DNSBL stops working when pfsense is a forwarder
-
So, here's my current configuration:
1: MS AD/DNS/DHCP server
2: pfSense gateway/firewall/unbound/pfblockerng
3: Cloudflare DNS/HTTPS server. All incoming/outgoing DNS is blocked on all gateways. Only HTTPS traffic is allowed to escape. Internal DNS (port 53) is allowed.
- I've had pfSense be the main DNS server but things like reverse DNS, AD Integrated DNS, dynamic secure updates, etc… end up having issues. So it's best if I leave the MS AD/DNS/DHCP server as the main.
Here's a sketch for some visuals.
https://i.imgur.com/njamQSx.png
I currently have pfSense set as the only forwarder for MS DNS and the DoH host is set as a forwarder on unbound. I'm hoping that DNS requests that aren't related to the domain are pulled from DoH, filtered through pfblockerng/dnsbl, and delivered to the clients. But this is where it all goes wrong… I am resolving DNS requests as expected and after doing packet captures I see that pfSense is indeed working with DoH to resolve non-authoritative queries. But pfblockerng/dnsbl just sits there and drools. I don't see any ads being blocked, nothing in pfblockerng alerts, etc.
* I'm not too worried about performance. Once you hit a site, it's cached. Next queries are almost instant.
Here's my config (LAN IPs have been obfuscated. They are actually in the 10.100.0.0/16 range):
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 2
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 1
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: no

# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# Interface IP(s) to bind to
interface: 10.10.10.1
interface: 2602:xxxx:xxxx:xxxx::1
interface: 127.0.0.1
interface: ::1

# Outgoing interfaces to be used
outgoing-interface: 10.10.10.1
outgoing-interface: 2602:xxxx:xxxx:xxxx::1
outgoing-interface: 127.0.0.1
outgoing-interface: ::1

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 169.254.0.0/16
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf

forward-zone:
name: "example.org"
forward-addr: 10.10.10.20
forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

forward-zone:
name: "."
forward-addr: 10.10.10.35
forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
-
You have to choose DNS Resolver and then check forwarding. If you choose DNS Forwarder, you don't use unbound but dnsmasq.
pfadmin
-
I'm using the DNS resolver already. And instead of checking the forward box, I've specified custom forward parameters.
-
Did you change DNSBL VIP? By default it's 10.10.10.1.
-
Nope, still the default. And I've configured the firewall rules. If I browse to the IP, I see the 1x1 pixel GIF.
-
Virtual IP Address
This address should be in an Isolated Range that is not used in your Network.
Rejected DNS Requests will be forwarded to this VIP (Virtual IP)
RFC1918 Compliant - (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Changes to the DNSBL VIP will require a Force Reload - DNSBL to take effect.
-
@ronpfs Oh, that is actually not a problem. I changed all the IPs in the config to 10.10.10.x for obfuscation. My LAN/VLANs all use the 10.100.0.0/16 range. So the VIP being on 10.10.10.1 isn't an issue.
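The script below is an added example and is not code from this thread, from pfSense or from pfBlockerNG. It parses an unbound.conf of the shape posted in the first message (including pfBlockerNG's "server:include: /var/unbound/pfb_dnsbl.*conf" custom-option line) and checks the structural points the replies raise: that the DNSBL include is actually present, that a catch-all forward-zone "." exists so unbound is really forwarding, that the DNSBL VIP is RFC1918 as the quoted help text requires, and that the VIP does not collide with any listening interface or forwarder address. The sample config is constructed from the posted one, trimmed; 10.100.0.1 is an assumed real LAN address standing in for the obfuscated 10.10.10.1, and the VIP default of 10.10.10.1 is taken from the reply above. The linter only flags what the config itself shows; it does not explain why DNSBL stayed idle for the poster.

```python
"""Lint a pfSense-generated unbound.conf for a pfBlockerNG DNSBL + forwarding setup.

Added example; not code from the thread, pfSense or pfBlockerNG.
"""
import ipaddress
import re

CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view", "remote-control"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPTION_RE = re.compile(r"^([\w-]+)\s*:\s*(.*)$")


def parse_unbound(text):
    """Parse unbound.conf text into (server_options, forward_zones, includes).

    server_options and each forward zone map option -> list of values (options
    such as 'interface' repeat). Handles the pfBlockerNG custom-option style
    'server:include: path', where a clause keyword and an option share a line.
    """
    server, zones, includes = {}, [], []
    current = None
    for raw in text.splitlines():
        # '#' starts a comment only at a token boundary: a forward-addr may carry
        # an 'ip@port#tlsname' suffix that has to survive.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        while line:
            m = OPTION_RE.match(line)
            if not m:
                raise ValueError(f"unparseable line: {raw!r}")
            key, rest = m.group(1), m.group(2).strip()
            if key in CLAUSES:
                if key == "server":
                    current = server
                elif key == "forward-zone":
                    current = {}
                    zones.append(current)
                else:
                    current = {}          # other clauses are parsed and dropped
                line = rest              # text after 'clause:' is an option
                continue
            value = rest.strip('"')
            if key == "include":
                includes.append(value)
            elif current is None:
                raise ValueError(f"option outside a clause: {raw!r}")
            else:
                current.setdefault(key, []).append(value)
            line = ""
    return server, zones, includes


def is_vip_address(token, vip):
    """True if an unbound address token ('ip', 'ip@port' or 'ip@port#tlsname') equals vip.
    Obfuscated or unparseable addresses (e.g. 2602:xxxx::1) are skipped, not flagged."""
    host = re.split(r"[@#]", token, 1)[0]
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(vip)
    except ValueError:
        return False


def check_dnsbl_setup(text, dnsbl_vip="10.10.10.1"):
    """Return a list of findings; an empty list means nothing was flagged."""
    server, zones, includes = parse_unbound(text)
    vip = ipaddress.ip_address(dnsbl_vip)
    findings = []
    if not any("pfb_dnsbl" in inc for inc in includes):
        findings.append("pfBlockerNG include pfb_dnsbl.*conf missing: unbound loads no DNSBL data")
    if not any(z.get("name") == ["."] for z in zones):
        findings.append('no forward-zone "." : unbound resolves recursively instead of forwarding')
    if not any(vip in net for net in RFC1918):
        findings.append(f"DNSBL VIP {vip} is not RFC1918 as pfBlockerNG requires")
    for opt in ("interface", "outgoing-interface"):
        for addr in server.get(opt, []):
            if is_vip_address(addr, dnsbl_vip):
                findings.append(f"DNSBL VIP {vip} collides with {opt} {addr}")
    for z in zones:
        for addr in z.get("forward-addr", []):
            if is_vip_address(addr, dnsbl_vip):
                findings.append(f"DNSBL VIP {vip} collides with forward-addr {addr} in zone {z.get('name', ['?'])[0]}")
    return findings


# Constructed sample, trimmed from the config posted in the thread. LAN addresses
# were obfuscated there to 10.10.10.x, which is also the default DNSBL VIP.
OBFUSCATED_CONF = """\
server:
interface: 10.10.10.1
interface: 2602:xxxx:xxxx:xxxx::1
interface: 127.0.0.1
outgoing-interface: 10.10.10.1
private-address: 10.0.0.0/8
include: /var/unbound/access_lists.conf
# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf
forward-zone:
name: "example.org"
forward-addr: 10.10.10.20
forward-zone:
name: "."
forward-addr: 10.10.10.35
include: /var/unbound/remotecontrol.conf
"""
# Assumed de-obfuscated variant: 10.100.0.1 stands in for the poster's real LAN address.
REAL_CONF = OBFUSCATED_CONF.replace("10.10.10.1\n", "10.100.0.1\n")

if __name__ == "__main__":
    for label, conf in (("obfuscated", OBFUSCATED_CONF), ("real LAN range", REAL_CONF)):
        print(label, "->", check_dnsbl_setup(conf) or ["no findings"])
```

Run against the obfuscated text it flags the VIP collision ronpfs asked about; against the assumed real addressing it is silent, which matches the poster's answer that the range is only an artefact of obfuscation. Feed it a config saved from the pfSense Resolver status page to check a live box.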