Bypassing DNSBL for specific IPs
-
The OP's suggested config works for me. I melded it with Cloudflare's recent DNS-over-TLS commands as well to have a more robust configuration.
In case anyone's interested, here are my commands:
server: access-control-view: <excluded dnsbl="" subnet="">bypass access-control-view: <included dnsbl="" subnet="">dnsbl ssl-upstream: yes do-tcp: yes minimal-responses: yes prefetch: yes qname-minimisation: yes rrset-roundrobin: yes forward-zone: name: "." # Below 4 addresses are Cloudflare DNS forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf</included></excluded>
-
This method is just not working for me :( I am trying to block all except host 10.168.2.157, but as soon as I add the configuration to the DNS Resolver custom options, DNSBL stops working although it is still running without errors. I get no more DNSBL alerts and ads shows up on all my hosts.
Here is my DNS Resolver (unbound) custom options:
server: access-control-view: 10.168.2.157/32 bypass access-control-view: 10.168.0.0/16 dnsbl do-tcp: yes minimal-responses: yes prefetch: yes qname-minimisation: yes rrset-roundrobin: yes view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf
-
Revisiting this thread as I needed to exclude my Roku devices on my network as they need to reach ad sites for the news feeds to work. (sucks) Getting it to work has raised some questions that maybe others can chime in on and maybe my configuration / findings may help others.
I am using Cloudflares DNS over TLS hence the forward-zone configuration. In addition I run a Plex server at home and need to define the private-domain to allow internal resolution to a private IP address.
I have three Roku devices that use the "bypass" view
Everything else on my three network segments uses DNSBL to block ads.
I have native IPv6 and hence need to add access control as some hosts use IPv6 for DNS transport.
There are a number of host overrides configured to resolve private IP addresses and hidden hosts from the internal Intranet and not use the public IP addresses resolved by my external NS.
Example of my custom options: -server: private-domain: "plex.direct" access-control-view: 192.168.1.51/32 bypass access-control-view: 192.168.1.61/32 bypass access-control-view: 192.168.1.83/32 bypass access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl rrset-roundrobin: yes forward-zone: name: "." forward-ssl-upstream: yes # Cloudflare DNS forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 forward-addr: 2606:4700:4700::1111@853 forward-addr: 2606:4700:4700::1001@853 view: name: "bypass" view-first: yes #include: /var/unbound/host_entries.conf view: name: "dnsbl" view-first: yes include: /var/unbound/host_entries.conf include: /var/unbound/pfb_dnsbl.*conf
What I have found is if I use a 192.168.0.0/22 mask (CIDR) for the IPv4 subnets it does not work, I instead had to define each subnet with /24. Maybe a /16 would have worked?
Same problem with IPv6. (note, the examples mask my real IPv6 prefix), I had to define multiple /64's as a single /62 did not work.
The dnsbl view needed to have include: /var/unbound/host_entries.conf otherwise the host overrides did not resolve. For some reason however that was not required for the bypass view, which seems to operate quite happily without the include: hence it is commented out. Not what I expected.
I also, had a number of issues, that I did not continue confirming exactly the behavior, when trying to format for readability the custom options by indenting some lines using spaces. This caused it to fail. so no leading spaces on any line. :-)
unbound "view" is not very well documented, but does provide some potential for client specific workarounds that I've needed every now and then. Debug seems limited in the log files regarding matching of access-control-view and which view is being used. Maybe I had too much verbosity enabled and message were deep and I missed them?
With multiple hosts for testing and having dig/nslookup forced to use IPv4 or IPv6 I was able to finally reproduce what I believe is a working config. Albeit with some configuration options that I don't fully understand why they work how they do. Will see how it goes . . . .
If anyone can comment on the subnet masks and the include:
-
One topic I keep not seeing is what if you want to block X for all. But by pass Y for a few and still block X.
-
Hi.
Following this topic, we need to first create the ACL or u put the settings directly on the custom field?
Regards.
-
@periko Put the settings directly into a custom field, this is the only place the ACLs are defined.
Reference: https://jpmens.net/2016/12/20/unbound-supports-views-for-local-data/
My implementation using the information in this post: https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/
-
I had tested and works, in my layout, I got 2 networks:
-LAN
-VLANI setup my vlan not to use the dnsbl and works.
Thanks guys!!!
-
Hi,
I too have managed to get this working thanks to the above.
One question though, if I use DNSBL Category (shallalist) instead of DNSBL Feeds I've noticed that the bypass no longer works.
