Bypassing DNSBL for specific IPs

horse2370

@GodAtum

Couple of things to check

Make sure you do not have an extra server: statement at the very end of the DNS Resolver custom config section. This gets added by pfblockerNG automatically when it upgrades, enables etc. Sure you have, but have to ask as it still catches me out every now and then!

The other thing to check, is machine that is not being bypassed using IPv6. You will need to add a bypass for that IP address as well.

My example is for bypassing Roku's that are IPv4 only. If I was to bypass anything else on my network, I would need to add an additional bypass statement for the IPv6 /128 as most OS's now prefer IPv6 if it available.

Let me know....

kezzla

I found a better solution for myself, and stopped using pfblockerng. I wanted to have better policy based dns blocking per network. I have my kids home doing school full time now thanks to covid. So I have them on their own vlan, and I block all kinds of stuff for their network. But on my own private network I just want ad-blocking only, and I can do this easily with NxFilter.

You can install NxFilter on pfSense:

GitHub - DeepWoods/nxfilter-pfsense: NxFilter install on pfSense
https://github.com/DeepWoods/nxfilter-pfsense

Then I found this vid on Youtube for a quick tutorial on setting it up:

Raspberry Pi Home Server - NxFilter Tutorial - YouTube
https://www.youtube.com/watch?v=l4mOFRQZoOU&t=2s

So I have disabled the pfSense resolver (unbound) and pfBlocker and am only using nxfilter for dns. My pfsense memory usage has come way down, and it feels snappier while browsing. For some reason, dns resolution would hang randomly from time to time when I was using pfblocker, got sick of debugging it.

Before this, I was using pfblocker for pretty much everything on my all my networks, and set up a pihole server in a VM on my freenas box. So dumb to just run a separate adblocking dns server, but that's what I did. So I have scrapped that VM now and my pfsense box is back to doing all the dns.

Just thought I would share, as someone might require similar functionality.

GodAtum

@horse2370 thanks I had a server:include: /var/unbound/pfb_dnsbl.*conf on the end!

Risfold

Thank you to all who commented here. I didn't know views were possible in unbound until reviewing this post. I was working through implementing this in my use case which is different than others here. I wanted to comment and share in case anyone else has a similar issue.

tldr: listing only networks for bypassing dnsbl, with defaulting to use of dnsbl for clients

I have many networks (vpns, vlans, etc.), and wanted to configure the use of dnsbl as a default from any network except for specific clients or networks listed. In the examples above, each network has to be listed as either dnsbl or bypass. I didn't want to have to list all networks, and only list bypass IPs/networks since most will use dnsbl.

The key I found to get this working was to set

view-first: no

This wasn't entirely clear to me from the unbound documentation, but seems to work as ignoring the default settings.

I also tried entering a view network such below, to cover all possible private IPs. But these didn't work:

access-control-view: 172.16.0.0/12 bypass_dnsbl
access-control-view: 192.168.0.0/16 bypass_dnsbl

My working config is here:

server:
include: /var/unbound/pfb_dnsbl.*conf
access-control-view: 172.20.0.0/24 bypass_dnsbl #guest vlan
view:
    name: "bypass_dnsbl"
    view-first: no
    include: /var/unbound/host_entries.conf #Host overrides AND DHCP reservations
    include: /var/unbound/dhcpleases_entries.conf #DHCP leases

I think this would also have the added benefit of pfblocker not re-adding the "include:" config, but not entirely sure since I have only added recently. If anyone notices an issue with this, please let me know!

fabioccoelho

Hello everyone, is there a possibility to allow a particular host or network to access a certain category of dnsbl? Example: IP 192.168.0.1 access the social networks category and continue with the rest blocked?

Thanks.

Risfold

@fabioccoelho said in Bypassing DNSBL for specific IPs:

Hello everyone, is there a possibility to allow a particular host or network to access a certain category of dnsbl? Example: IP 192.168.0.1 access the social networks category and continue with the rest blocked?

Thanks.

Looks like its being worked on, good timing.
https://www.reddit.com/r/pfBlockerNG/comments/kdg5wq/preliminary_dnsbl_group_policy/

Without these upcoming features, what you want to do would be pretty complicated. I have previously set up different pfsense/pfblocker instances to to accomplish this.

fabioccoelho

@risfold Thanks a lot :-)

SmokinMoJoe

This thread started in 2018 and has comments up to the end of 2020.

Do we have an option in the gui to allow one or more ip addresses or hosts to do unblocked DNS?

What I am looking for is something in the GUI that is stable and will stay when doing upgrades. Command line tricks and extra config files are not what I am asking for.

