    OpenDNS and pfBlockerNG DNSBL

    10 Posts 3 Posters 4.7k Views
    swmspam

      I am using OpenDNS and I have OpenDNS configured with my account information in the Dynamic DNS service.

      Does pfBlockerNG DNSBL function when using OpenDNS?

      I understand the resolver passes incoming LAN DNS queries to OpenDNS servers (i.e. forwarding mode), but does the configuration allow for pfBlockerNG to intercept the DNS queries before being forwarded to OpenDNS servers?

      System/General Setup
      DNS Server Settings
      Entered the OpenDNS server IP addresses
      Unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN"
      Unchecked "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall"

      Services/DNS Resolver/General Settings
      Checked "Enable DNS resolver"
      System Domain Local Zone Type "Transparent"
      Unchecked "Enable DNSSEC Support"
      Checked "Enable Forwarding Mode"

      pfBasic

        @BBcan177:

        If you plan on using the DNSBL feature, you will need to use the DNS Resolver for your DNS queries; the DNS Forwarder is not an option for DNSBL. It's probably best to ensure that the DNS Resolver is working before using DNSBL.

        The DNS Resolver is developed by NLnet Labs and is named 'Unbound'. It is a validating, recursive and caching DNS resolver.  https://www.unbound.net/index.html

        Some recommendations:

        • The DNS Resolver can also be used in 'Forwarding mode'; however, it's best to not use this 'Forwarding mode' and keep it in 'resolver mode', as this will query the Root DNS servers for the DNS queries instead of relying on an ISP's DNS etc…

        • If you use the 'DNS Resolver Forwarder mode', only configure 'DNSSEC' if the configured DNS servers support DNSSEC. The enabling of 'DNSSEC' to harden your DNS security is highly recommended.

        • Disable the two "DHCP registrations" checkboxes, unless you really require those options.

        Here is a good primer about the DNS Resolver (Unbound) https://calomel.org/unbound_dns.html

        swmspam

          Thanks, pfBasic. However, I'm still looking for confirmation of how pfBlockerNG DNSBL interacts with the DNS Resolver Forwarding Mode. The quote clearly identifies that pfBlockerNG DNSBL does not work with DNS Forwarder. But what about DNS Resolver Forwarding Mode? I'm assuming DNS queries take different paths using DNS Forwarder or DNS Resolver Forwarding Mode. Can pfBlockerNG DNSBL be configured to intercept using the latter?

          I'm using OpenDNS with DNS Resolver Forwarding Mode. OpenDNS doesn't work in Resolver mode.

          In the meantime, I clearly see pfBlockerNG working with IPv4 lists.

          pfBasic

            Yeah, re-read it; it talks about the resolver in forwarding mode.

            swmspam

              The DNS Resolver can also be used in 'Forwarding mode'; however, it's best to not use this 'Forwarding mode' and keep it in 'resolver mode', as this will query the Root DNS servers for the DNS queries instead of relying on an ISP's DNS etc…

              This quote does not appear to explicitly confirm or deny that pfBlockerNG DNSBL can intercept DNS queries when routed through the DNS Resolver in Forwarding Mode. Perhaps I don't understand the pathway of the queries exiting the Resolver while in Forwarder mode to make this judgement. The attached Unbound tutorial link doesn't address the pathways for Forwarding Mode.

              It is confirmed that queries cannot be intercepted by DNSBL when passed through the DNS Forwarder.

              It is confirmed that queries can be intercepted by DNSBL when passed through the DNS Resolver in Resolver Mode.

              Can queries be intercepted by DNSBL when passed through the DNS Resolver in Forwarder Mode?

              pfBasic

                I've never tried it personally. I think ultimately DNSBL has to be able to send DNS queries that match one of your lists to the DNSBL VIP, which from what I understand essentially black holes the DNS request locally.

                My interpretation of that statement was that if you were using Unbound with Forwarding enabled then it could work but was not recommended. If you are not using Unbound at all then it can't work. But my interpretation may very well be wrong.

                I also posted that quote because it's from the maintainer of pfBlockerNG & DNSBL, so it's a good thread to read and also probably the best place for you to ask this question. BBCan177 is probably one of the most patient and knowledgeable users on this forum, if you ask there he will almost certainly answer you quickly and correctly.

                swmspam

                  Thanks for sharing your knowledge, pfBasic. I'll elevate my question to the appropriate thread. In the meantime, I will disable pfBlocker IPv4 and see if any "hits" appear on the DNSBL log. Over the past few days, I see thousands of IPv4 list hits (using the Firehol IPv4 list) and zero DNSBL hits. Perhaps the Firehol list is so good, DNSBL has nothing to do? I might also put a false-flag entry into the DNSBL list and purposefully attempt to trigger it.

                  BBcan177 (Moderator)

                    @BBcan177:

                    Some recommendations:

                    • The DNS Resolver can also be used in 'Forwarding mode'; however, it's best to not use this 'Forwarding mode' and keep it in 'resolver mode', as this will query the Root DNS servers for the DNS queries instead of relying on an ISP's DNS etc…

                    As per above… DNSBL requires the DNS Resolver (Unbound) to be used... You can use either the DNS Resolver Forwarding mode or the DNS Resolver mode.

                    First ensure that all your LAN devices are pointing their DNS settings to pfSense only. Then DNSBL will filter those requests.

                    After that the Resolver in Forwarding mode will look to the DNS Server settings that are configured in the pfSense General Settings tab. So if you wanted to use OpenDNS, you could add those DNS servers there. Then enable the Forwarding mode option in the DNS Resolver. Also note that the DNSSEC option cannot be used with OpenDNS as they use their own alternative…

                    If you have the DNS Resolver in non-forwarder mode, then the Resolver will use the 13 Root DNS servers for DNS resolution.

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/
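                    The following Unbound configuration is an added illustration, not pfBlockerNG's generated unbound.conf and not configuration posted in this thread. It shows why the "false-flag" test proposed above and the filtering described in the reply work even in Forwarding mode: Unbound answers from its local-zone/local-data table before it consults any forward-zone, so a sinkholed name is returned locally and never reaches OpenDNS. The OpenDNS addresses are the public OpenDNS resolvers; the LAN subnet, the sinkhole address and the test name are assumed placeholders.

```conf
# Added illustration, not pfBlockerNG's own generated configuration.
# Assumed values: LAN 192.168.1.0/24, sinkhole address 10.10.10.1,
# and a constructed "false-flag" test name dnsbl-test.example.
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Local answers are evaluated before the forwarding decision:
    # Unbound checks local-zone/local-data first, then its cache,
    # and only then sends anything upstream. A DNSBL list is just
    # many more pairs of lines like these two.
    local-zone: "dnsbl-test.example." redirect
    local-data: "dnsbl-test.example. 60 IN A 10.10.10.1"

    # No auto-trust-anchor-file here: as the reply above notes,
    # DNSSEC validation is not usable with OpenDNS as upstream.

# Forwarding mode: every query not answered locally goes to OpenDNS
# instead of being resolved iteratively from the root servers.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
```

                    From a LAN host, `dig @192.168.1.1 dnsbl-test.example` should return 10.10.10.1 while an ordinary name is answered via OpenDNS; if the test name comes back NXDOMAIN instead, that host's queries are reaching an upstream resolver rather than the firewall, which is exactly the case the "point all LAN devices at pfSense only" advice is about.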

                      pfBasic

                      @BBcan177:

                      First ensure that all your LAN devices are pointing their DNS settings to pfSense only. Then DNSBL will filter those requests.

                      https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

                        swmspam

                        I am logging DNSBL query intercepts.

                        pfBlockerNG works in both IPv4 and DNSBL modes with the DNS Resolver in Forwarding Mode.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.