My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?
-
@roveer said in My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?:
How do I tell how many domains are in DNSBL?
Widget will show the total DNSBL Entries or review the pfblockerng.log
Currently DHCP Registration and Static DHCP are both checked in the resolver. Is this a misconfiguration? I probably turned some of this stuff on so I would see names in BandwidthD (which it does).
When using these options and depending on how you have configured DHCP; it can be restarting Unbound on a more frequent basis to update the DHCP entries (defaults to every hour I believe).
The more domains that are used, the longer it may take to reload the Resolver. So if you can, best to change the DHCP lease time to something longer. It's also good to set DNSBL to update once per day (or use the new Live Sync feature).
-
@bbcan177 said in My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?:
Widget will show the total DNSBL Entries or review the pfblockerng.log
I turned on live sync and restarted unbound from the services menu and cleared the counts from the widget. It now goes to 100% at the first update. Before, it would start at a lower number and it would eventually make its way to 100%.
-
Run a Force Reload - DNSBL to enable the changed Live sync setting. Clear the DNSBL counter following the update.
-
@bbcan177 said in My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?:
Run a Force Reload - DNSBL to enable the changed Live sync setting. Clear the DNSBL counter following the update.
Did the force reload, waited for it to finish, cleared counters and it went to 100% at first update again.
-
When you clear the DNSBL counters, are they all going to zero on the DNSBL line? Your previous screenshot seems to show 17k blocked events after clearing the counters?
-
@bbcan177 said in My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?:
When you clear the DNSBL counters, are they all going to zero on the DNSBL line? Your previous screenshot seems to show 17k blocked events after clearing the counters?
I cleared counters again and watched. (EDIT: I've been clearing "packets". If I'm supposed to be clearing counters, I need to know where I do that.) This time it took 6 updates before it went to 100%, and during the updates the percentages dropped a few times but then went to 100% (current screenshot).
-
So from the screenshot, it blocked 42 events with only 2 Resolver DNS queries... So for some reason it's clearing the Resolver queries counter prematurely... I will have to try and replicate this and see what I can find... Maybe try without DHCP Reg enabled in the Resolver to see if we can limit the issue down?
Another option is to increase the Resolver Log verbosity to "2" and review the Resolver.log for any other clues to see what is occurring when it goes to 100%. (can run this cmd from the shell to see the live tail events:
clog -f /var/log/resolver.log
)
-
This firewall has an ipsec vpn using dyndns address. I'm pretty sure the only network I have defined in pfBlockerNG is LAN. Just wanted to throw that out there. I'm going to turn off the DNS registration and see what happens. Then I'll change the verbosity but I'll have to do that tomorrow.
-
It seems to be behaving better today. So last night before midnight I had unchecked the DHCP registration per your request and it went right back to 100% after clearing the counts.
I'm assuming at midnight it did an update/reset.
This morning I'm seeing the following:
-
With DHCP registration checked, unbound restarts with every new lease.
When you save DHCP settings, it also restarts unbound. So it's "normal" behaviour to see the 100% in the Widget.
-
@ronpfs said in My new pfBlockerNG is showing 100% on the dashboard. That's not right is it?:
With DHCP registration checked, unbound restarts with every new lease.
When you save DHCP settings, it also restarts unbound. So it's "normal" behaviour to see the 100% in the Widget.
At this point I can live without an accurate % as long as nothing else is happening that would cause negative effects. At this point I am going to leave settings where they are and see what happens. Right now I'm getting an accurate measurement of blocking at 22.36% (4,382 of 19,608), and my dns names are showing up in BandwidthD, which I expect will disappear at some point and revert to "configure dns to see names". If/when it does, I'll decide which is more important, knowing % blocked or resolving names.
Roveer