Thanks,
Joe

Gertjan

@smokinmojoe

On the Firewall > pfBlockerNG > DNSBL page :

GodAtum

@gertjan I'm not getting that on the page. Using v3.0.0_16 on pfsense 2.5.1

kezzla

@godatum Check the reddit link posted above, there is a tip that says to switch to python mode for the option to become available:

Preliminary DNSBL Group Policy : pfBlockerNG
https://www.reddit.com/r/pfBlockerNG/comments/kdg5wq/preliminary_dnsbl_group_policy/

Gertjan

Yep, this box should be checked :

turbotater19

Here from Reddit, then Mayfield IT...
I've got a setup where I'd like to bypass pfBlockerNG for one single entire interface but keep it enabled for my other 2 interfaces. Interfaces "LAN1" (10.0.0.0 /24) and "Crapwork" (192.168.0.0 /24) should still get the full pfBlockerNG treatment (DNSBL+IPBL) while the unlucky guests on interface "BARN" (172.16.0.0 /24) won't and will have to see ads and get random IPs from bad places poking around!

Would I need to enter the below into the "custom options" box in DNS resolver settings and then also make sure interface "BARN" is not selected (while LAN1 and Crapwork are) in the "Outbound Firewall Rules" section of IP tab under pfBlockerNG?

server:
    access-control-view: 172.16.0.0/24 bypass
    access-control-view: 10.0.0.0/24 dnsbl
    access-control-view: 192.168.0.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /var/unbound/pfb_dnsbl.*conf

Or should I update pfSense (on 2.4.5 yikes) and then update pfBlockerNG (on 2.2.5_30) and use the Bypass IPs field where I'd put (presumably) 172.16.0.0/24 and then same as above for IPBL settings?

Gertjan

@turbotater19 said in Bypassing DNSBL for specific IPs:

Or should I update pfSense (on 2.4.5 yikes)

Back then, as for as I can remember, you had to enter the custom unbound parameters (like you showed - can't tell if they are correct, though).

The latest pfSense, and the latest pfBlockerNG makes it possible to exclude IP (or even networks ?) using the pfBlockerNG GUI.
Select the (DNSBL) 'Python Group Policy' option and fill in the IP's.

turbotater19

@gertjan said in Bypassing DNSBL for specific IPs:

Back then, as for as I can remember, you had to enter the custom unbound parameters (like you showed - can't tell if they are correct, though).

The latest pfSense, and the latest pfBlockerNG makes it possible to exclude IP (or even networks ?) using the pfBlockerNG GUI.
Select the (DNSBL) 'Python Group Policy' option and fill in the IP's.

Thanks for the reply. I guess then what I'm asking for is if anyone thinks my code is correct for keeping DNSBL active on 2 of my 3 interfaces while the one interface gets bypassed. All the examples I've seen appear to show a single IP bypassed while the rest are blocked or 2 VLANs.

Also, to implement this (provided I don't just update pfSense and then update pfBlockerNG), do I disable pfBlockerNG, add lines into custom options, save, then start pfBlockerNG? Or do I add this into custom options while pfBlockerNG is enabled?

turbotater19

I pasted my code in and initially it didn't work. Took out the leading spaces on each line and that fixed it, working as I'd hoped!

Overlord

@gertjan
I can't find it? Is it removed?

I'm trying to find a solution to unblock an IP, which is one of my blocklist as false positive.

Gertjan

@overlord said in Bypassing DNSBL for specific IPs:

I can't find it?

Find what ?
The initial - see above - is "how to bypass a specific IP".
Reading the post shows that @Ns8h wanted to exclude a LAN device from being DNSBL'ed by pfBlocker - this was in 2018.

Or do you man : You want to whitelist an IP ( or DNSBL ?) from a list/feed you use ?
In that case, go to Firewall > pfBlockerNG > Alerts and look up the line where the IP was blocked. Example :

if I want to unblock "8.8.8.8" blocked by the firewall rule pfB_DoH_IP_v4 (uses an alais that contains all the IPs from the TheGreatWall_DoH... DNDBL feed, I have to move the mouse to the red padlock, click and follow the instructions.
This measure is temporary - as stated.

Clicking on the black + sign is permanent :

Just follow the instructions.

shon

@gertjan said in Bypassing DNSBL for specific IPs:

Yep, this box should be checked :

This did not work for me at all, and neither using custom unbound views. Not sure where else to look.

Gertjan

@shon

Just checking "Python Group Policy" does nothing.
It's stated that "Enable the Python Group Policy functionality to allow certain Local LAN IPs to bypass DNSBL"

So certain local IPs have to be entered.

Like :

edit :

I didn't have any DNSBIl activated, so I activated one.
This one :

Take a look at the feed text, and you find the last entry :
avsvmcloud.com

On my PC with the IP 192.168.1.2 (on the policy list - see my image above) I could obtain an IP :

Or, on another PC using IP 192.168.1.9, I obtained "0.0.0.0" == DNSBL blocked ( I'm not using the build in pfBlockerNG web server, if I was, I would have received 10.10.10.1 ).

My conclusion : Group policy works.

I did not test IPv6 here. For IPv4 it worked.