 192.168.112.51 192.168.112.101 DNS 78 Standard query response 0x0005

                    A traceroute to ad.doubleclick.net from the Windows box shows that it initially goes to the pfSense box, then goes out to an IP of my upstream provider, then on to obtain the correct DNS number.

                    From the Wireshark data it appears that DNS is returning the virtual IP of 10.10.10.1 for the DNS block list. Searching the Wireshark data I cannot see the address that the Windows box is showing at the command line response to the nslookup (216.58.216.134) anywhere. So I don't understand why the Windows box is getting the correct DNS address for this site, while a Linux box on the LAN, and the pfSense box, are both returning the virtual IP for the block list. What else should I be looking for, or looking at? Thanks.

                    Jeff

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.