pfBlockerNG DNSBL Categories not working

Gertjan

@jayb1 said in pfBlockerNG DNSBL Categories not working:

I just can't seem to get this to work.

Can you show us what fails ?

I selected some of them : Shallalist_aggressive, Shallalist_anonvpn, Shallalist_drugs and Shallalist_violence, just for testing purposes.
Seems to work :

During a forced update :

UPDATE PROCESS START [ 06/02/20 07:36:48 ]

===[  DNSBL Process  ]================================================

Loading DNSBL Statistics... completed
Loading DNSBL SafeSearch...  enabled
Loading DNSBL Whitelist... completed
Loading TOP1M Whitelist... completed

[ Shallalist_adv ]		 Reload . completed ..
 Whitelist: doubleclick.net|googleadservices.com|
 ----------------------------------------------------------------------
 Orig.    Unique     # Dups     # White    # TOP1M    Final                
 ----------------------------------------------------------------------
 9929     9929       0          2          0          9927                 
 ----------------------------------------------------------------------

[ Shallalist_aggressive ]	 Downloading update [ 06/02/20 07:36:49 ] ..
 ----------------------------------------------------------------------
 Orig.    Unique     # Dups     # White    # TOP1M    Final                
 ----------------------------------------------------------------------
 303      303        1          0          0          302                  
 ----------------------------------------------------------------------

[ Shallalist_anonvpn ]		 Downloading update ..
 ----------------------------------------------------------------------
 Orig.    Unique     # Dups     # White    # TOP1M    Final                
 ----------------------------------------------------------------------
 390      390        0          0          0          390                  
 ----------------------------------------------------------------------

[ Shallalist_drugs ]		 Downloading update ..
 ----------------------------------------------------------------------
 Orig.    Unique     # Dups     # White    # TOP1M    Final                
 ----------------------------------------------------------------------
 11015    11015      3          0          0          11012                
 ----------------------------------------------------------------------

[ Shallalist_spyware ]		 Reload [ 06/02/20 07:36:50 ] . completed ..
 ----------------------------------------------------------------------
 Orig.    Unique     # Dups     # White    # TOP1M    Final                
 ----------------------------------------------------------------------
 19593    19593      321        0          0          19272                
 ----------------------------------------------------------------------

[ Shallalist_violence ]		 Downloading update [ 06/02/20 07:36:51 ] ..
 ----------------------------------------------------------------------
 Orig.    Unique     # Dups     # White    # TOP1M    Final                
 ----------------------------------------------------------------------
 179      179        9          0          0          170                  
 ----------------------------------------------------------------------
........

........

====================[ DNSBL Last Updated List Summary ]==============

Oct 22	2019	MDS_Immortal
Dec 16	18:34	MalC0de
Jan 22	13:15	MDL
Jan 25	00:00	MoneroMiner
Jan 25	00:00	NoCoin
Jan 25	00:00	Zeus
Feb 1	18:42	CoinBlocker_Opt
Feb 1	18:42	CoinBlocker_All
Feb 7	00:00	dShield_SD
Apr 10	07:41	Abuse_DOMBL
Apr 10	07:41	Abuse_URLBL
Apr 10	07:42	Spam404
May 3	07:19	MVPS
May 11	10:50	AntiSocial_BD
May 19	04:16	MDS
May 23	04:34	SWC
May 26	00:06	OISD
May 31	06:00	Shallalist_adv
May 31	06:00	Shallalist_spyware
May 31	06:42	ISC_SDH
May 31	23:00	SFS_Toxic_BD
May 31	23:17	BBC_DC2
May 31	23:21	D_Me_Malw
May 31	23:21	D_Me_Malv
Jun 2	07:36	Shallalist_aggressive
Jun 2	07:36	Shallalist_anonvpn
Jun 2	07:36	Shallalist_drugs
Jun 2	07:36	Shallalist_violence
===============================================================

Database Sanity check [  PASSED  ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check

Sync check (Pass=No IPs reported)
----------

Alias table IP Counts
-----------------------------
  32644 total
  24897 /var/db/aliastables/pfB_Top_v4.txt
   2584 /var/db/aliastables/pfB_Top_v6.txt
   2274 /var/db/aliastables/pfB_PRI5_v4.txt
   1778 /var/db/aliastables/pfB_BlockListDE_v4.txt
   1098 /var/db/aliastables/pfB_PRI1_v4.txt
     13 /var/db/aliastables/pfB_Internic_4_v4.txt

pfSense Table Stats
-------------------
table-entries hard limit  4000000
Table Usage Count         145748

UPDATE PROCESS ENDED [ 06/02/20 07:38:03 ]

jayb1

Hi,

This is what is shown with a forced update.

