
    BIND filter-aaaa

    • Gertjan

      Added to the above :

      This : /var/unbound/unbound.conf :

      # Python Module
      python:
      python-script: no-aaaa.py
      python-script: pfb_unbound.py
      

      would be nice.
      No need to edit @BBcan177 's python script !

      Guess what : unbound, the version we use - only accepts ONE python module. Not multiple modules.

      When I modify the config generating code so I obtain an unbound.conf as shown above, only the python script "no-aaaa.py" gets loaded. Not the second "pfb_unbound.py".

      According to :

      d0556330-dd52-4fa5-8170-1787dc27242c-image.png

      See the last paragraph here https://nlnetlabs.nl/documentation/unbound/unbound.conf/ - it should be possible.
      Our 2.4.5-p1 unbound version is probably too old.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • mikekoke

        I hope the next version of pfsense will integrate the functionality of using more than one python script having an updated version of unbound.

        • Gertjan @mikekoke

          @mikekoke said in BIND filter-aaaa:

          I hope the next version o

          The next version of pfBlockerNG-devel, probably the upcoming 3.0.0_4, will have the "No AAAA" built in.
          No more script files to manage. Just enter your list with host names that won't work well using IPv6, and you're done :

          03ed5349-e681-4a90-8634-c66a4fca87a7-image.png

          • mikekoke @Gertjan

            @gertjan
            Great news as soon as I can I will update pfblocker, can I know which domains you have added to the list?

            • Gertjan

              https://forum.netgate.com/topic/159016/pfblockerng-devel-v3-0-0_5

              @mikekoke said in BIND filter-aaaa:

              which domains

              Normally : none.
              Read https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module

              • AberDino @Gertjan

                @gertjan
                Need a little help please...

                I upgraded my pfBlockerNG-devel from a pre-v3 version to 3.0.0_7 this afternoon. I was previously using the no-aaaa script in unbound, and I am now trying to migrate that across to pfBlockerNG-devel. I think I have ticked all the required boxes and I have entered my domain list, but it only seems to work for the domains as entered, and not for any hosts which are part of that domain, i.e. it is as if each line entered is treated like an individual host.

                For example, I have entered office.com in the list, and resolution of office.com returns only an IPv4 address, but outlook.ms-acdc.office.com returns both IPv4 and IPv6 addresses. The previous no-aaaa script had "office.com." as the domain, but if I include the last "." in pfBlockerNG-devel it doesn't work at all. Effectively I want IPv4 resolution only for "*.office.com". I presume that is possible in pfBlockerNG-devel?

                Thanks

                • bruor @AberDino

                  @aberdino might be good to post this over on the announcement thread, a lot of minor changes were being patched by the dev fairly quickly as they were reported over there.

                  https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound

                  • Gertjan @AberDino

                    @aberdino said in BIND filter-aaaa:

                    For example, I have entered office.com in the list, and resolution of office.com returns only an IPv4 address, but outlook.ms-acdc.office.com returns both IPv4 and IPv6 addresses. The previous no-aaaa script had "office.com." as the domain, but if I include the last "." in pfBlockerNG-devel it doesn't work at all. Effectively I want IPv4 resolution only for "*.office.com". I presume that is possible in pfBlockerNG-devel?

                    The upcoming version of pfBlocker, the one after 3.0.0_7 (not yet released, it's upcoming) will do this correctly :

                    Consider :
                    55fe0757-c989-4d3c-96f8-61d38e0a8e7b-image.png

                    ( do a Force Update after saving these settings ! - flush local DNS caches)

                    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host papy-team.org
                    papy-team.org has address 87.98.136.44
                    papy-team.org mail is handled by 20 mail2.papy-team.org.
                    papy-team.org mail is handled by 10 mail.papy-team.org.
                    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.papy-team.org
                    www.papy-team.org has address 87.98.136.44
                    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host pop.papy-team.org
                    pop.papy-team.org has address 87.98.136.44
                    

                    So, the domain itself, and all sub domains will be A only.

                    But - in the case of "www.test-domaine.fr" :

                    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host test-domaine.fr
                    test-domaine.fr has address 5.196.43.182
                    test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
                    test-domaine.fr mail is handled by 20 mail2.test-domaine.fr.
                    test-domaine.fr mail is handled by 10 mail.test-domaine.fr.
                    test-domaine.fr mail is handled by 30 mail.test-domaine.fr.
                    [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.test-domaine.fr
                    www.test-domaine.fr has address 5.196.43.182
                    www.test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
                    

                    Strange !!
                    Only the sub domain www.test-domaine.fr should be "A" only (no AAAA). The domain itself will return an AAAA (that's ok), but the sub domain listed in the Python no AAAA List "www.test-domaine.fr" - see above - also returns an AAAA !
                    (note : I'm using the upcoming 0.0._8 version here, not yet released)

                    I wonder :

                    .papy-team.org
                    

                    should block AAAA for the domain and all possible sub (and sub sub etc) domains,
                    and without the starting dot, like

                    papy-team.org
                    

                    should block AAAA for the domain - and NOT for the sub domains ?

                    Remark

                    1. don't know if such a feature is needed.
                    2. The syntax with the starting dot should be inversed ? Like ".papy-team.org" is blocking this domain and all sub domains, and without the starting dot, like "papy-team.org" only that domain without doing the wildcard thing ?

                    • bruor @Gertjan

                      @gertjan your suggestion sounds best to me. Make it work exactly like the dnsbl whitelist function, leading ". " for all subdomains, otherwise a single record.

                      • AberDino @bruor
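The list semantics agreed in the two posts above (a leading "." covers the domain and every subdomain, no leading dot means that exact name only), as an added Python example. This is not pfBlockerNG's or Unbound's own code: the function names, the sample list and the query names are my own constructions. It also strips a trailing root dot, which AberDino reported broke matching entirely, and it matches on label boundaries so that "notpapy-team.org" is not treated as a subdomain of ".papy-team.org".

```python
"""Constructed example: wildcard semantics for a "No AAAA" domain list.

Entry forms (as agreed in the thread):
  .example.org   -> suppress AAAA for example.org and all of its subdomains
  example.org    -> suppress AAAA for exactly example.org, nothing below it

Not pfBlockerNG or Unbound code; names and list contents are made up.
"""

# Constructed sample list; '#' lines are comments, blank lines are ignored.
SAMPLE_LIST = """
# wildcard: apex plus every subdomain
.papy-team.org
# exact: only this host
www.test-domaine.fr
# trailing root dot should be tolerated, not break the entry
office.com.
"""


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'Office.COM.' == 'office.com'."""
    return name.strip().lower().rstrip(".")


def load_no_aaaa_list(text: str):
    """Parse list text into (exact, wildcard) sets of normalized names."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        if entry.startswith("."):
            wildcard.add(normalize(entry[1:]))  # ".x.org" -> "x.org" in wildcard set
        else:
            exact.add(normalize(entry))
    return exact, wildcard


def suppress_aaaa(qname: str, exact: set, wildcard: set) -> bool:
    """Return True if AAAA answers for qname should be dropped."""
    name = normalize(qname)
    # Exact entries match only the name itself; wildcard entries match the apex too.
    if name in exact or name in wildcard:
        return True
    # Walk up one label at a time: a.b.x.org -> b.x.org -> x.org.
    # Comparing whole label suffixes (not string suffixes) keeps
    # "notpapy-team.org" from matching ".papy-team.org".
    labels = name.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in wildcard:
            return True
    return False


def filter_answers(qname: str, answers, exact: set, wildcard: set):
    """Simulate the resolver step: drop AAAA records for suppressed names.

    answers is a list of (rrtype, value) tuples; A, MX and other types pass through
    unchanged, so a suppressed name still resolves over IPv4.
    """
    if not suppress_aaaa(qname, exact, wildcard):
        return list(answers)
    return [(rrtype, value) for rrtype, value in answers if rrtype != "AAAA"]


EXACT, WILDCARD = load_no_aaaa_list(SAMPLE_LIST)

if __name__ == "__main__":
    for q in ["papy-team.org", "pop.papy-team.org", "notpapy-team.org",
              "test-domaine.fr", "www.test-domaine.fr", "OFFICE.COM.",
              "outlook.ms-acdc.office.com"]:
        print(f"{q:30} drop AAAA: {suppress_aaaa(q, EXACT, WILDCARD)}")
```

Running the block prints one line per constructed query; the apex and every host under papy-team.org are A-only, while only www.test-domaine.fr (not test-domaine.fr or deeper names) and only office.com itself (not outlook.ms-acdc.office.com) are suppressed, which is the behaviour AberDino first observed with a dot-less entry.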

                        @bruor
                        Agreed, and thank you both.

                        • AberDino

                          @gertjan and @bruor
                          This evening I upgraded to pfBlockerNG-devel 3.0.0_8, and I can confirm that AAAA blocking now works as indicated, i.e. with the leading "." only A records are returned for all subdomains and hosts. Many thanks for your help 👍 .

                          • AberDino @AberDino

                            @Gertjan and @bruor
                            I might have spoken too soon, as it's not working now, I'll do some further digging...

                            • AberDino @AberDino

                              @aberdino said in BIND filter-aaaa:

                              @Gertjan and @bruor
                              I might have spoken too soon, as it's not working now, I'll do some further digging...

                              Just to close this issue, I'm now on pfSense 2.5.0 with pfBlockerNG-devel 3.0.0_10 and the wildcard AAAA blocking works great. Thank you guys 👍

                              • Nan0tEch

                                I wanted to add the no-aaaa script again to unbound when I stumbled on this thread, I'm running pfsense plus 22.05 and the latest pfblocker-ng 3.1.0_7. I cannot find the no-aaaa script as a setting in pfblocker-ng as shown by @Gertjan here.

                                Where can I find these settings for no-aaaa?

                                • bruor @Nan0tEch

                                  @nan0tech put pfblocker-ng in python mode under the DNSBL tab, "no AAAA" should be available in the list (has a lightning bolt next to it)

                                  • johnpoz LAYER 8 Global Moderator @Nan0tEch

                                    @nan0tech this thread is quite old.. the no AAAA thing is now here for easy consumption

                                    noaaaa.jpg

                                    Per @bruor comment.. I find pictures are easier for some users.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.