I'm guessing this is because the name 'dnsbl' isn't correct when using a category. Any ideas please on the correct syntax? or other cause?
server: access-control-view: 192.168.2.3/32 bypass access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.1.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes server:include: /var/unbound/pfb_dnsbl.*conf
Thanks
-
@yeleek Try removing the second 'server' from your options here. Your custom options should look like:
server: access-control-view: 192.168.2.3/32 bypass access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.1.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf
I've also noticed more problems with this when trying to set view 'bypass' for specific addresses inside of a subnet that is also a member of your 'dnsbl' view. I can't confirm whether this is actually an issue or just misconfiguration on my part, but I'd try the above and see if it works for you, even temporarily.
-
@kevinmitky That appears to be working for now. Thank you :)
-
@yeleek Please note, if you do an update, disable and re-enable DNSBL that line will be modified again back to the standard entry. You will need to check each time and remove any leading "server:" to ensure your expected behavior works as expected.
Just an FYI as it caught me out and is now part of my standard checks following any modifications to the configuration of my pfSense
@ kevinmitky I am doing exactly what you described. I have my dnsbl view as the subnets and am specifying specific hosts on those subnets to bypass. These are Roku's devices that had news feeds that used block sites and I made a choice to allow it access for the convenience. Ensuring the host specific acl was before the subnet based ones was something I just do based on my background, but if you don't have it in that order, maybe that's an area to check. That and having to clear any host DNS caches made this a little more time consuming to test if I screwed up the config on pfSense :-)
-
Current syntax under Services > DNS Resolver > Custom Options with Pfblockerng enabled is:
private-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.conf**I have a multiple devices I want to bypass dnsbl (192.168.1.50, 192.168.1.51, 192.168.1.52) but everything else on 192.168.1.0/24 I want running through dnsbl so as I understand it I should just copy and paste the following into the custom options field of the DNS resolver for this:
*server: private-domain: "plex.direct" access-control-view: 192.168.1.50/32 bypass access-control-view: 192.168.1.51/32 bypass access-control-view: 192.168.1.52/32 bypass access-control-view: 192.168.1.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf
-
@TupleButter Basically yes. although in your samples you have some "*" in places I don't expect. i.e. *server:
In my active config the last line is: -
[Edited] My original was incorrect as it was changed following an update. You will need to keep checking this line if there are any changes, as it gets auto added with server: prefixing it.include: /var/unbound/pfb_dnsbl.*conf
TBH its been a while since I set this up, so not sure if you need to repeat the server: tag again.
As a note, if you ever enable blocking of banned or emerging hosts you will need to include that config file in each view
My custom options currently are: -
server: so-reuseport: no private-domain: "plex.direct" # bypass view for Roku IP addresses access-control-view: 192.168.1.51/32 bypass access-control-view: 192.168.1.61/32 bypass access-control-view: 192.168.1.83/32 bypass access-control-view: 2601:xxxx:xxxx:xxxx::/64 dnsbl access-control-view: 2601:xxxx:xxxx:xxxx::/64 dnsbl access-control-view: 2601:xxxx:xxxx:xxxx::/64 dnsbl access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl view: name: "bypass" view-first: yes include: /var/unbound/host_entries.conf view: name: "dnsbl" view-first: yes include: /var/unbound/host_entries.conf # local-zone: "youtube.com" inform_deny # local-zone: "facebook.com" inform_deny include: /var/unbound/pfb_dnsbl.*conf
This ensures plex works, unbound is multithreaded, includes my IPv6 subnets (obscured in example) provide bypass for selected hosts (in this case only Roku and they are IPv4 only), denies access to banned or emerging hosts.
The two commented out local-zone's are my sledge hammer approach to blocking social media for some of the younger members in the house when they get grounded! They are not currently grounded :-) -
I have followed the above and put this in my unbound custom options and it doesnt block the ads
server:
private-domain: "plex.direct"
access-control-view: 10.10.0.0/24 bypass
access-control-view: 10.0.0.0/24 dnsbl
access-control-view: 10.0.8.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*confif i get rid of everything and put it back to what it was before which was the below then i get adblocking but of course it happens on every network. I just want adblocking on my guest network and openvpn network for now
server:
private-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.*confMay someone help please?
-
@ryk48 said in Bypassing DNSBL for specific IPs:
rivate-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.*coRemove the server: from this line.
server:include: /var/unbound/pfb_dnsbl.*confIt should be like this: include: /var/unbound/pfb_dnsbl.*conf
Note that every time you perform a change in pfblocker, you will have to remove the "server:" from unbound custom options.