 UPDATE PROCESS START [ 06/02/20 16:52:21 ]

===[  DNSBL Process  ]================================================

 Loading DNSBL Statistics... completed
 Loading DNSBL SafeSearch...  disabled
 Loading DNSBL Whitelist... completed

Clearing all DNSBL Feeds completed
TLD:
TLD analysis no changes

Saving DNSBL database... completed
Reloading Unbound Resolver..... completed [ 06/02/20 16:52:27 ]
DNSBL update [ 0 | PASSED  ]... completed
------------------------------------------------------------------------

===[  GeoIP Process  ]============================================


===[  IPv4 Process  ]=================================================

[ Abuse_Feodo_C2_v4 ]		 exists.
[ Abuse_IPBL_v4 ]		 exists.
[ Abuse_SSLBL_v4 ]		 exists.
[ BBC_C2_v4 ]			 exists.
[ CINS_army_v4 ]		 exists.
[ ET_Block_v4 ]			 exists.
[ ET_Comp_v4 ]			 exists.
[ ISC_1000_30_v4 ]		 exists.
[ ISC_Block_v4 ]		 exists.
[ Spamhaus_Drop_v4 ]		 exists.
[ Spamhaus_eDrop_v4 ]		 exists.
[ Talos_BL_v4 ]			 exists.

===[  Aliastables / Rules  ]==========================================

No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

 UPDATE PROCESS ENDED

It doesn't mention Shallalist.

Gertjan

Your pfBLockerNG version is ?

jayb1

@Gertjan thanks for the help. It's pfBlockerNG-devel 2.2.5_32.

Gertjan

That's the lastest one, like mine.

You do have 'checked' some lists ?

jayb1

@Gertjan Hi, yes I do. For example "porn" but then obvious porn sites are not blocked.

jayb1

Any body have any other ideas?

RonpfS

@jayb1 said in pfBlockerNG DNSBL Categories not working:

telist... complet

You should post in the pfblockerNG Forum subsection.

So you ran a Force Update. Did you run a Force Reload DNSBL ?

Do you have DNSBL enabled? If not, enabled it, than run a Force Update and a Force Reload DNSBL. Inspect the logs.

Do you have any other DNSBL groups enabled? Enable at least one group, Force Update/Reload DNSBL, inspect the logs.

Gertjan

@RonpfS For DNSBL to be enabled, it should be enabled. Sounds stupid, but very true.

Btw : I selected this 'porn' thing, and saw this at the top of the page, after validating :

what this means is that the list is typically huge.
"tld" condition apply : like this one eats Gigabytes of memory. If memory starts to fail, the rest of the list will get ignored.

edit : the porn list contains 730 000 entries - it's huge.

[ Shallalist_porn ]		 Downloading update [ 06/03/20 07:29:29 ] .
  IDN converted: [ sendesık.com ]	 [ xn--sendesk-wfb.com ].
  ----------------------------------------------------------------------
  Orig.    Unique     # Dups     # White    # TOP1M    Final                
  ----------------------------------------------------------------------
  727947   727947     449        0          0          727498               
  ----------------------------------------------------------------------

Because my pfSEnse only contains 2 Gbytes of memory,I had this message :

TLD analysis..xxxxxxx completed [ 06/03/20 07:32:18 ]

  ** TLD Domain count exceeded. [ 150000 ] All subsequent Domains listed as-is **

TLD finalize......................

as explained. For this list you'll be needing something like 4 GBytes or even more.

When everything works, you would be able to :

@jayb1 said in pfBlockerNG DNSBL Categories not working:

For example "porn" but then obvious porn sites are not blocked.

