Netgate Discussion Forum

pfBlockerNG not working

pfBlockerNG
tushar (Aug 28, 2016, 2:52 PM; edited 3:18 PM)

I did everything as mentioned by BBcan177 on the pfSense forum, but I am still unable to block ads or any kind of malicious website; even YouTube ads are still appearing :(

Setup: VirtualBox pfSense with the first adapter in bridged mode and the second adapter on an internal network; a Lubuntu VirtualBox Linux machine is connected to pfSense via the internal network.

pfSense - 2.3.2-RELEASE (amd64)
    built on Tue Jul 19 12:44:43 CDT 2016
    FreeBSD 10.3-RELEASE-p5

    pfBlockerNG Version - 2.1.1_4

pfBlockerNG settings screenshots attached.

[12 screenshots attached (VirtualBox_lubuntu_28_08_2016_20_10_29.png to VirtualBox_lubuntu_28_08_2016_20_15_45.png)]

RonpfS (Aug 28, 2016, 5:51 PM)

@tushar:

Which BBcan177 instructions did you follow to set up your pfBlockerNG? There are so many posts that you may be using something obsolete with 2.1.1_4.

Go to Status / Services and restart unbound; this will make it log to Status / System Logs / System / DNS Resolver.

I see in the widget that your IPv4 lists are empty? Did you run a Force Reload All? Then have a look at pfblockerng.log, extras.log, the system logs and the Resolver logs.

Go to Diagnostics / DNS Lookup and resolve some domain name in your table (like 0hna.com); it should answer 10.10.10.1.

Does your Linux box's DNS point to pfSense?

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

BBcan177 Moderator (Aug 29, 2016, 9:44 PM)

        Hi tushar,

        Not sure if you have resolved your issue, but if you look at the previous screenshot from the Widget, there are pfSense Notices listed with the "Bell Icon" near the top.

What do those notices report? I am assuming that it's a "cannot define table" error… which can be fixed by going to the pfSense Adv GUI | Firewall/NAT | and changing the Firewall Maximum Table Entries to 10000000.

        If its another message, post back.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

tushar (Aug 30, 2016, 10:58 AM; edited 11:05 AM)

          Hi BBcan177,

Rebooted and deleted all the IPv4 feeds I had created; only using DNSBL feeds now.
All bell notifications are gone and ad blocking is working now, but I'm not sure it's fully working…

It looks like, because the DNSBL EasyList is not working, there is no p0rn site blocking....

OK. It looks like pfBlockerNG is just an ads filter, filtering all the background malicious junk trying to steal info from the machine.

          UPDATE PROCESS START [ 08/30/16 21:49:51 ]

          ===[  DNSBL Process  ]================================================

          [ EasyList ] exists.
          [ yoyo ] exists.
          [ hpHosts_ads ] exists.
          [ Adaway ] exists.
          [ Cameleon ] exists.
          [ SWC ] exists.
          [ hpHosts ] exists.
          [ spam404 ] exists.
          [ MVPS ] exists.
          [ MDL ] exists.
          [ dShield_SD ] exists.
          [ Zeus ] exists.
          [ hpHosts_partial ] exists.
          [ DNSBL_IP ] Updating aliastable…
            no changes.
            Total IP count = 29

          ===[  Continent Process  ]============================================

          ===[  IPv6 Process  ]=================================================

          ===[  Aliastables / Rules  ]==========================================

          No changes to Firewall rules, skipping Filter Reload
          No Changes to Aliases, Skipping pfctl Update

          UPDATE PROCESS ENDED [ 08/30/16 21:49:52 ]

[screenshot attached: 1.png]

Mr. Jingles (Aug 31, 2016, 6:52 PM)

            @RonpfS:

            Go to Diagnostics / DNS Lookup and resolve some domain name in your table (like 0hna.com) it should answer 10.10.10.1.

            Interesting, because mine (dedicated box, not virtual machine), says:

Result: 98.124.243.35 (record type A)

            And not 10.10.10.1.

Running BB's latest package and pfSense's latest version.

            6 and a half billion people know that they are stupid, agressive, lower life forms.

RonpfS (Aug 31, 2016, 7:00 PM; edited 7:05 PM)

@Mr. Jingles:

Interesting, because mine (dedicated box, not virtual machine), says 98.124.243.35 (A), and not 10.10.10.1.

              I took 0hna.com as an example that is in the http://hosts-file.net/ad_servers.txt blocklist.
              Maybe your system doesn't use that blocklist or it is whitelisted.

              drill @8.8.8.8 0hna.com
              
              ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7240
              ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
              ;; QUESTION SECTION:
              ;; 0hna.com.	IN	A
              
              ;; ANSWER SECTION:
              0hna.com.	1799	IN	A	98.124.243.35
              
              ;; AUTHORITY SECTION:
              
              ;; ADDITIONAL SECTION:
              
              ;; Query time: 305 msec
              ;; SERVER: 8.8.8.8
              ;; WHEN: Wed Aug 31 14:59:05 2016
              ;; MSG SIZE  rcvd: 42
              
              

              Take a FQDN that you are blocking on your setup to test.

tushar (Sep 2, 2016, 7:36 AM)

Same problem here with 0hna.com, and I'm using http://hosts-file.net/ad_servers.txt in my DNSBL feed list.

Result for 0hna.com: 98.124.243.35 (A). Timings: 8.8.8.8 23 msec, 8.8.4.4 24 msec.

Result for 123stat.com: 23.253.181.93 (A). Timings: 8.8.8.8 39 msec, 8.8.4.4 29 msec.

[screenshot attached: 1.png]

RonpfS (Sep 2, 2016, 7:43 AM; edited 5:09 PM)

Mine returns: 10.10.10.1 (A), name server 127.0.0.1.

So you then have to look at how you set up DNS resolving on your FW,
and click the blue Info infoblock icon in the Firewall / pfBlockerNG / DNSBL tab.

                  And maybe read the first posts of each of these threads:
                  pfBlockerNG
                  pfBlockerNG v2.0 w/DNSBL
                  pfBlockerNG v2.1 w/TLD
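The check RonpfS describes (resolve a domain from a DNSBL feed and expect the 10.10.10.1 sinkhole address back; a real address means the lookup bypassed the Resolver) can be scripted so it does not depend on the GUI. The following is an added example, not code from the thread or from the pfBlockerNG package: a minimal RFC 1035 A-record client that queries the firewall's resolver and a public DNS server and classifies each answer. The firewall address 192.168.2.1 and the VIP 10.10.10.1 are taken from the thread; the responses built by `make_response` are constructed samples so the script runs offline.

```python
# Added example (not from the thread or pfBlockerNG): verify DNSBL sinkholing by
# sending the same A query to the firewall's resolver and to a public server.
import socket
import struct

DNSBL_VIP = "10.10.10.1"           # DNSBL virtual IP quoted in the thread
FIREWALL_RESOLVER = "192.168.2.1"  # assumption: pfSense LAN IP from the thread
PUBLIC_DNS = "8.8.8.8"             # the server tushar had in General Setup


def build_query(name, qid=0x1234):
    """Build a standard recursive query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def classify(addrs, vip=DNSBL_VIP):
    """'blocked' only if every A record is the DNSBL VIP; a real IP means bypass."""
    if not addrs:
        return "no-answer"
    return "blocked" if all(a == vip for a in addrs) else "not-blocked"


def resolve(name, server, timeout=3.0):
    """Send the query over UDP and return the A records (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    if resp[:2] != query[:2]:
        raise ValueError("DNS transaction ID mismatch")
    return parse_a_records(resp)


def make_response(name, addrs, qid=0x1234, ttl=60):
    """Construct a response the way a resolver would (used for offline samples)."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + question + answers


def compare(name, servers=(FIREWALL_RESOLVER, PUBLIC_DNS)):
    """Resolve name against each server; DNSBL only helps where it says 'blocked'."""
    return {srv: classify(resolve(name, srv)) for srv in servers}


if __name__ == "__main__":
    # Constructed samples reproducing the two answers quoted in the thread.
    sinkholed = make_response("0hna.com", [DNSBL_VIP])
    public = make_response("0hna.com", ["98.124.243.35"])
    print("via resolver :", classify(parse_a_records(sinkholed)))  # blocked
    print("via 8.8.8.8  :", classify(parse_a_records(public)))     # not-blocked
    # Live check from a client of the firewall (uncomment when on the LAN):
    # print(compare("0hna.com"))
```

Run `compare()` from a client that gets its DNS from the firewall: the resolver entry should read `blocked` and the public server `not-blocked`. If both read `not-blocked`, the query never reached unbound with DNSBL loaded, which is the situation tushar was in.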

tushar (Sep 2, 2016, 3:05 PM; edited 3:30 PM)

OK, I found the culprit: in System / General Setup / DNS Server Settings I had put 8.8.8.8 and 8.8.4.4. After deleting them :)

One more thing: how do I know which DNS IP I'm using on my pfSense? On all my DHCP-enabled machines the DNS is 192.168.2.1, the IP of pfSense.

Diagnostics / DNS Lookup for 123stat.com: Result 10.10.10.1 (A).

RonpfS (Sep 2, 2016, 6:08 PM)

@tushar:

                      I can't tell you because you didn't include the last line of the DNS Lookup output.

Your FW will use what you configured in the General Setup page; click on the info icon to see more information.

Then visit the Services / DNS Resolver and Services / DHCP Server tabs and read the information. You will notice that there is plenty of information on https://doc.pfsense.org.

tushar (Sep 2, 2016, 6:35 PM)

Please check the attached screenshots….

It looks like it's working now, redirecting to the virtual IP of pfSense. One thing: if someone manually enters Google's public DNS IP as the DNS server on a machine, is there any solution for that?

[screenshots attached: 1.png, 2.png]

RonpfS (Sep 2, 2016, 6:49 PM)

@tushar:

In order for DNSBL to function, the FW has to use the DNS Resolver, and you have to leave the DNS Server fields blank in System / General Setup. Also, all clients have to use the FW IP for DNS services. If you plan to use the DNS Resolver in forwarding mode, then read BBcan177's post on the first page of pfBlockerNG v2.0 w/DNSBL: https://forum.pfsense.org/index.php?topic=102470.msg572527#msg572527
There are some DNS servers that won't support DNSSEC.

                          To be certain that the Resolver logs to Status / System Logs / System / DNS Resolver after a system reboot, you may have to restart unbound under Status / Services.

Mr. Jingles (Sep 3, 2016, 5:11 PM)

                            @RonpfS:

                            and you have to leave the DNS Server blank in General / Setup.

                            Thanks Ron, new to me  :P

                            Especially since in setup/general it says:

                            When using multiple WAN connections there should be at least one unique DNS server per gateway

                            I have dual WAN so I can't leave it blank (?)

RonpfS (Sep 3, 2016, 6:45 PM)

@Mr. Jingles:

I have dual WAN so I can't leave it blank (?)

                              I don't have multiple WAN connections at the moment, so I might be wrong.

                              But with DNSBL everything has to go to the Resolver for DNSBL to function.

In this case there is only one WAN, as on my system. By leaving it blank, pfSense will use 127.0.0.1 if "Disable DNS Forwarder" isn't checked:

                              By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups.

                              Diagnostics / DNS Lookup on the FW will use the Resolver and will redirect to the VIP when a Domain is blocked by pfBlockerNG DNSBL.

If DNS servers are used in the General Setup, the FW bypasses the Resolver and DNSBL, but clients pointing to the DNS Resolver will still have DNSBL blocking.
In this situation you can't use Diagnostics / DNS Lookup on the FW for debugging DNSBL; you then need to do the DNS lookup on clients that point to the Resolver.

However, if the DNS Resolver is configured in "Forwarder mode", then everyone, including pfSense, will use the DNS settings and bypass the Resolver and DNSBL.

RonpfS (Sep 4, 2016, 3:08 AM)

@Mr. Jingles:

When using multiple WAN connections there should be at least one unique DNS server per gateway

The recommendation probably comes from pfSense versions previous to 2.2, when the DNS Forwarder was the default. With the DNS Forwarder, it was good practice to have a DNS server per WAN gateway to provide redundancy in the event of a gateway going down.

Since 2.2 the default changed to the DNS Resolver, so I don't think there is a need to put any DNS server in General Setup with Enable Forwarding Mode disabled. Unbound will contact the root servers and provide name service on its own.
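RonpfS's posts above amount to three conditions: nothing in System / General Setup's DNS server fields (or the firewall itself bypasses the Resolver), the DNS Resolver enabled and not simply forwarding, and DHCP handing clients the firewall's own address. Those conditions can be checked against a pfSense config.xml backup. The script below is an added example, not from the thread or the pfBlockerNG project; the element names it reads (`system/dnsserver`, `system/dnslocalhost`, `unbound/enable`, `unbound/forwarding`, `dhcpd/<interface>/dnsserver`) are my reading of pfSense's config.xml layout and should be treated as assumptions to verify against your own backup. Both XML fragments are constructed samples: the first mirrors tushar's broken setup, the second the fix.

```python
# Added example (not from the thread or pfBlockerNG): audit the DNS-related parts
# of a pfSense config.xml for the conditions under which DNSBL can see lookups.
# Element names are assumptions about pfSense's config.xml layout.
import xml.etree.ElementTree as ET

# Constructed sample mirroring tushar's broken setup: public DNS in General
# Setup, the Resolver in forwarding mode, and DHCP handing clients 8.8.8.8.
BROKEN_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>pfsense</hostname>
    <dnsserver>8.8.8.8</dnsserver>
    <dnsserver>8.8.4.4</dnsserver>
  </system>
  <interfaces>
    <lan><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd>
    <lan><enable></enable><dnsserver>8.8.8.8</dnsserver></lan>
  </dhcpd>
  <unbound>
    <enable></enable>
    <forwarding></forwarding>
  </unbound>
</pfsense>
"""

# The same constructed config after applying the advice in the thread.
FIXED_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>pfsense</hostname></system>
  <interfaces>
    <lan><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <dhcpd>
    <lan><enable></enable><dnsserver>192.168.2.1</dnsserver></lan>
  </dhcpd>
  <unbound><enable></enable></unbound>
</pfsense>
"""


def audit_dnsbl_config(xml_text):
    """Return a list of findings; an empty list means DNSBL sees all lookups."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The firewall's own lookups: General Setup DNS servers bypass the Resolver.
    sys_dns = [e.text for e in root.findall("system/dnsserver") if e.text]
    if sys_dns:
        findings.append("general-setup-dns: %s listed; the firewall itself "
                        "bypasses the Resolver and DNSBL (leave blank)" % ", ".join(sys_dns))
    # ElementTree elements with no children are falsy, so always compare to None.
    if root.find("system/dnslocalhost") is not None:
        findings.append("disable-dns-forwarder: set; firewall will not use 127.0.0.1")

    # 2. The Resolver must be enabled and not simply forwarding everything.
    unbound = root.find("unbound")
    if unbound is None or unbound.find("enable") is None:
        findings.append("resolver-disabled: DNSBL requires the DNS Resolver (unbound)")
    elif unbound.find("forwarding") is not None:
        findings.append("resolver-forwarding-mode: read BBcan177's DNSBL notes before "
                        "combining forwarding mode with DNSBL")

    # 3. Clients: DHCP must hand out the firewall's own interface address.
    #    (An empty dnsserver list is fine: pfSense then offers the interface IP.)
    for iface in root.findall("dhcpd/*"):
        if iface.find("enable") is None:
            continue
        own_ip = root.findtext("interfaces/%s/ipaddr" % iface.tag)
        handed_out = [e.text for e in iface.findall("dnsserver") if e.text]
        foreign = [d for d in handed_out if d != own_ip]
        if foreign:
            findings.append("dhcp-%s-dns: clients get %s instead of %s and will bypass DNSBL"
                            % (iface.tag, ", ".join(foreign), own_ip))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_dnsbl_config(cfg) or ["no findings"])
```

Point it at a real backup with `audit_dnsbl_config(open("config.xml").read())`. Note that it only covers clients that accept the DHCP-supplied DNS server; a machine with a hand-entered 8.8.8.8, the case tushar asks about, is invisible to a configuration audit and shows up only in the resolver-versus-public-DNS comparison.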

stan-qaz (Sep 4, 2016, 6:01 AM)

                                  I'd like to run pfBlocker with the DNSBLS enabled for one of my LANs but not the rest of them. The reason for that is I have Android tablets and Chromebooks that are nearly unusable for web browsing without external ad-blocking but for my PCs and laptops I want to use blocking software on each machine that is a bit more flexible and simple for the users to work with.

I have the firewall rule system of pfBlocker running on the WiFi LAN that the tablets and Chromebooks connect to, and it is quite nice. I have experimented with the DNSBL system and it breaks a lot of websites that the PC/laptop software doesn't, but it really helps the tablet/Chromebook systems. If I could run it just for the problem systems I'd do that. I could set the PCs and laptops to not use pfSense for DNS, but that would make local name resolution a lot more work.

                                  I'm new at this sort of thing but I hope to figure out something that will work for me that won't eat a lot of hours or require a lot of hand-holding for users that hit glitches.

BBcan177 Moderator (Sep 4, 2016, 5:28 PM)

                                    @stan-qaz:

                                    I have experimented with the DNSBL system and it breaks a lot of websites that the PC/laptop software doesn't but it really helps the tablet/chromebook systems.

Review the Alerts tab and whitelist the domains that are causing issues…. You can also press F12 in the browser to load Dev Mode, and go to "Console" to see what's being blocked...  Once you weed out the FPs, you should be fine...

tushar (Sep 4, 2016, 5:56 PM)

I would say pfBlockerNG is working now, as it looks to me: blocking ads mostly, and DNS Lookup is also working for blocked lists on 127.0.0.1.

Here are some screenshots of the config I did; please correct me wherever I'm wrong.  :)

[screenshots attached: File1.png to File10.png]

BBcan177 Moderator (Sep 4, 2016, 6:07 PM)

                                        You only enabled the one Easylist Feed in the EasyList Tab… click the "Add" button to add the second hardcoded EasyList Feed...  (EasyList and EasyPrivacy)

                                        EasyList Feeds are not 100% compatible with DNSBL.... DNSBL requires the Domain to be able to block the DNS request.... ADBlock can manipulate the HTML on a webpage and remove ADverts that way.... So this is why I have only hardcoded the two EasyList Feeds.... I may add some of the other Language specific EasyList feeds in future as time permits.... But the fanboy feed is not compatible at all.... Just open that Feed in your browser and you will see what I mean....
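BBcan177's point is that a DNS blocker can only act on a hostname, while an Adblock-format list mostly carries URL patterns and CSS element-hiding rules that need a browser extension to apply. The following is an added example, not from the thread or from pfBlockerNG, that sorts a list in EasyList syntax into the `||domain^` rules a DNSBL can honour and everything else it has to skip. The sample list is constructed with example.* names; the decision to skip domain rules that carry `$options` is my own conservative choice, since a DNS answer cannot express conditions such as `$third-party`.

```python
# Added example (not from the thread or pfBlockerNG): classify Adblock-format
# rules by whether a DNS-based blocker can express them.
import re
from collections import Counter

# ||example.com^ optionally followed by $options (e.g. $third-party)
DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9-]+(?:\.[a-z0-9-]+)+)\^(?:\$(.*))?$", re.I)

# Constructed sample in EasyList syntax; only two lines map cleanly to DNS.
SAMPLE_LIST = """[Adblock Plus 2.0]
! Title: constructed sample in EasyList syntax
||ads.example-adnetwork.com^
||0hna.com^
@@||cdn.example.com^
||tracker.example.net^$third-party
example.org##.ad-banner
/banner/*/ads/
||static.example.com/ads/*
"""


def classify_rule(line):
    """Return (kind, domain); domain is only set for DNS-expressible rules."""
    line = line.strip()
    if not line or line[0] in "![":
        return "comment", None
    if "##" in line or "#@#" in line or "#?#" in line:
        return "element-hiding", None   # CSS selectors: nothing for DNS to block
    exception = line.startswith("@@")
    match = DOMAIN_RULE.match(line[2:] if exception else line)
    if not match:
        return "url-pattern", None      # path/URL match: DNS only sees the name
    domain, options = match.group(1).lower(), match.group(2)
    if options:
        # $third-party, $script, $domain=... cannot be represented by a DNS
        # answer; blocking the whole host would also break first-party use.
        return "domain-with-options", None
    return ("allow" if exception else "block"), domain


def extract_dnsbl_domains(text):
    """Split a list into DNSBL block/allow domains plus a count of skipped kinds."""
    block, allow, skipped = [], [], Counter()
    for line in text.splitlines():
        kind, domain = classify_rule(line)
        if kind == "block":
            block.append(domain)
        elif kind == "allow":
            allow.append(domain)
        else:
            skipped[kind] += 1
    return {"block": block, "allow": allow, "skipped": dict(skipped)}


if __name__ == "__main__":
    result = extract_dnsbl_domains(SAMPLE_LIST)
    print("DNSBL block :", result["block"])
    print("DNSBL allow :", result["allow"])
    print("not usable  :", result["skipped"])
```

Run it over a real EasyList download and the `skipped` counts make the incompatibility concrete: the element-hiding and URL-pattern rules outnumber the domain rules by a wide margin, which is why only a domain-level subset of such a feed can ever show up in DNSBL.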

BBcan177 Moderator (Sep 4, 2016, 6:09 PM)

                                          Click the blue Infoblock Icon in the DNSBL Feeds Tab when editing a "Group"….

                                          The "DNSBL Settings" infoblock has this text:

                                          Note:  AdBlock Easylists cannot be used in this Tab.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.