Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Odd IP's address in PI-hole with PFblocker (DoD for one :scream:)

    Scheduled Pinned Locked Moved pfBlockerNG
    20 Posts 4 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • randombitsR
      randombits
      last edited by randombits

      Yep, that appeared to stop it - Thanks John !
      It seemed odd with batches of IP's more or less at the same time.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        There is a lot of noise on the net ;) You are seeing these blocked at the wan of pfsense right, your clients not going there?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        randombitsR 1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks @johnpoz
          last edited by bmeeks

          @johnpoz said in Odd IP's address in PI-hole with PFblocker (DoD for one 😱):

          Yeah pretty sure out of the box ntop will try and resolve all the traffic it sees. Snort might/could do the same sort of thing.

          Snort and Suricata behave the same as the pfSense firewall log view. They do not resolve a log entry unless the user clicks the little magnifying glass icon beside an IP on the ALERTS tab. So like the pfSense firewall log, manual user action is required for either of the IDS/IPS packages to perform a DNS lookup.

          Update: I need to clarify one point. The scheduled rules update check cron tasks connect to the rule vendors via URLs, so those tasks will, as part of the CURL connection process, perform DNS lookups to convert the URL into an IP address.

          1 Reply Last reply Reply Quote 0
          • randombitsR
            randombits @johnpoz
            last edited by

            @johnpoz your clients not going there?

            not as far as I know 🤞

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              @bmeeks
              Thanks for the clarification, I was not "sure" that is why made sure to say might/could ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              bmeeksB 1 Reply Last reply Reply Quote 1
              • bmeeksB
                bmeeks @johnpoz
                last edited by

                @johnpoz said in Odd IP's address in PI-hole with PFblocker (DoD for one 😱):

                @bmeeks
                Thanks for the clarification, I was not "sure" that is why made sure to say might/could ;)

                No problemo. Just verifying how the package behaves so folks know.

                1 Reply Last reply Reply Quote 0
                • randombitsR
                  randombits
                  last edited by

                  I'm 99% curtain it's ntopng as the IP's have stopped showing in pi-hole when ntopng is turned off.

                  bmeeksB 1 Reply Last reply Reply Quote 0
                  • bmeeksB
                    bmeeks @randombits
                    last edited by bmeeks

                    @randombits said in Odd IP's address in PI-hole with PFblocker (DoD for one 😱):

                    I'm 99% curtain it's ntopng as the IP's have stopped showing in pi-hole when ntopng is turned off.

                    Packages like that try and do you a favor and turn the IP addresses they see into human-friendly domain names by doing reverse PTR lookups when writing the information to their logs. The DNS lookups are harmless unless you have a specific reason to want them turned off.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz

                      Most of the noise you would be seeing from the internet is not going to resolve anyway - so its pretty pointless to look for it.. None of the shit he posted resolves.. So what is the point of trying to, if 90% of its not even going to... Its wasted cycles and queries.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • bmeeksB
                        bmeeks
                        last edited by

                        I've never used ntopng, but if the DNS lookup thingy is not a configurable option, perhaps that is a feature the maintainer/developer might want to consider adding.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          pretty sure you can just turn off the resolving part.. I don't currently have it running - let me look

                          edit: yeah you can config it
                          dnsconfig.png

                          If it was default on his settings it should not have tried to resolve the public IPs, and only his local ones.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • randombitsR
                            randombits
                            last edited by randombits

                            Spoke too soon, I removed ntopng, snort, darkstat and avahi and I'm still getting the IP's in pi-hole. My thoughts are not to use pi-hole or what I'm doing is wrong in some way. Also nothing connected on the LAN side at all - laptop off.

                            I think the obvious answer is Pfblocker or some weird interaction with pi-hole. Why I think this, I turn on another laptop WIFI'd to the router (so it's on the WAN side of pfsense and pi-hole starts seeing these IP's.

                            I'll take pi-hole out of the loop and put 9.9.9.9 into pfsense in the system/general DNS

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.