Issues using DNSBL and IP to block domains
-
@NollipfSense said in Issues using DNSBL and IP to block domains:
IP address of domains is constantly changing...
Yeah, but doesn't pfBlocker periodically update its lists? Nothing will keep up if the IPs change like every few minutes, but if it is days, then perhaps pfBlocker daily list updates can keep up? pfBlocker would update the IPs in the alias from the list.
Another possibility is using a URL alias table and loading an updated list from a URL periodically. This would require more work on the part of the admin to manually create an update process.
-
@bmeeks said in Issues using DNSBL and IP to block domains:
This would require more work on the part of the admin to manually create an update process.
That's why I mentioned the changing IP. I am learning more and more that network administration even for a small home network is a bit*h.
-
@NollipfSense said in Issues using DNSBL and IP to block domains:
That's why I mentioned the changing IP. I am learning more and more that network administration even for a small home network is a bit*h.
I believe the OP is asking about this for his home network. Blocking DoT or DoH in a home network is not really something I would concern myself with. If you have an army of IoT devices, then maybe segregate them on a restricted VLAN by themselves. Some of them are useless without Internet connectivity, though, so you probably need to let them have Internet access even if on a restricted VLAN.
You can very quickly get "too complicated" in a home network if you try to solve or plan for every cyber security potential issue. You can find yourself with a highly secure network that is, for all intents and purposes, non-functional in terms of what you built it for. In other words, most of the stuff you want to access no longer works as it should ...
Just take reasonable precautions, keep your software updated with security fixes and live a normal peaceful life with a happy wife! Remember, if your wife can't reliably get to Netflix, Amazon Prime Video and Pinterest over the home network, then your life as a network admin will suck! ...
-
@bmeeks said in Issues using DNSBL and IP to block domains:
You can very quickly get "too complicated" in a home network if you try to solve or plan for every cyber security potential issue. You can find yourself with a highly secure network that is, for all intents and purposes, non-functional in terms of what you built it for. In other words, most of the stuff you want to access no longer works as it should ...
Just take reasonable precautions, keep your software updated with security fixes and live a normal peaceful life with a happy wife! Remember, if your wife can't reliably get to Netflix, Amazon Prime Video and Pinterest over the home network, then your life as a network admin will suck! ...
Had to laugh aloud. I recently added Shodan and DoH, lots of sites got broken, and I'm still working on Skype as that's how the household communicates with other distant family members.
-
I definitely am the type to over-complicate my home network, mostly for fun. Yes, pfBlocker can use aliases, and that is what it uses when a feed is created. My issue is that I currently have a list of domains that pfBlocker will fetch the IPs for, and I want those IPs blocked on specific ports. However, when pfBlocker returns the IPs it only lists the VIP used for DNSBL, because the domains are listed there as well. Do you have any thoughts on how to have pfBlocker retrieve these IPs?
-
I have been thinking disabling DNS resolver responding on the local host might work, but I'm not sure if that will work or what else it will affect.
-
@Risfold said in Issues using DNSBL and IP to block domains:
I have been thinking disabling DNS resolver responding on the local host might work, but I'm not sure if that will work or what else it will affect.
Well that didn't work. Got the error below. Plus then my resolver wouldn't use the DoH I have setup.
-
@BBcan177 Do you have any suggestions? I would very much appreciate any help you can offer.
-
You will need the resolver for DNSBL to work. I am not familiar with the internal details of how pfBlockerNG works. The developer and I have exchanged ideas in the past, but I mostly concentrate on the IDS/IPS packages (Snort and Suricata).
-
@bmeeks said in Issues using DNSBL and IP to block domains:
You will need the resolver for DNSBL to work. I am not familiar with the internal details of how pfBlockerNG works. The developer and I have exchanged ideas in the past, but I mostly concentrate on the IDS/IPS packages (Snort and Suricata).
Thanks for your contributions to pfSense! I actually am upgrading to beefier pfSense hardware soon and I plan on looking into those. I am currently on an APU board, and from what I hear that doesn't quite cut it for those.
-
Some more info here:
https://www.reddit.com/r/pfBlockerNG/comments/d3p1gf/doh_server_blocklist/
-
@BBcan177 said in Issues using DNSBL and IP to block domains:
Some more info here:
https://www.reddit.com/r/pfBlockerNG/comments/d3p1gf/doh_server_blocklist/
Hi BBcan177, thanks for the reply. This post is where I got my domain list from. My issue is that I would like to use the DNSBL and also block the IPs of these addresses. However, when the whois lookup occurs during the IP cron, pfBlocker only returns the pfBlocker VIP because the same list of domains is in the DNSBL.
Can the whois lookup for an IP blocklist occur ignoring the DNSBL?
-
I hoped my explanations above were clear enough, but in case not I have added the screenshots below. I appreciate the help with this issue!
Domain list on DNSBL:
IP block list:
List of IPs from block list showing pfblocker VIP only since domains are listed on DNSBL already:
-
That Heuristics feed is for DNSBL only. It's not an IP list, so it can't be used in the IP tab.
What is your IP Placeholder IP? Is it 10.10.10.1? That could interfere with DNSBL depending on what you selected for the DNSBL VIP address.
-
I have the feed for the Heuristics list in whois format, so pfBlocker should resolve these, no? That is the issue I'm referring to. When pfBlocker uses the DNS resolver to resolve the list of domains for IP blocking, it uses itself (DNSBL) and only resolves the DNSBL IP (10.10.10.1) for each domain.
The IP placeholder and DNSBL IP are default:
-
@Risfold
Don't think that duality is possible.
-
@BBcan177
I see. I was hoping there would be a way that I was just ignorant of. Thank you for taking the time to review this. If anyone else has a suggestion beyond manually resolving these domains externally and manually updating the lists, please let us know!
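As an added example that is not part of the thread (not pfBlockerNG's or anyone's posted code): the workaround Risfold closes with, resolving the domain list outside the firewall's DNSBL-intercepting resolver and publishing the result as an IP list, can be scripted so that a pfSense URL Table (IPs) alias, as bmeeks suggested, fetches it on a schedule. Assumptions: `dig` is installed on the host running the script (pfSense does not ship it, so run this on a workstation or small server), the domain list is one name per line, the DNSBL VIP is 10.10.10.1 as shown in the thread, and 9.9.9.9 is only a stand-in for whichever external resolver you trust.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a domain list against an
# external resolver so the answers are real addresses, not the DNSBL VIP
# that the firewall's own Unbound hands back for sinkholed names, then
# write a plain IP list suitable for a pfSense "URL Table (IPs)" alias.
set -eu

# Assumption: any trusted resolver that is NOT the firewall; 9.9.9.9 is a stand-in.
EXTERNAL_RESOLVER="${EXTERNAL_RESOLVER:-9.9.9.9}"
# Default DNSBL VIP from the thread; an answer equal to it means the query
# was intercepted locally and must not end up in the block list.
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"

# Print the A records for one domain, one per line (dig is assumed installed).
resolve_a() {
    dig +short +time=3 +tries=1 @"$EXTERNAL_RESOLVER" "$1" A 2>/dev/null || true
}

# Keep only dotted-quad IPv4 answers (dig +short also prints CNAME targets),
# drop the DNSBL VIP, and deduplicate. Argument: the VIP to exclude.
filter_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | grep -vxF "$1" | sort -u
}

# Read domains (one per line, '#' comments allowed) from stdin, write the
# alias file atomically to $1, and print the number of addresses written.
build_alias() {
    out="$1"
    tmp="$(mktemp)"
    while IFS= read -r domain; do
        case "$domain" in ''|'#'*) continue ;; esac
        resolve_a "$domain"
    done | filter_ips "$DNSBL_VIP" > "$tmp"
    mv "$tmp" "$out"
    wc -l < "$out" | tr -d ' '
}

# Usage: build_alias /var/www/doh-ips.txt < doh-domains.txt
# then point a URL Table (IPs) alias at http://<host>/doh-ips.txt and use
# that alias in the port-specific block rules discussed in the thread.
```

Run it from cron at roughly the interval you set for the alias's update frequency; because the local resolver is never consulted, the DNSBL entries for the same domains stay in place.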