Netgate Discussion Forum

    Can't get DNSBL to work

    Category: pfBlockerNG
    Tags: dnsbl, unbound, pfblockerng
      SteelCityColt
      last edited by SteelCityColt

      Hi,

      Recently swapped out my hardware and decided to build from a fresh install rather than load in my old config. Had PFBlockerNG set up fine before and was working, can't seem to get it to work this time. My DNSBL is stuck showing as out of sync. I've tried stopping Unbound and running a force update but no joy.

      I think the culprit is SBL_ADS as I get "[ SBL_ADs ] Downloading update .. CF 522 Connection Timed Out" when trying to force update. In particular squidblocker seems to be the issue, I put this entry to OFF and reran the force update, but I still get the yellow exclamation mark for out of sync and Ads are not being blocked. I can't ping squidblacklist.

      Driving me slightly mad as was working perfectly before!

        jdeloach @SteelCityColt
        last edited by jdeloach

        The SBL_ADS list is down. It has been for several days now. For the time being, just set it to OFF.

        Have you signed up for a Maxmind license and have you entered your license number in the correct location?

        If so, then run the following from a command prompt and it should sync up the DNSBL lists: "php /usr/local/www/pfblockerng/pfblockerng.php dc", copy and paste without the quotes.

          SteelCityColt
          last edited by

          Thanks for your reply.

          Yes, had a Maxmind license from before, regenerated and placed the key into PFBlocker settings as before. I ran the suggested command from the command prompt but still no dice.

          Having removed SBL-ADS, this is now what I get when I run a force update:

          UPDATE PROCESS START [ 02/15/20 14:22:45 ]

          ===[ DNSBL Process ]================================================

          Loading DNSBL Statistics... completed
          Loading DNSBL Whitelist... completed

          [ EasyList ] exists.
          [ EasyPrivacy ] exists.
          [ Adaway ] exists.
          [ Cameleon ] exists.
          [ D_Me_ADs ] exists.
          [ D_Me_Tracking ] exists.
          [ hpHosts_ATS ] exists.
          [ Yoyo ] exists.
          [ Abuse_DOMBL ] exists.
          [ Abuse_URLBL ] exists.
          [ BBC_DC2 ] exists.
          [ SWC ] exists.
          [ D_Me_Malv ] exists.
          [ D_Me_Malw ] exists.
          [ ISC_SDH ] exists.
          [ MDS ] exists.
          [ MDS_Immortal ] exists.
          [ MDL ] exists.
          [ MVPS ] exists.
          [ Spam404 ] exists.
          [ SFS_Toxic_BD ] exists.
          [ AntiSocial_BD ] exists.
          Saving DNSBL database... completed

          ===[ GeoIP Process ]============================================

          ===[ IPv4 Process ]=================================================

          [ Abuse_Feodo_C2_v4 ] exists.
          [ Abuse_IPBL_v4 ] exists.
          [ Abuse_SSLBL_v4 ] exists.
          [ BBC_C2_v4 ] exists.
          [ CINS_army_v4 ] exists.
          [ ET_Block_v4 ] exists.
          [ ET_Comp_v4 ] exists.
          [ ISC_1000_30_v4 ] exists.
          [ ISC_Block_v4 ] exists.
          [ Spamhaus_Drop_v4 ] exists.
          [ Spamhaus_eDrop_v4 ] exists.
          [ Talos_BL_v4 ] exists.

          ===[ Aliastables / Rules ]==========================================

          No changes to Firewall rules, skipping Filter Reload
          No Changes to Aliases, Skipping pfctl Update

          UPDATE PROCESS ENDED

            RonpfS
            last edited by RonpfS

            After a Force Update, I always run a Force Reload DNSBL or Force Reload ALL to make sure all changes are processed. 😉

            2.4.5-RELEASE-p1 (amd64)
            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

              SteelCityColt
              last edited by

              Ah ha, when I do a force reload:

              Assembling DNSBL database... completed [ 02/16/20 08:17:20 ]
              Reloading Unbound Resolver..
              DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
              error: SSL handshake failed
              34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 02/16/20 08:17:21 ]

              *** DNSBL update [ 0 ] [ 171631 ] ... OUT OF SYNC ! ***

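The two logs quoted in this thread (the Force Update output and the Force Reload output) can be triaged automatically rather than by watching for the yellow exclamation mark. The following is an added example, not code from this thread or from pfBlockerNG itself: a small Python script that parses that plain-text output, flags feeds that failed to download (the "CF 522 Connection Timed Out" case), detects the failed Unbound reload with its SSL error lines and the "OUT OF SYNC" counts, and names the failing step. The sample logs inside it are constructed from the lines quoted above; reading the two counts in the "DNSBL update [ a ] [ b ]" line as loaded-vs-expected is an assumption, as is the list of words that mark a feed status as failed.

```python
"""Triage a pfBlockerNG Force Update / Force Reload log.

Added example, not code from the thread or from pfBlockerNG. It reads the
plain-text output pfBlockerNG prints (line shapes taken from the output
quoted in this thread) and returns a structured Report so a cron job or
monitoring hook can alert on an out-of-sync DNSBL and name the failing step.
Interpreting the two counts in "DNSBL update [ a ] [ b ]" as loaded vs.
expected is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "[ EasyList ] exists." / "[ SBL_ADs ] Downloading update .. CF 522 Connection Timed Out"
FEED_RE = re.compile(r"^\[ (?P<feed>[^\]]+?) \] (?P<status>.+?)\s*$")
# "*** DNSBL update [ 0 ] [ 171631 ] ... OUT OF SYNC ! ***"
SYNC_RE = re.compile(r"DNSBL update \[ (?P<loaded>\d+) \] \[ (?P<expected>\d+) \] \.\.\. OUT OF SYNC")
# "error: SSL handshake failed" and OpenSSL's "NNN:error:14090086:SSL routines:..." lines
ERROR_RE = re.compile(r"^(?:\d+:)?error:")
# Assumption: a feed status containing one of these is a failure; "exists." etc. is success.
FAIL_MARKERS = ("timed out", "fail", "error", "not completed")


@dataclass
class Report:
    feeds_ok: List[str] = field(default_factory=list)
    feeds_failed: Dict[str, str] = field(default_factory=dict)  # feed -> status text
    reload_failed: bool = False  # "DNSBL enabled FAIL - restoring Unbound conf" seen
    errors: List[str] = field(default_factory=list)
    loaded: Optional[int] = None
    expected: Optional[int] = None

    @property
    def out_of_sync(self) -> bool:
        return self.loaded is not None and self.loaded != self.expected

    def diagnosis(self) -> str:
        """Name the most likely failing step, most specific cause first."""
        joined = " ".join(self.errors).lower()
        if self.reload_failed and ("handshake" in joined or "certificate verify failed" in joined):
            return ("unbound-control TLS handshake failed: the control cert/key set in "
                    "/var/unbound does not verify; regenerate it (the thread's fix: remove "
                    "dnsbl_cert.pem, unbound_control.*, unbound_server.*, reboot, Force Reload)")
        if self.reload_failed:
            return "Unbound reload failed; see error lines: " + "; ".join(self.errors)
        if self.feeds_failed:
            names = ", ".join(sorted(self.feeds_failed))
            return "feed download failed (%s); set the feed to OFF or retry later" % names
        if self.out_of_sync:
            return "DNSBL out of sync with no error reported; run Force Reload DNSBL"
        return "healthy"


def analyze(log_text: str) -> Report:
    """Walk the log line by line and fill a Report."""
    rep = Report()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FEED_RE.match(line)
        if m:
            feed, status = m.group("feed"), m.group("status")
            if any(k in status.lower() for k in FAIL_MARKERS):
                rep.feeds_failed[feed] = status
            else:
                rep.feeds_ok.append(feed)
            continue
        if "DNSBL enabled FAIL" in line:
            rep.reload_failed = True
            continue
        if ERROR_RE.match(line):
            rep.errors.append(line)
            continue
        m = SYNC_RE.search(line)
        if m:
            rep.loaded, rep.expected = int(m.group("loaded")), int(m.group("expected"))
    return rep


# Constructed samples: a trimmed Force Update log with one feed timing out,
# and the Force Reload output quoted in the thread.
SAMPLE_UPDATE = """\
UPDATE PROCESS START [ 02/15/20 14:22:45 ]
===[ DNSBL Process ]================================================
Loading DNSBL Statistics... completed
[ EasyList ] exists.
[ SBL_ADs ] Downloading update .. CF 522 Connection Timed Out
[ Adaway ] exists.
Saving DNSBL database... completed
UPDATE PROCESS ENDED
"""

SAMPLE_RELOAD = """\
Assembling DNSBL database... completed [ 02/16/20 08:17:20 ]
Reloading Unbound Resolver..
DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
error: SSL handshake failed
34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 02/16/20 08:17:21 ]

*** DNSBL update [ 0 ] [ 171631 ] ... OUT OF SYNC ! ***
"""

if __name__ == "__main__":
    for name, text in (("update", SAMPLE_UPDATE), ("reload", SAMPLE_RELOAD)):
        print(name + ":", analyze(text).diagnosis())
```

Running it on the reload sample reports the certificate problem before the generic out-of-sync state, which is the order a practitioner wants: a feed that is merely down (set it to OFF) and a broken unbound-control certificate set (regenerate it) need different fixes, and both show up as the same "OUT OF SYNC" flag in the GUI.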
                SteelCityColt
                last edited by

                Solved it guys, did some googling on that SSL error and found another post here:

                In
                /var/unbound

                Delete
                dnsbl_cert.pem
                unbound_control.key
                unbound_control.pem
                unbound_server.key
                unbound_server.pem

                Reboot and run force update/reload.

                DNSBL now up and running. Thanks for the help in diagnosing guys.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.