Pfblockerng and domain lists
-
It seems that I am missing some code to translate a file of domain names to their respective IPs :) Not a typical use case… Will try to get that added into the next release... But you should be able to add those domains to the Custom List and check the "Enable Domain/AS" checkbox....
But ultimately, best to use DNSBL for Domains...
Thanks for reporting...
-
Glad to help. Being used to working with commercial vendors, it isn't often I get to speak to the developers directly. I appreciate the work you put into this tool. It is vastly helpful.
As far as logging, I just created a rule to block traffic to the DNSBL port 8081 and 8443 so it seems to be logging just fine.
-
Seems that the Alerts section for DNSBL isn't functioning properly. I don't see anything under Alerts and DNSBL, but DNSBL is definitely functioning as expected as far as blocking domains.
Here is what the log file shows:
[prompt]/var/log/pfblockerng: ls
dnsbl_error.log pfblockerng.log
[prompt]/var/log/pfblockerng: cat dnsbl_error.log
2016-06-16 09:09:05: (log.c.194) server started
2016-06-16 09:15:24: (server.c.1572) server stopped by UID = 0 PID = 54362
2016-06-16 09:17:01: (log.c.194) server started
-
As far as logging, I just created a rule to block traffic to the DNSBL port 8081 and 8443 so it seems to be logging just fine.
The rule(s) that you created here are what broke DNSBL Logging to the Alerts Tab… Instead of using "Deny/reject"... Move the rule to the "Floating Tab" and use a "Match" rule instead... Not sure though what these rules will log. Might just be the LAN device that is being redirected to the DNSBL VIP... Won't show the Domain being blocked, or the List that caused the block....
I have on the todo list, adding syslog for DNSBL...
-
Ok, tried that, but still not seeing anything under Alerts for DNSBL. The floating rules provided the same information that my deny rules did, basically just the source IP and 127.0.0.1 as destination and port 8081/8444. I even removed the package and re-configured it in pfSense. I don't even see the dnsbl.log, only dnsbl.error.log.
-
Checklist:
- DNSBL Service is running?
- Ensure the LAN devices have pfSense Resolver as its only DNS Server
- Can the LAN devices ping the DNSBL VIP?
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
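The checklist above, scripted from a LAN client's point of view (added example, not pfBlockerNG's own tooling). It assumes the client's configured DNS is the pfSense Resolver, that the VIP answers HTTP on port 80, and that `blocked-domain.example` stands in for any domain you know is on your DNSBL lists; 198.18.100.100 is the VIP value this thread uses.

```python
import socket
import struct
import http.client

def is_1x1_gif(body: bytes) -> bool:
    """True if body is a GIF whose logical screen is 1x1 pixel (what DNSBL serves)."""
    if len(body) < 10 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", body[6:10])  # GIF dimensions are little-endian
    return width == 1 and height == 1

def resolves_to_vip(domain: str, vip: str) -> bool:
    """Checklist: does a listed domain resolve, via the client's DNS, to the DNSBL VIP?"""
    try:
        return socket.gethostbyname(domain) == vip
    except socket.gaierror:
        return False

def vip_reachable(vip: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Checklist: can the client reach the VIP? TCP connect instead of ICMP (no root needed)."""
    try:
        with socket.create_connection((vip, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_pixel(vip: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Checklist: browse to the VIP as a redirected client would and return the body."""
    conn = http.client.HTTPConnection(vip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": "blocked-domain.example"})
        return conn.getresponse().read()
    except OSError:
        return b""
    finally:
        conn.close()

def run_checklist(vip: str, blocked_domain: str) -> dict:
    """Run the three client-side checks; a False result says where to look first."""
    results = {
        "resolver_returns_vip": resolves_to_vip(blocked_domain, vip),
        "vip_tcp_reachable": vip_reachable(vip),
    }
    results["serves_1x1_gif"] = results["vip_tcp_reachable"] and is_1x1_gif(fetch_pixel(vip))
    return results

if __name__ == "__main__":
    # Placeholder values: VIP from this thread, hypothetical listed domain.
    for check, ok in run_checklist("198.18.100.100", "blocked-domain.example").items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
```

If `resolver_returns_vip` fails the client is not using the pfSense Resolver (or the domain is not listed); if only `vip_tcp_reachable` fails, a firewall rule, NAT, limiter or, as later in this thread, a bridged interface is keeping the VIP unreachable.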
-
- DNSBL Service is running?
Verified it is running.
- Ensure the LAN devices have pfSense Resolver as its only DNS Server
Yes, this is the case.
- Can the LAN devices ping the DNSBL VIP?
I cannot ping the IP. That IP doesn't "live" anywhere else on the network or pfSense, so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the pfSense is the logical bridge interface.
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
No, I just get a timed out page.
-
So just to test, I changed the DNSBL VIP to match the IP address on the Bridge interface which is also the DNS server. This works, I see a 1x1 and I see Alerts now for DNSBL.
What do most people use for this VIP? The client needs to be able to route to it, obviously. I'm wondering if the bridged interfaces (LAN/WAN) have anything to do with why a bogus VIP doesn't respond in this case?
-
- Can the LAN devices ping the DNSBL VIP?
I cannot ping the IP. That IP doesn't "live" anywhere else on the network or pfSense, so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the pfSense is the logical bridge interface.
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
No, I just get a timed out page.
OK, need to fix those issues… If you have a multi-segmented LAN, there is an option to auto-create a Floating Permit Rule to allow other LAN subnets to hit the DNSBL VIP... See the checkbox in the DNSBL Tab...
-
With the policy I have now, all of the LAN is allowed anywhere, so this should have already been in place by policy.
-
With the policy I have now, all of the LAN is allowed anywhere, so this should have already been in place by policy.
First step is to figure out what is blocking the LAN devices from hitting (ping and browse) the DNSBL VIP… Could be a Firewall Rule/NAT/Limiter etc....
-
Here is what I found. I restored my Layer 3 configuration for pfSense, where the LAN interface is routing, and things work as expected even when the bogus DNSBL VIP isn't routable to the rest of the network. I use 172.16.100.0/24 for LAN and 198.18.100.100 for the VIP. It seems like this is because I was in bridge mode. Worst case, I just don't have the DNSBL logs with domains in bridge mode, only the raw logs to 8081/8443.
-
Bridges are generally an issue… If you run an "ifconfig" does the bridged interface show an IP? Keep note that the DNSBL VIP is an "alias IP", so the chosen DNSBL Interface should be a real interface. Not an expert in bridges either... :)
-
172.16.100.200 is the IP I assigned and is being used as DNS server. 198.18.100.100 is the VIP.
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:7e:6a:cb:6f:00
	inet 172.16.100.200 netmask 0xffffff00 broadcast 172.16.100.255
	inet 198.18.100.100 netmask 0xffffffff broadcast 198.18.100.100
-
Confirmed that the DNSBL VIP will not be accessible when pfSense is in bridge mode, even when the bridge logical interface is used for DNSBL listening. It works fine in Layer 3 mode and DNSBL alerts are visible.