Netgate Discussion Forum
    pfBlockerNG not working

    33 Posts 8 Posters 13.4k Views
    • BBcan177 (Moderator)

      If you have an AD/DHCP/DNS Server, then make sure that all LAN devices are pointing their DNS settings to your AD/DNS server. Then set the AD DNS server "Forwarder" to pfSense, so that DNSBL can filter those requests.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177 #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      • MrPutin @BBcan177

        @BBcan177
        "Then set the AD DNS server "Forwarder" to pfSense, so that DNSBL can filter those requests." >>> This is my silly mistake, thank you very much for your help !!! 👍 👍 👍

        • shoaib

          @MrPutin I am facing the same problem, could you please guide me as well? I am using pfSense as my DNS server but still can't make it work. Also I have VPN configured, IPsec and LAN2 .. maybe that's causing the problem..

          • Gertjan @shoaib

            @shoaib said in pfBlockerNG not working:

            also i have vpn configured ipsec and lan2 .. maybe that's causing the problem..

            Well ????
            Ditch that VPN and ipsec and re-test.

            if not,

            @shoaib said in pfBlockerNG not working:

            same problem

            This was already solved :

            @BBcan177 said in pfBlockerNG not working:

            What problem are you having? I can't diagnose without any relevant information? Logs? Description?

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • UWLane @BBcan177

              @BBcan177
              I am having an issue where my local machine is not redirecting all dns traffic to local host. I have the firewall rules in place as per instructions to catch all other outbound dns requests other than local dns but it doesn't block. Just wondering if you can assist?

              • malf0rmedZ

                Hi, I have a similar problem and setup.

                I'm using DNSBL with a few block lists. I followed this setup guide.

                My main concern is blocking porn as I have kids at home.

                In my tests yesterday, some websites were blocked and some that are clearly in the lists were not.

                Today I enabled DNSBL again without really making any changes (apart for the daily pfSense reboot) and now porn sites are blocked.

                I'll shed more details on the problem and my setup:

                An example site is porn(h)ub. It is in the block list but I could still browse it.

                Here are screenshots of my setup:
                https://imgur.com/a/P3ADnd8

                • JeGr (LAYER 8 Moderator) @UWLane

                  @UWLane said in pfBlockerNG not working:

                  I am having an issue where my local machine is not redirecting all dns traffic to local host. I have the firewall rules in place as per instructions to catch all other outbound dns requests other than local dns but it doesn't block. Just wondering if you can assist?

                  What's that to do with pfBlocker? If your local machine is not "redirecting" all dns traffic to localhost(? what do you mean by that?) - there's nothing pfsense or pfblocker can do.

                  You can catch DNS and DoT requests with the firewall and redirect it to pfsense so unbound is used but if your client uses some sort of DoH (DNS over HTTPS) there's nothing pfsense, pfblocker or anyone can do besides you stop your client using that application/setting.

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  • Gertjan

                    This :

                    (screenshot)

                    conflicts with this :
                    Please read again the "fine print" :

                    (screenshot)

                    Also :

                    (screenshot)

                    which opens the way to :
                    A DNS request that exists on ("in") pfSense can go to 127.0.0.1 - Unbound or Dnsmasq (the forwarder), whoever is serving DNS,
                    Or
                    to 185............. (why did you hide this IP ?)
                    or
                    to 195............. (why did you hide this IP ?)

                    185........ and 195...... do also DNSBL for you ? If so, do you control 'them' ?

                    @malf0rmedZ said in pfBlockerNG not working:

                    I followed this setup guide.

                    Re read this :

                    (screenshot)

                    I guess you understand now what this means ;)
                    @malf0rmedZ said in pfBlockerNG not working:

                    In my tests yesterday, some websites were blocked and some that are clearly in the lists were not.

                    What web sites ?
                    Which feeds ?


                    • malf0rmedZ @Gertjan

                      @Gertjan, thanks for pointing out my misconfigurations, do note that my DNS clients are pointing to the domain controller which uses pfSense as the DNS forwarder (see Windows DNS server screenshot).

                      I guess I don't fully understand what I should do so if you could please advise that would be much appreciated. Thanks!

                      • Gertjan

                        Check your DHCP server.
                        Does it hand out the correct DNS info to the (your) LAN network clients ?
                        If needed, check all these clients, see what DNS they use.

                        Read this : Home > pfSense® Software > DHCP and DNS, the very first thread "Be aware of Trusted Recursive Resolver (TRR) in Firefox", knowing that it's not only Firefox that can do "DoT" .... most browsers - and other applications (!) can do DoT these days.
                        Which means that "the phone of your kid" can have apps that don't bother with your "pfBlockerNG - DNSBL"; they bypass it completely.
                        It's like https traffic that cannot be intercepted. This includes the CIA, NSA and KGB (or whatever they call themselves these days).
                        Blocking outgoing port 853, TCP and UDP, might help here, and even forcing the use of your DNS ** - not someone else's DNS.

                        ** see the pfSense manual.


                        • malf0rmedZ @Gertjan

                          Yes my DHCP clients are getting the correct DNS server address (domain controller with pfSense as the forwarder).

