Netgate Discussion Forum
    DNSBL not activating

    Category: pfBlockerNG
    13 Posts 3 Posters 2.6k Views
    • RonpfS

      Have a look at

      https://forum.netgate.com/topic/91736/pfblockerng-v2-0-w-dnsbl
      https://forum.netgate.com/topic/102967/pfblockerng-v2-1-w-tld

      to see the requirements and how to configure.

      Did you configure any DNSBL Groups?
      Did you run a Force Update after saving the changes? Or a Force Reload DNSBL?

      Check the logs tab.

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • BBcan177 (Moderator)

        Try this tutorial:
        https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • CyberMinion

          @RonpfS Thanks for the suggested links, but I'm afraid I'm not finding much there that seems to help. I have set up two DNSBL groups, and I did force an update (which was successful). I have now done this a number of times, and rebooted pfSense altogether a few times as well.

          @BBcan177 That tutorial seems to be for a slightly different version of pfBlockerNG. I have 2.1.4_16. Anyway, I walked through it as best I could, verifying my work. I found no issues.

          • CyberMinion

            I see that under the checkbox to enable DNSBL, it says "To Utilize, Unbound DNS Resolver must be enabled." I went ahead and re-enabled the DNS server, mopped up the mess, and restarted. Still no luck.

            I might have found at least part of the issue: my DNS server was using request forwarding. When I disabled that and reinitialized, the DNSBL listing on my dashboard turned to a checkbox. However, I tried some links on the DNSBL lists, and after getting a few 404s, I found several which I was able to access through the firewall. I am not using the TLD check, but I went direct to the ad company's TLD, as was specified in the blocklist, so that shouldn't matter.

            Any thoughts?

            • RonpfS

              You are slowly getting there 😉

              If you haven't enabled TLD, I would disable Live Sync Reload until BBcan177 can debug that part of the code.

              After Restarting Unbound, I would have done a Force Reload DNSBL.

              Then inspect pfblockerng log, resolver log, system log to spot error messages.

              Do some nslookups from the box for the domains that are supposed to be blocked. The answer should be the VIP.
              Go to the Logs tab, DNSBL file to find those domain names.

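The nslookup check RonpfS describes, scripted so it can be run against every domain from the DNSBL file under the Logs tab. This is an added example, not pfBlockerNG's own code; it assumes the DNSBL VIP (placeholder default 10.10.10.1), that unbound answers on 127.0.0.1, and that `drill` from the FreeBSD base system is available.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code): confirm that domains loaded into
# unbound by DNSBL really answer with the DNSBL VIP. A resolver left in
# forwarding mode, or a list that never reloaded, shows up as LEAK lines.
# Assumptions (placeholders, adjust to your box): DNSBL_VIP is your
# configured DNSBL virtual IP; unbound listens on 127.0.0.1; `drill` exists.
# Domain names are read from stdin, one per line; '#' lines are ignored.

DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"
RESOLVER="${RESOLVER:-127.0.0.1}"

# lookup_a NAME: print the first A-record rdata the local resolver returns.
lookup_a() {
    drill -Q "$1" @"$RESOLVER" A 2>/dev/null | head -n 1
}

# classify NAME ANSWER: BLOCKED (answer is the VIP), NOANSWER, or LEAK.
classify() {
    case "$2" in
        "$DNSBL_VIP") echo "BLOCKED $1" ;;
        "")           echo "NOANSWER $1" ;;
        *)            echo "LEAK $1 -> $2" ;;
    esac
}

# check_list [LOOKUP_FUNC] < domains: one verdict per domain; returns 1 if
# any domain leaked past DNSBL. LOOKUP_FUNC defaults to lookup_a (a live
# query) and can be swapped for a stub function to exercise the logic offline.
check_list() {
    lookup="${1:-lookup_a}"
    leaked=0
    while IFS= read -r name; do
        case "$name" in ''|\#*) continue ;; esac
        verdict=$(classify "$name" "$("$lookup" "$name")")
        echo "$verdict"
        case "$verdict" in LEAK*) leaked=1 ;; esac
    done
    return "$leaked"
}

# Usage on the firewall:  check_list < /path/to/dnsbl-domains.txt
```

Any LEAK line names a domain that is on the list but not being answered by unbound with the VIP, which is the symptom described in this thread.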
              • CyberMinion @RonpfS

                @ronpfs Slowly indeed... sorry, this is my first experience with pfSense and pfBlockerNG.

                So, where in the blazes do I find "Live Sync Reload"? I have "pfBlockerNG XMLRPC Sync" disabled, but that doesn't sound like what you are talking about. I may enable TLD detection, but I also have Snort running on the same box, and based on the resource warning on TLD detection, I wasn't sure if I had enough to turn this on too...I would think it couldn't be too bad, but what do I know?

                Question: What in this case of DNS config is meant by "unbound"?

                I went to the DNSBL files, and checked a few URLs that it pulled from feeds. They were successfully redirected to the internal server. While I do have deduplication on, I don't see any reason that TLDs I manually pull from feeds should not be on the internal block list.

                • RonpfS

                  Live Sync Reload may only be available with the pfblockerng-devel version.

                  unbound is the service used by the DNS Resolver.

                  As for the warning about TLD, depending on the number of DNSBL entries you have, the TLD process might not be able to complete, so after a point it stops reducing domain names to TLD and just puts the domains as they are found in the feed.

                  • CyberMinion

                    You might be correct. I did not get the dev version.

                    Okay, so if it gets to be too much, it has that fail-safe option. Good to know! It seems to me that a simple if statement looking for *. *. *. *. * URL. *. *. *. * for each lookup would be all that is needed, but I'm no developer, so I assume it's more complicated than that. Anyway, I think I'll try enabling it and see what happens.

                    Thanks for the help!

                    • CyberMinion

                      With TLD enabled, I hardly even notice a change in resource load. I guess I'll keep it.

                      How would I go about adding custom domain names to be blocked? Do I need to make my own feed, just so DNSBL pulls it down, or can I enter them directly somewhere?

                      Thanks!

                      • CyberMinion

                        Apparently the firewall did run out of memory today. Also, when I ran a reload on my DNSBL entries, I got this error: "TLD Domain count exceeded. [ 100000 ] All subsequent Domains listed as-is"

                        I don't know how I reached that cap...

                        • RonpfS

                          If you inspect the pfblockerng.log, it has been saying that for every Cron update or Force Reload DNSBL since you enabled TLD.

                          To track memory usage, use Status > Monitoring, System Memory.