-
@mcury
Right.. Its what i did above and what my current config is. What i mentioned is what i had before i made the changes which was the config below without all access control stuff.I think my problem might be because im running an active directory domain and all my computers are set to use a windows dns server which forwards to pfsense to do dns over tls so im thinking no matter what network i put in the access control view it will be blocked if i do dnsbl on that network since pretty much everything has its dns set to my windows dns server, except the guest lan.
For example:
My windows dns server is on 10.10.0.0/24 network
my windows pcs are on 10.0.0.0/24
opendns computers are on 10.0.8.0/24
guest is on 192.168.10.0/24my windows pcs have their dns server set to the dns server on the 10.10 network so i think if i dnsbl on the 10.0.0.0/24 network its not working because windows computers dns are pointed to the dns server on the 10.10.0.0/24 network which wouldnt be dnsbl. Also i think id have the same problem on my opendns network as well since its dns servers also point to my windows dns server so i can rdp into network pcs. If i am wrong in how this works please chime in. Sounds like i might need dns servers for each network?
Ideally i just want to do dnsbl on my guest and opendns networks because i want guests to have adblock. I also want to connect to my openvpn server from my phone and browse the net on my phone with no ads and in addition have the ability to rdp into my pcs and servers but how can i achieve that when the opendns network dns points to the windows server network?
-
@ryk48 I have been looking for a pfsense solution to this for awhile. It seems the Unbound views might accomplish what I need as well, but what a pain in the ass to setup and manage. I have been investigating the Sensei plugin for Opnsense. It looks sooooo amazing and does exactly what you are asking about with ease. Policy based filtering! I just really like pfsense and didn’t want to have to reinstall my home router for one feature, but I am not seeing another option. Was hoping Sensei would be migrated to pfsense :P!
We’re you able to get this setup using unbound in pfsense?
-
@kezzla I was not. I figured since im having all of my devices on my network point to my AD DNS Server this wouldnt work. Guest lan would probably work but since i want to rdp from my phone and also block ads on my phone while connected to vpn to home this wouldnt work without affecting all pcs that use my ad dns servers.
-
Just found this thread and I think it might save my a$$ while stuck at home because of the covid19 pandemic... If I'm hijacking an existing thread, I'll move to a new one.
Basically I want all traffic on a specific VLAN (named DMZ with 192.168.2.0/24) totally bypass pfblocker & DNSBL in both directions (incoming and outgoing)... Based on OP's post, I added the following in unbound's custom options:
server: access-control-view: 192.168.2.0/24 bypass access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf
For some reasons, even after restarting unbound, DNSBL and even rebooting pfsense, I still see tons of alerts in the Reports tab of pfblocker. Using a machine on VLAN, pages are still being blocked. Clearly this is not working for me. What am I doing wrong?
Some of my settings (if it helps):
- WAN is WAN... LAN1, LAN2 and DMZ are VLAN's based on LAN physical interface
- WAN is the only interface selected in pfblockerNG's Inbound Firewall Rules
- LAN1 & LAN2 are the only interfaces selected in pfblockerNG's Outbound Firewall Rules
- LAN1 & LAN2 are the only interfaces selected in DNSBL's "Permit Firewall Rules"
-
I did a quick check on my pfSense version 2.4.5-RELEASE and pfBlockerNG 2.1.4_22 and checked I can bypass a single hosts (/32) and also changed my LAN subnet to bypass (/24) and all worked as expected.
On my setup however I do have to make sure my test PC has IPv6 disabled for DNS so it correctly matched the unbound views.
Clutching at straws, my config is not nicely indented like yours, as you will see from my original reply earlier in this thread, that did seem to cause me problems, but did not spend much time verifying it as I just removed all leading spaces and it mainly worked as expected after that.
-
This is really strange....
- If I remove the leading spaces, I cannot save the config
The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors: [1586258288] unbound-checkconf[11766:0] error: local-data in redirect zone must reside at top of zone, not at zz.zeroredirect1.com 60 IN A 10.10.10.1 [1586258288] unbound-checkconf[11766:0] fatal error: Could not set up views
- I had removed the leading "server:" in front of the last line to look like this:
include: /var/unbound/pfb_dnsbl.*conf
But every time I login to pfsense and try to modify the unbound settings, it is back to this:
server:include: /var/unbound/pfb_dnsbl.*conf
Is the package pfblockerNG doing this???
-
@pftdm007 said in Bypassing DNSBL for specific IPs:
Is the package pfblockerNG doing this???
