DNSBL not creating firewall rules
-
@antonio-briguglio
https://www.firewallhardware.it/pfblockng-filtraggio-domini-e-url/
Configure as described in the two guides. One guide is in Italian, but it has screenshots and is easy to understand. -
@antonio-briguglio
I have tried to use these, but only part of it applies because I am using pfBlockerNG-devel 3.0.0_15 and the instructions at those websites use pfBlockerNG 2.x Release. So a lot of the options are no longer in version 3.0.0_15. -
@antonio-briguglio
Yes, I reinstalled pfBlockerNG several times as well, in fact I even reinstalled pfSense from scratch. -
I even removed version 3.0 (Keep settings was not checked) and installed 2.1.4_25 and I still cannot block websites.
-
@fredmcfly DNSBL doesn't need any firewall rules, it is blocked in DNS.
-
@bob-dig
That makes sense. Didn't think about that. But then why aren't websites blocked? -
@fredmcfly said in DNSBL not creating firewall rules:
Websites that should be blocked do show up in the Reports->Alerts tab.
That is like it should be.
-
@bob-dig But I can still access the websites.
-
@fredmcfly Give an example with screenshot. It is working here.
Edit: Maybe your Browser is not using the pfSense DNS but something different, maybe even DoH. -
@bob-dig
So only some of the websites are being logged. But ones that aren't blocked are not logged. -
@fredmcfly said in DNSBL not creating firewall rules:
But ones that aren't blocked are not logged.
Which is again normal.
-
@bob-dig I agree that it is normal to have a log for a website that is blocked.
So any ideas why a website that is listed in the block list, fails to be blocked?
I have added rules to block DNS requests to the outside following this recipe.
Basically it blocks all outside DNS requests but allows requests to the local DNS Resolver.
-
@fredmcfly For example, you probably can't block DoH like this, so you have to check your browser settings.
Also post some screenshots what you have done and what is not working as expected. -
@bob-dig
OK, I checked the browser and it is not using DoH, see figure below or click on this link:
Here are my DNSBL settings:
DNSBL Feeds
My blacklist feed settings:
When I do a force update, the feeds are downloaded and updated. Including my blacklist.
===[ DNSBL Domain/IP Counts ] ===================================
1221752 total
704572 /var/db/pfblockerng/dnsbl/Shallalist_porn.txt
150125 /var/db/pfblockerng/dnsbl/Maltrail_BD.txt
122595 /var/db/pfblockerng/dnsbl/C19_CTC.txt
97559 /var/db/pfblockerng/dnsbl/Shallalist_porn_v4.ip
29312 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
28363 /var/db/pfblockerng/dnsbl/Shallalist_redirector.txt
14523 /var/db/pfblockerng/dnsbl/Shallalist_gamble.txt
14273 /var/db/pfblockerng/dnsbl/SWC.txt
10633 /var/db/pfblockerng/dnsbl/EasyList.txt
8449 /var/db/pfblockerng/dnsbl/Adaway.txt
6999 /var/db/pfblockerng/dnsbl/Spam404.txt
6827 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
6612 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn_v4.ip
6435 /var/db/pfblockerng/dnsbl/MVPS.txt
3034 /var/db/pfblockerng/dnsbl/Shallalist_dating.txt
2507 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
1985 /var/db/pfblockerng/dnsbl/Krisk_C19.txt
1951 /var/db/pfblockerng/dnsbl/Shallalist_models.txt
1464 /var/db/pfblockerng/dnsbl/Yoyo.txt
1180 /var/db/pfblockerng/dnsbl/Shallalist_redirector_v4.ip
1146 /var/db/pfblockerng/dnsbl/Shallalist_sex_lingerie.txt
482 /var/db/pfblockerng/dnsbl/myblacklist.txt
390 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn.txt
158 /var/db/pfblockerng/dnsbl/Shallalist_sex_education.txt
98 /var/db/pfblockerng/dnsbl/Juniper_v4.ip
42 /var/db/pfblockerng/dnsbl/Shallalist_gamble_v4.ip
23 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
6 /var/db/pfblockerng/dnsbl/Juniper.txt
5 /var/db/pfblockerng/dnsbl/myblacklist_v4.ip
2 /var/db/pfblockerng/dnsbl/EasyList_v4.ip
1 /var/db/pfblockerng/dnsbl/Shallalist_models_v4.ip
If I look at myblacklist_v4.txt I find the following lines as expected:
local-data: "redd.it 60 IN A 10.10.10.1"
local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
local-data: "reddit.com 60 IN A 10.10.10.1"
local-data: "reddup.co 60 IN A 10.10.10.1"
But if I enter reddit.com in my browser, I can still access it and click on links. So the website is not cached in the browser and it is not blocked.
pfSense says my DNS servers are as follows:
Any other information that may be helpful?
-
Here are my Firewall rules to block DNS request to ports 53 and 853, and to force DNS request to local:
-
DNS Resolver Settings:
-
So I did some experimenting and some websites in my list are indeed blocked, but other websites are not blocked even though they are listed in the file
/var/db/pfblockerng/dnsbl/myblacklist.txt
I'm not sure why this is happening.
-
I added reddit.com to the DNSBL Custom_List of malicious and it worked, after pfBlocker ran the usual update.
Also I didn't need any firewall rules for that, because it is all DNS based.
Edit: I tried your list; the problem seems to be that reddit.com is blocked, but not www.reddit.com.
-
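The edit just above points at the mechanism behind the symptom: an unbound local-data record is an exact-name answer, so an entry for reddit.com does not answer a query for www.reddit.com, while a local-zone of type redirect covers every name beneath it. The following Python, added here as an example and not code from the thread or from pfBlockerNG, parses lines in the format shown in the thread and reports which names a configuration would sinkhole; the function names and the example.test redirect zone are constructed for this illustration.

```python
"""Check which hostnames an unbound local-data/local-zone config sinkholes.

Constructed example: it parses the line format shown in the thread and shows
why an exact-match entry for reddit.com leaves www.reddit.com unblocked.
"""
import re
from typing import Dict, Optional, Set, Tuple

# Sample config: the first three lines copy the format quoted in the thread,
# the example.test zone is constructed to show a redirect zone for contrast.
SAMPLE_LOCAL_DATA = '''
local-data: "redd.it 60 IN A 10.10.10.1"
local-data: "reddit.com 60 IN A 10.10.10.1"
local-data: "reddup.co 60 IN A 10.10.10.1"
local-zone: "example.test" redirect
local-data: "example.test 60 IN A 10.10.10.1"
'''

LOCAL_DATA_RE = re.compile(
    r'^local-data:\s*"(?P<name>\S+)\s+\d+\s+IN\s+A\s+(?P<ip>\S+)"')
LOCAL_ZONE_RE = re.compile(r'^local-zone:\s*"(?P<name>\S+)"\s+(?P<type>\w+)')


def parse_unbound(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (exact A records by name, set of redirect zone names)."""
    exact: Dict[str, str] = {}
    redirect_zones: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        m = LOCAL_DATA_RE.match(line)
        if m:
            exact[m.group("name").lower().rstrip(".")] = m.group("ip")
            continue
        m = LOCAL_ZONE_RE.match(line)
        if m and m.group("type") == "redirect":
            redirect_zones.add(m.group("name").lower().rstrip("."))
    return exact, redirect_zones


def sinkhole_for(name: str, exact: Dict[str, str],
                 redirect_zones: Set[str]) -> Optional[str]:
    """Address a query for `name` receives from local data, or None.

    local-data matches the exact owner name only. A redirect zone answers
    the zone and all subdomains with the zone apex's local-data, so parent
    names are walked from most to least specific looking for one.
    """
    name = name.lower().rstrip(".")
    if name in exact:
        return exact[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in redirect_zones:
            return exact.get(parent)
    return None  # resolves normally: the name is not sinkholed
```

Running it against a real pfBlockerNG output file shows at a glance whether a host that still resolves is missing because no entry (or zone) covers that exact name, as opposed to the client bypassing the resolver.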
@bob-dig
I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List and the website (and others) is still not blocked. (Yes, I did a force update all.)
I have tried on different computers on the network and they can still access it.
I have also tried on three different browsers.
I am really confused why some sites are blocked while others are not.