                          From your response I still don't understand what I need to correct in my settings. I sent detailed screenshots so all the configuration information is there. "Do 1...2...3...." type instructions would be ideal, I can't be that far off from the correct settings I would think.

                          If someone could please assist that would be much appreciated :)

                          • RonpfS @malf0rmedZ

                            @malf0rmedZ said in pfBlockerNG not working:

                            https://i.imgur.com/FOf0DWd.png

                            You should click on the Infoblock to get the right settings : The " + " isn't allowed in group name

                            GroupName.png (screenshot)

                            2.4.5-RELEASE-p1 (amd64)
                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                            • malf0rmedZ

                              Thanks RonpfS

                              @bmeeks your unique explanation abilities will be mightily appreciated - if you can assist in distilling the above comments into clear steps I need to take that will be a huge help. Thanks in advance

                              • malf0rmedZ @Gertjan

                                @Gertjan said in pfBlockerNG not working:

                                This :

                                (screenshot)

                                conflicts with this :
                                Please read again the "fine print" :

                                (screenshot)

                                Can you please explain how these settings conflict? To me having both enabled makes total sense since this enables query forwarding which is required.

                                Also :

                                (screenshot)

                                which opens the way to :
                                A DNS request that exists on ("in") pfSense can go to 127.0.0.1 - Unbound or Dnsmasq (the forwarder), whoever is serving DNS,
                                Or
                                to 185............. (why did you hide this IP ?)
                                or
                                to 195............. (why did you hide this IP ?)

                                185........ and 195...... do also DNSBL for you ? If so, do you control 'them' ?

                                Can you please explain here what your recommendation is?

                                @malf0rmedZ said in pfBlockerNG not working:

                                I followed this setup guide.

                                Re read this :

                                (screenshot)

                                I guess you understand now what this means ;)

                                As mentioned, my clients point to the domain controller which has pfSense configured as the only forwarder, therefore this requirement is satisfied.

                                @malf0rmedZ said in pfBlockerNG not working:

                                In my tests yesterday, some websites were blocked and some that are clearly in the lists were not.

                                What web sites ?
                                Which feeds ?

                                The websites in these tests were pornhub and reddit. Please note the screenshots I provided are post this problem (i.e., at that point it was suddenly working as you'll see in the dnsbl log screenshot)

                                • Gertjan @malf0rmedZ

                                  @malf0rmedZ said in pfBlockerNG not working:

                                  these settings conflict?

                                  Unbound should work as a resolver, not a forwarder. You are forwarding.

                                  @malf0rmedZ said in pfBlockerNG not working:

                                  recommendation

                                  Remove 185.... and 195 ....


                                  • malf0rmedZ @Gertjan

                                    @Gertjan
                                    Thank you, but if I remove those servers from System/General which upstream forwarders will Unbound use?

                                    • Gertjan

                                      Ready to learn what a resolver actually is ? ;)
                                      See here https://en.wikipedia.org/wiki/Domain_Name_System#DNS_resolvers - the last phrase.

                                      .... For example, a possible resolution of www.example.com would query a global root server, then a "com" server, and finally an "example.com" server.

                                      The Internet uses IPs and doesn't know anything about domain names.
                                      When humans use endless lists of numbers, things become messy, so domain names and host names were invented.

                                      These 13 servers https://en.wikipedia.org/wiki/Root_name_server are hardcoded in each resolver. One of them is used, and the host name is resolved as shown.

                                      A resolver can look up zone details without the need to ask some other DNS system.
                                      For example, you could forward all your DNS request to 8.8.8.8 - 8.8.8.8 is a resolver.


                                      • malf0rmedZ @Gertjan

                                        Thank you, I'm always ready to learn :) In this case I know exactly what a resolver is. Please note using root hints as resolvers is not recommended, using ISP DNS servers is the best choice as this provides caching and reduces the load on root hints. Also, using Google DNS servers equals totally giving up on your privacy which defeats the whole purpose of this exercise...

                                        Therefore, I am wondering if there's a way to use my ISP servers and not root hints with this setup?

                                        • Gertjan @malf0rmedZ

                                          @malf0rmedZ said in pfBlockerNG not working:

                                          Please note using root hints as resolvers is not recommended, using ISP DNS servers is the best choice as this provides caching and reduces the load on root hints

                                          That was in the old days.
                                          These days, DNSSEC exists, which only works while resolving from top to bottom.
                                          ISP DNS servers still exist; their usage isn't mandatory any more.


                                          • JeGr (LAYER 8 Moderator)

                                            @malf0rmedZ said in pfBlockerNG not working:

                                            Please note using root hints as resolvers is not recommended, using ISP DNS servers is the best choice as this provides caching and reduces the load on root hints.

                                            Nope, you explained what a forwarder will do. It will forward to another system and use that for caching etc.
                                            A resolver "resolves" the domain like @Gertjan describes, by resolving it from back (TLD) to front. Also a resolver includes caching itself, validates DNSSEC and is able to go on functioning for 99% of all domains when the forwarders others use are down again - like many of those cited ISP servers are, multiple times a year. I'd never use my ISP's DNS as they have a history of "redirecting" you to other "helpful" sites instead of delivering NXDOMAIN answers. A resolver protects against such acts.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.