Yep.
You know now how pfBlockerNG-devel communicates the list with IPs to be blocked to unbound ^^Before you install, the custom options box (unbound) is empty :
When you dissable pfBlockerNG-debel, and re activate it :
it will add this line to the custom options (unbound) :
The first time you installed pfBockerng-devel, there was even a first comment line :
-
Okayyyy... but...? That doesnt explain why the custom options with views dont work (and dont work if I remove the leading spaces), and how to prevent pfblockerNG from adding the redundant "server:" statement in front of the line....
Others in this thread have successfully used views while using pfblockerNG so there's something I am doing wrong...
-
Which version of pfBlockerNG is installed?
Although I did upgrade mine last night to -deval 2.2.5_30 and quickly ran the same test and it still works fine.Note: upgrading, installing, disabling / enabling etc. will always add the "server:" prefix to the include line. I just have a note to always check and remove it. Am not aware of any workaround.
Based on your error there is another thread from 2016
DNS Resolver cannot be modified or changedSeems to be something regarding the System Domain Local Zone type setting. Mine is Transparent which seems to be OK and allows me to save the config and views do work. If its not this, there must be something else, so will need a little more info on your setup and config.
i.e. Do you have IPv6 configured? That will change a number of things that need additional configuration.
-
@pftdm007 said in Bypassing DNSBL for specific IPs:
and how to prevent pfblockerNG from adding the redundant "server:" statement in front of the line....
Well ...
Have a keyboard ?
Here it is :/usr/local/pkg/pfblockerng/pfblockerng.inc line 1289
$unbound_include = "server:include: {$pfb['dnsbl_file']}.*conf";
Take note : this line is still added at the end of the unbound config file. No analyses is done for Custom options already present.
When pfBlockerng installs, or when you re-enable DNSBL mode, that line is added. -
@Gertjan
Nice!Keyboards still rule!, As "Alexa, please make change to pfSense /usr/local . . . . @ line 1289" just isn't going to hack it anytime soon :-)
-
I really wouldn't ask Alexa to do this ......
Anyway, I tried it myself.Disabled :
and forced a Update > Reload >All.
My Unbound > Custom options box is now empty.
I added a single (needed !) line :I edited the file mentioned above.
And activated DNSBL in pfBlokcerNG again :The result :
$unbound_include = "# With some comments\n# while I was here.\n include: {$pfb['dnsbl_file']}.*conf";
-
@horse2370 : pfBlockerNG-devel v2.2.5_30 is installed on my system. Seems to be the latest one. Also the thread you referred me to, seems to be a bug in Unbound or its implementation in pfsense? Still unfixed? The thread ends up dead with no answer.
If "upgrading, installing, disabling / enabling etc." will always put the "server:" statement back in unbound's custom options, then to me, pfBlockerNG's devs never intended their package to work with Unbound views. This is highly confirmed by @Gertjan's workaround to manually edit "/usr/local/pkg/pfblockerng/pfblockerng.inc"...
IMO, and this is only personal opinion, we should never have to fiddle with internal files like this way, even if it works. Especially on production systems. Will this file be overwritten once pfblockerNG is updated?
At least now I start to have a better picture on how these components interact with each others....
-
Just saw the last line of your post... No, I do not use IPV6 at all. Pretty much everything else is stock, with the exception of pfblockerNG and Snort. I also use VLAN's. Could you specify which setting you need more specifically? I will be glad to provide!
EDIT: some Unbound settings
Port 53
Enable SSL/TLS: Unchecked
SSL/TLS Cert: stock setting
Network ifaces: VLANs (see my initial post on this thread for details)
Outgoing ifaces: WAN
System Domain Local Zone Type: Transparent
DNSSEC: Checked
Python Module: Unchecked
DNS query FW: Unchecked
DHCP Registrations: Checked
Static DHCP: Checked
OpenVPN : Unchecked
Custom Options: (see my initial post on this thread for details) -
@pftdm007 said in Bypassing DNSBL for specific IPs:
Will this file be overwritten once pfblockerNG is updated?
It's part of the package - so a re install or upgrade will undo changes.
Or, before editing, make a copy of it.@pftdm007 said in Bypassing DNSBL for specific IPs:
pfBlockerNG's devs never intended their package to work with Unbound views.
It's just a way to have unbound to include a file with IP's - the scope is just 'server' (unbound dns) wide.
Btw : in my case, this file is empty, I'm not using DNSBL part of pfBlockerNG-devel - so it'a a no-op for me.
