Is my install of pfBlocker hosed?
-
I've been experiencing weird issues with this lately. I have uninstalled and rebuilt from scratch, but am still having 2 primary issues:
I'm running devel 2.2.5_33 and pfSense 2.4.5 p1.
Unlocking a domain to debug does not work. It lists it as unlocked, and even if I clear my DNS cache or use a different browser, that same domain still resolves to the VIP.
-
Firewall DNS lookup is somehow bypassing pfBlocker (Diagnostic > DNS Lookup). Anything I put in here that I know to be in DNSBL always resolves to actual IP. This used to be where I could test to see if a domain was blocked or not.
-
-
@bhjitsense said in Is my install of pfBlocker hosed?:
Unlocking a domain to debug does not work. It lists it as unlocked, and even if I clear my DNS cache or use a different browser, that same domain still resolves to the VIP.
Hi,
are you using this?
@bhjitsense "Firewall DNS lookup is somehow bypassing pfBlocker (Diagnostic > DNS Lookup). Anything I put in here that I know to be in DNSBL always resolves to actual IP. This used to be where I could test to see if a domain was blocked or not."
what kind of diagnostics is it that is on an NGFW (real time) and, let's say, an app (pfBlockerNG) can affect it?
-
@DaddyGo
Unlocking a domain shouldn't require running an Update.
@DaddyGo "what kind of diagnostics is what is on NGFW (real time) and let's say an app (pfBlockerNG) can affect it?"
I'm not sure I understand what you're asking.
-
@bhjitsense said in Is my install of pfBlocker hosed?:
Unlocking a domain shouldn't require running an Update.
yes, but..... pfBlockerNG works well if properly configured
(I would try it, .......you know the database)
@bhjitsense "I'm not sure I understand what you're asking."
just watch what I show you about a domain (DNSBL of course and nslookup)
like:
and
-
@DaddyGo
It's my understanding, if I run an update after unlocking the domain, it would then re-lock that domain. Unlocking is only temporary until a CRON update is run. I'm fairly certain my configuration is correct, although that's what I'm trying to determine. Obviously an update task is run regularly, otherwise these domains wouldn't be listed in the Reports at all.
That's interesting with your example. That's what I'm seeing too. However, I KNOW in the recent past, when I would do a DNS lookup in pfSense of a known-blocked domain (such as your example), pfSense would show the VIP address (10.10.10.1).
-
@bhjitsense said in Is my install of pfBlocker hosed?:
It's my understanding, if I run an update after unlocking the domain, it would then re-lock that domain.
you haven’t said that so far, so this is indeed the right approach?!?
well, I'm testing and I wouldn't have thought but need an update, just look at my previous example...:
pfBlockerNG does not block, after the upgrade
@bhjitsense "That's interesting with your example. That's what I'm seeing too. However, I KNOW in the recent past, when I would do a DNS lookup in pfSense of a known-blocked domain (such as your example), pfSense would show the VIP address (10.10.10.1)."
the firewall diagnostic tools must work independently of the installed packages!
(otherwise it makes no sense to control what you block, disable, etc.)
++++ edit:
I think the "UNLOCK" is not what you want, although @BBcan177 would know more about it, but I haven't seen it on the forum in a long time
-
I ran an update; it did not unlock that domain, but running a CRON or Force did. However, after just running the update, that domain is still blocked. It even shows up in the reporting as a hit, but unlocked.
-
Even Whitelisting it still alerts and blocks.
-
@DaddyGo I found what was causing the issue.
I have several VLANs. One of which is a Guest Wifi VLAN. I wanted pfBlocker/DNSBL to be bypassed for this VLAN. So a while back I was trying to figure out how to make that happen. Via this forum, I came up with this to put in Custom Options in DNS Resolver:
server:
  access-control-view: 192.168.2.0/24 bypass
  access-control-view: 192.168.0.0/24 dnsbl
view:
  name: "bypass"
  view-first: yes
view:
  name: "dnsbl"
  view-first: yes
  include: /var/unbound/pfb_dnsbl.*conf
Where 192.168.2.0/24 is the Guest VLAN. DNSBL was successfully bypassed on that VLAN with this. But after removing all this code, I now see DNS Lookup successfully shows when a domain is blocked:
Then when I Unlock the domain, it is immediately resolvable:
Apparently, the Custom Option workaround works but may cause intended or unwanted actions within pfBlocker. Hopefully this can be a native feature in the future (DNSBL bypass for specific VLAN).
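Added example (not from the thread, pfBlockerNG or unbound): a small Python model of how the posted view configuration routes clients. It assumes unbound applies the most specific matching access-control-view and that the firewall's own Diagnostics > DNS Lookup originates from 127.0.0.1; a client matching no rule gets no view, so the DNSBL include that was moved inside the "dnsbl" view never applies to it.

```python
import ipaddress

# Constructed copy of the Custom Options posted in the thread.
UNBOUND_CUSTOM_OPTIONS = """
server:
    access-control-view: 192.168.2.0/24 bypass
    access-control-view: 192.168.0.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf
"""

def parse_views(config):
    """Return (acl_rules, views): acl_rules is a list of (network, view name),
    views maps each view name to the include paths declared inside it."""
    acl_rules, views, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "view":            # a new "view:" block starts; its name follows
            current = None
        elif key == "name":
            current = value.strip('"')
            views.setdefault(current, [])
        elif key == "access-control-view":
            net, view_name = value.split()
            acl_rules.append((ipaddress.ip_network(net), view_name))
        elif key == "include" and current is not None:
            views[current].append(value)
    return acl_rules, views

def dnsbl_applies(client_ip, acl_rules, views):
    """True when the client's queries are answered from a view that includes the
    pfBlockerNG DNSBL zone file. With the include moved inside the 'dnsbl' view,
    a client matching no access-control-view gets no view and no DNSBL data.
    Most-specific netblock wins (assumption about unbound's rule matching)."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, name) for net, name in acl_rules if ip in net]
    if not matches:
        return False
    _, view_name = max(matches, key=lambda m: m[0].prefixlen)
    return any("pfb_dnsbl" in path for path in views.get(view_name, []))
```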
-
@bhjitsense said in Is my install of pfBlocker hosed?:
I found what was causing the issue.
The forum is good, because it makes you think...