Always keep in mind that pfBlockerNG has no brains ^^
It just download for you a list that should represent sites of a certain kind. IP addresses keep changing all the time. Especially if they contain a lot of arguable content (and a lot of publicity). The people that created the list are doing this manually, as AI can't classify the entire Internet. So, false hits always exist.

jayb1

@RonpfS Sorry, did realise there was a pfBlockerNG forum section. Happy for a mod to shift it.

Yes, I've run multiple forced updates and reloaded DNSBL.

DBNSL is enabled.

The logs show no errors. Just the usual from the forced update.

 UPDATE PROCESS START [ 06/03/20 16:17:34 ]

===[  DNSBL Process  ]================================================

 Loading DNSBL Statistics... completed
 Loading DNSBL SafeSearch...  disabled
 Loading DNSBL Whitelist... completed

Clearing all DNSBL Feeds completed
TLD:
TLD analysis no changes

Saving DNSBL database... completed
Reloading Unbound Resolver..... completed [ 06/03/20 16:17:40 ]
DNSBL update [ 0 | PASSED  ]... completed
------------------------------------------------------------------------

===[  GeoIP Process  ]============================================


===[  IPv4 Process  ]=================================================

[ Abuse_Feodo_C2_v4 ]		 exists.
[ Abuse_IPBL_v4 ]		 exists.
[ Abuse_SSLBL_v4 ]		 exists.
[ BBC_C2_v4 ]			 exists.
[ CINS_army_v4 ]		 exists.
[ ET_Block_v4 ]			 exists.
[ ET_Comp_v4 ]			 exists.
[ ISC_1000_30_v4 ]		 exists.
[ ISC_Block_v4 ]		 exists.
[ Spamhaus_Drop_v4 ]		 exists.
[ Spamhaus_eDrop_v4 ]		 exists.
[ Talos_BL_v4 ]			 exists.

===[  Aliastables / Rules  ]==========================================

No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

 UPDATE PROCESS ENDED

It is blocking from my computer when I check that log, but I assume this is the IPv4 ad blocking?

Jun 3 16:12:38,1770008388,igb1,LAN,block,4,17,UDP,192.168.128.109,212.178.154.174,51149,18183,out,NL,pfB_PRI1_v4,212.178.154.174,CINS_army_v4,D4B29AAE.static.ziggozakelijk.nl,JASON,null,-
Jun 3 16:12:38,1770008388,igb1,LAN,block,4,17,UDP,192.168.128.109,212.178.154.174,51149,18183,out,NL,pfB_PRI1_v4,212.178.154.174,CINS_army_v4,D4B29AAE.static.ziggozakelijk.nl,JASON,null,-

I did have other groups enabled and it wasn't working, so I removed them all to simplify it and narrow down the problem (didn't help!).

Thanks for your time helping, it's much appreciated.

RonpfS

That's IP blocking.

It looks like it doesn't enable DNSBL, do you use the DNS Resolver ?

jayb1

@Gertjan thanks for you response.

I have 4GB of memory and it doesn't seem to be stressing that out with only a few computers on the network.

It's not showing a Shallalist log...

Perhaps I just delete pfBlockerNG and start again?

jayb1

@RonpfS said in pfBlockerNG DNSBL Categories not working:

DNS Resolver

Yes, the DNS resolver is on.

Gertjan

Extra info : I activated that 'porn' list.
unbound (the Resolver) never ended reloading- restarting.
No more DNS :> no more surf. I had to remove it ....

RonpfS

Try to un-tick Keep Settings, disable pfblockerNG, save Settings this will clear the DB.
Uninstall, Install again, reconfigure, etc, remember to click on all

jayb1

@RonpfS said in pfBlockerNG DNSBL Categories not working:

Try to un-tick Keep Settings, disable pfblockerNG, save Settings this will clear the DB.
Uninstall, Install again, reconfigure, etc, remember to click on all

This worked. I have no idea what was wrong with the first config.

RonpfS

@jayb1

gurpreets

category filtering not working when I enter custom domain it works, could you please help me do block things category wise