I could even wipe this line in the custom options.
( but shouldn't be surprised the DNDBL functionality wouldn't work anymore ) -
Does the order in which you put the networks in the custom configs make any difference? Like would
access-control-view: 192.168.2.0/24 bypass access-control-view: 192.168.1.0/24 dnsbl
be any different than
access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.2.0/24 bypass
?
My custom configs were working fine but something broke so I'm trying to nail down what it might be.
-
@pftdm007 Have you managed to save the config with the advanced options? Like remove everything and save, does that work? Just add the server: Include . . . line?
Then the views without the leading spaces?From the configuration provided, it looks very similar to mine, only real difference is I have forwarding enabled as I used SSL/TLS to my Internet DNS servers, but I had views working long before that and even before that config had to also be in custom options.
@denx I'm no expert, but based on my networking background, I don't why that would make any difference.
Best practice is general is always to have more specific matches first, but in your case they are both /24's -
@horse2370 Thanks! After messing around a bit, I discovered that the order in which you put the networks/hosts makes no difference. The culprit for my problems was, indeed, the "server" prefix in the last line. Deleting it solved the issue.
-
@denx Great - as for the server: unless you want to make the modification posted by Gertjan, keep checking if make any changes to pfBlocker as it will come back.
I have a note on in my "Change Log Documents" to verify so it doesn't bite me.To help out pfdm007, do you have leading spaces in your Custom Options?
TIA
-
Finally got to do some testing....
@horse2370 : Yes if I remove evething in Unbound's custom options box, it saves. I also managed to find a workaround:
- Shutdown DNSBL/pfblockerNG, it will remove its line in Unbound's options
- Keep everything else in Unbound's options
- Remove the leading spaces
- Save (no problems!)
- Start DNSBL, it puts back its line in Unbound's options
- Remove the "server:"
- Save the options
Now I need to check if the bypassing works, but at least I got past the saving issues....
-
After all, it seems it is working now. In retrospect, I think there are still some bugs and things to iron out, and DNSBL's devs should definitely support unbound views, but at least it all works at this moment. Big thanks to you guys!
-
I'm sure this is obvious and likely just not the way you want to go, but another solution is to create a separate interface (vlan) for certain hosts and exclude this interface from using unbound (and pfBlockerNG/DNSBL) altogether. Then just allow hosts on this interface/vlan to access "respectable" external DNS servers. I did this for a gaming PC so that I didn't have to compromise my tight pfBlockerNG/DNSBL config for the sake of a single computer that wanted to talk to the world.
-
While this solution may work for some, I would prefer to still have some blocking on the additional vlan. I just really wanted the ability to have policy based blocking like the Sensei plugin offers for Opnsense. I'm currently trying it out with the $9.99 home plan, and so far it has been working as expected. It was so easy to set up as well, it just sucks having to pay 10/month :P lol Really would prefer to go back to pfsense. My goal was to find basic ad blocking on some (adult) pc's, and much stricter blocking for my kids pc's and guest devices.
I could have used other options, like pi-hole or opendns for the kids, but I want it to all go through my router and not depend on other services. Thanks for all the input so far!
-
@mdngi said in Bypassing DNSBL for specific IPs:
I'm sure this is obvious and likely just not the way you want to go, but another solution is to create a separate interface (vlan) for certain hosts and exclude this interface from using unbound (and pfBlockerNG/DNSBL) altogether
That's exactly what I wanted to do since day 1. Read my original post on this thread:
Basically I want all traffic on a specific VLAN (named DMZ with 192.168.2.0/24) totally bypass pfblocker & DNSBL in both directions (incoming and outgoing)...
Does it mean that there is a simpler/more permanent way of doing this? You need to detail how because AFAIK, all interfaces have their traffic go through the same DNS resolver (Unbound) and the distinction between filtered or not is done at the resolver level via the line :
include: /var/unbound/pfb_dnsbl.*conf
-
It's basically 4 things.
1). Configure unbound to not listen / respond to queries from clients on the excluded interface ("Network Interface" on the general tab of the DNS Resolver settings)
2). Don't configure any NAT / Port Forwarding for DNS on that interface (i.e. don't force DNS through pfSense like you probably would for the other interfaces)
3). Configure your DHCP settings for that interface with the DNS server(s) you want to use on the hosts for this zone (eg. Google, OpenDNS, etc) OR set the DNS server manually on the host.
4). Create the necessary FW rules for that interface to allow DNS out to the open internet / to the DNS servers you specified in #3.