PfBlockerNG 2.0 & BIND 9.4



  • Hi!

    Is it possible for pfBlockerNG v2.0 w/DNSBL to work with BIND 9.4?

    How can i do this?


  • Moderator

    @simby:

    Hi!

    Is it possible for pfBlockerNG v2.0 w/DNSBL to work with BIND 9.4?

    How can i do this?

    DNSBL is hardcoded to only use Unbound. However, you can still use BIND, but you would have to set BIND's outbound forwarder to point to the pfSense Resolver so that DNSBL could be utilized.



  • Hi Guys,

    Because I really like both pfBlockerNG and using a (complete) DNS server, I've done some research and built a script that transforms pfBlockerNG DNS blocklists into something BIND-compatible. See https://github.com/gewuerzgurke84/pfSense-blockerNG2named

    Enjoy!

    Best Regards
    Alex



  • Hi @BBcan177 ,

    any chance to talk about a future integration of the DNSBL feature with BIND 9 from pfSense Ports?
    I've already implemented a way, outside of pfBlockerNG, to set up a configuration that contains all blocked domains, which is also compatible with the VIP. From my point of view the changes to pfBlockerNG would be:

    • Write a configuration for BIND which holds all domains
    • Write a dummy zone file that points to the VIP
    • Include this configuration into the bind view (choice should be left to the user)

    Best Regards


  • Moderator

    @gewuerzgurke84 said in PfBlockerNG 2.0 & BIND 9.4:

    any chance to talk about a future integration of the DNSBL feature with BIND 9 from pfSense Ports?
    I've already implemented a way, outside of pfBlockerNG, to set up a configuration that contains all blocked domains, which is also compatible with the VIP. From my point of view the changes to pfBlockerNG would be:

    Write a configuration for BIND which holds all domains
    Write a dummy zone file that points to the VIP
    Include this configuration into the bind view (choice should be left to the user)

    Best Regards

    There is a lot of work to use anything other than Unbound... So it's pretty much the same answer for either DNSMasq or BIND...

    Won't this option work from my previous post:

    DNSBL is hardcoded to only use Unbound. However, you can still use BIND, but you would have to set BIND's outbound forwarder to point to the pfSense Resolver so that DNSBL could be utilized.



  • Won't this option work from my previous post:

    DNSBL is hardcoded to only use Unbound. However, you can still use BIND, but you would have to set BIND's outbound forwarder to point to the pfSense Resolver so that DNSBL could be utilized.

    Sure, I've successfully tried using Unbound as BIND's forwarder to allow DNSBL. The downside of this solution is the poor DNS performance and the overall complexity of the setup.

    The advantages of a setup using pfBlockerNG and BIND are:

    • an authoritative DNS server to host local zones
    • DNSBL features in place per view (which can be similar to defining DNSBL per interface)
    • the functionality of BIND itself
    • few dependencies

    I found a very nice way to put all the zones from pfBlockerNG into BIND using the RPZ feature. (http://www.zytrax.com/books/dns/ch9/rpz.html) This way I've added ~300,000 blocklist zones into several views with a very low memory footprint :) I'll update the script in my GitHub repo.
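The proposal earlier in the thread (a configuration holding all blocked domains plus a dummy zone that points at the VIP, included per view) and the RPZ approach in the last post both come down to the same job: rewriting the Unbound fragment pfBlockerNG generates into a zone that BIND can load. The script below is an added example written for this page; it is neither pfBlockerNG's own code nor the script in the GitHub repository linked above. It assumes the Unbound fragment has the shape `local-zone: "domain" redirect` / `local-data: "domain 60 IN A <VIP>"`, uses a hypothetical RPZ zone name (rpz.pfblockerng) and placeholder file paths, and the input it parses is a constructed sample. Because Unbound's `redirect` also catches every subdomain of the listed name, the RPZ zone gets both an exact rule and a wildcard rule per domain; and because the owner names come from third-party blocklists, each one is validated before it is written, so a crafted line cannot smuggle a directive such as `$INCLUDE` or an extra record into the zone file.

```python
"""Convert a pfBlockerNG DNSBL fragment for Unbound into a BIND RPZ zone.

Added example for this page, not pfBlockerNG's code. Assumptions: the
Unbound fragment uses 'local-zone: "<name>" redirect' plus
'local-data: "<name> 60 IN A <VIP>"' lines; zone name and file paths below
are hypothetical placeholders.
"""
import ipaddress
import re
import time

# Constructed sample input, in the shape assumed above (not real pfBlockerNG output).
SAMPLE_DNSBL_CONF = """\
local-zone: "ads.example.com" redirect
local-data: "ads.example.com 60 IN A 10.10.10.1"
local-zone: "tracker.example.net" redirect
local-data: "tracker.example.net 60 IN A 10.10.10.1"
local-zone: "Mixed.Case.Example.org." redirect
local-data: "Mixed.Case.Example.org. 60 IN A 10.10.10.1"
# a comment line, ignored
local-zone: "ads.example.com" redirect
"""

LOCAL_ZONE_RE = re.compile(r'^local-zone:\s*"([^"]+)"\s+redirect$')
LOCAL_DATA_RE = re.compile(r'^local-data:\s*"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)"$')
# One DNS label: letters, digits, '_' and '-', 1..63 chars, no leading/trailing '-'.
LABEL_RE = re.compile(r'^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$')


def normalize(name):
    """Lower-case and strip the trailing dot; return None for anything that is
    not a plain hostname, so blocklist garbage never reaches the zone file."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def parse_dnsbl(text):
    """Return (ordered unique domains, VIP) from an Unbound DNSBL fragment."""
    domains, seen, vip = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCAL_ZONE_RE.match(line)
        if m:
            name = normalize(m.group(1))
            if name and name not in seen:
                seen.add(name)
                domains.append(name)
            continue
        m = LOCAL_DATA_RE.match(line)
        if m:
            addr = m.group(2)
            ipaddress.ip_address(addr)  # raises ValueError on a malformed address
            if vip is None:
                vip = addr
            elif vip != addr:
                raise ValueError(f"fragment points at more than one sink: {vip} vs {addr}")
    if vip is None:
        raise ValueError("no local-data A record found, cannot determine the VIP")
    return domains, vip


def render_rpz_zone(domains, vip, origin, serial):
    """Build the RPZ zone: every listed domain and its subdomains answer with the VIP.
    Owner names are relative to $ORIGIN, which is how RPZ triggers are expressed."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@\tIN SOA\tlocalhost. root.localhost. ( {serial} 3600 900 604800 60 )",
        "@\tIN NS\tlocalhost.",
    ]
    for d in domains:
        lines.append(f"{d}\tIN A\t{vip}")      # exact match
        lines.append(f"*.{d}\tIN A\t{vip}")    # subdomains, like Unbound's redirect
    return "\n".join(lines) + "\n"


def render_named_conf(origin, zone_path):
    """named.conf stanza. Move the response-policy line into a view { } block
    to apply the blocklist per view instead of globally."""
    return (
        "options {\n"
        f'    response-policy {{ zone "{origin}"; }};\n'
        "};\n"
        f'zone "{origin}" {{\n'
        "    type master;\n"
        f'    file "{zone_path}";\n'
        "    allow-query { none; };   // RPZ data is consulted, never served directly\n"
        "};\n"
    )


if __name__ == "__main__":
    domains, vip = parse_dnsbl(SAMPLE_DNSBL_CONF)
    zone_path = "/etc/namedb/rpz.pfblockerng.db"  # placeholder path
    with open(zone_path, "w") as fh:
        fh.write(render_rpz_zone(domains, vip, "rpz.pfblockerng", int(time.time())))
    print(render_named_conf("rpz.pfblockerng", zone_path))
```

After writing the zone, check it with `named-checkzone rpz.pfblockerng /etc/namedb/rpz.pfblockerng.db` before `rndc reload`; a bad line in a 300,000-entry zone is easier to find there than in the named log. In production you would read the real fragment from pfBlockerNG's Unbound output directory instead of the constructed sample, and bump the serial on every regeneration so that `rndc reload` actually picks up the new data.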