EasyList Alias missing upon setup



  • Greetings -

    So I believe that I setup pfBlockerNG properly using the guides provided here in the forum.  However the only thing that doesn't seem to be working is EasyList ad blocking, and I think it is because I am missing a firewall alias specific for it.

    I have checked the logs and my system shows that it has downloaded two EasyList Header files; one that is an IP list of 20 IPs, and another that is a txt flie containing 4,000 plus domain names.

    A firewall alias was created for the IP list (pfB_DNSBLIP), but I see no firewall alias or rule that would use the text file containing the 4,000 plus domains.  On my dashboard widget I do see a listing under aliases for DNSBL_EasyList, however it does not show a pop-up diplaying the underlying list like the other aliases do.

    I think all I need to do is create a formal alias for the EasyList, but wanted to check with the list to confirm this, and ask if there was any quirks I should be aware of when creating this.  Or, am I entirely off base and I need to do something else completely different.

    Thanks,
    Jeff


  • Moderator

    DNSBL and EasyList are "Domain" based… They do not create Firewall Rules or Aliases... This is why the Widget doesn't show a popup like the IP based Aliases...

    DNSBL has a DNSBL_IP option, that collects any IPs found in the DNSBL Domain based Feeds, and creates an IP Alias and associated firewall rule(s)...

    DNSBL utilizes the Unbound Resolver for its blocking...



  • Ok, that explains everything that I am seeing, and it appears to be correct.

    I have my dns (unbound) resolver turned on and it seems to be resolving my local and external addresses properly.

    I guess I need to figure out a simple way to determine if EasyList is working properly.  Probably check an obvious domain listed on EasyList and see what happens.

    Thanks,
    Jeff


  • Moderator

    Goto the Log Browser Tab, and you can view the DNSBL lists… then try nslookup those domains... Should resolve to the DNSBL VIP....

    Anything that is blocked should show in the Alerts Tab... (Browser based activity only)...



  • Ok, so I believe that I have a DNS puzzle that I need to solve.  None of the domains on the block list resolve to the DNSBL virtual IP, although it shows that they should be directed there looking at the list in the log browser.  Also the only thing showing in my Alerts tab is the few country blocks that I have setup.

    I think my DNS puzzle is an artifact of my network configuration.  Since long before I set up my pfSense box as the network gateway / firewall, I have had my network DNS / DHCP service running on a CentOS 6 virtual machine using dnsmasq (192.168.112.51).  The pfSense box has the DNS (Unbound) Resolver turned on, and it works to resolve external addresses.

    In the pfSense System/General Settings I have four dns servers listed in the following order, the dnsmasq box, two from my upstream service provider, then a Google public DNS server.  Under System/General Settings when I check the box identified as Disable DNS Forwarder, I am able to resolve my internal lan boxes (and external addresses).  If I uncheck this same setting it adds 127.0.0.1 to the top of my dns resolver list and I no longer can resolve my internal lan addresses (but still resolve external addresses), presumably because resolving stops at local host for local addresses and does not forward the request on to my dnsmasq box.

    I tried an nslookup on one of the sites with the Disable DNS Forwarded box unchecked and got the following response.

    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: camsitecash.com
    Address: 185.13.90.140

    With the Disable DNS Forwarded box checked, I get the following response.

    Server: 192.168.112.51
    Address: 192.168.112.51#53

    Non-authoritative answer:
    Name: camsitecash.com
    Address: 185.13.90.140

    Neither options seems to resolve to the DNSBL virtual IP.  So I am in a quandry regarding how to solve this.  My goal would be to be able to have my pfSense box show that it resolves the local lan addresses, while also being able to resolve the EasyList sites to the DNSBL virtual IP (i.e., blocking works).  Anyone have any ideas for me to try?  Thanks.

    Jeff


  • Moderator

    If you still have an internal DNS server on the Centos (Shouldn't need it since that can be done in pfSense), then you need to set the LAN devices to point to the Centos, and then have the Centos "External forwarder" set to pfSense Resolver. This way the resolver will fiter the DNS requests with DNSBL.

    It would make the most sense, to have all the Lan Devices point to pfSense only for its DNS.

    You can use the Resolver in "Resolver mode", meaning it will use the Root DNS servers for resolution, so it doesn't matter what is defined in the pfSense General Tab. However, when using the Resolver in "Resolver mode", its best to have the General Settings defined as 127.0.0.1, so that any DNS request from the pfSense box itself, is directed to the DNS resolver…

    You can also set the Resolver to be in "Forwarder mode", and this will utilize the DNS servers that are configured in the General Tab.

    I would recommend to use the Resolver in Resolver mode, and enable DNSSEC...

    From any LAN device, you should be able to ping the DNSBL VIP, and get a reply. You should also be able to browse to the DNSBL VIP and get a 1x1 pix.

    If you have a multi-segmented LAN, you might also need to enable the DNSBL Permit firewall rule option in the DNSBL tab, to allow the other LAN segments to access the DNSBL VIP on the LAN network.



  • Ok, I have to put out another fire today, but I did a quick test and one of my LAN Window boxes can ping the DNSBL VIP.  And also browsing to it gets the 1x1 pix.  So that is good.  I don't really have the time to put into switching my DNS from the CentOS box to pfSense (but I can understand the reason for doing so).  So I am going to have to make them work together.  I will look into your other suggestions over the weekend.  Thanks.

    Jeff



  • Ok, I am getting close on this, but am still puzzled about what is happening.  The Windows boxes on my lan have their DNS reference pointing to the dnsmasq box (192.168.112.51), and the dnsmasq box only has the pfSense gateway/firewall box (192.168.112.11) listed in its /etc/resolve.conf file, and therefore is fowarding all DNS queries to the pfSense box.  The pfSense box has DNS resolver enabled.  In the System/General Setup there are two upstream DNS servers from my provider, and one public DNS server from Google.  The Disable DNS Forwarder box on the General Setup page is not checked.  Therefore 127.0.0.1 shows as the first DNS server on the dashboard page.

    The EasyList sites are blocked when queried from the pfSense box.
    nslookup ad.doubleclick.net
    Server: 127.0.0.1
    Address: 127.0.0.1#53
    Name: ad.doubleclick.net
    Address: 10.10.10.1

    If I query the same site from a test Linux box on the local network I get the same results.
    [root@disect ~]# nslookup ad.doubleclick.net
    Server:        192.168.112.51
    Address:        192.168.112.51#53
    Name:  ad.doubleclick.net
    Address: 10.10.10.1

    If I query the same site from a Windows box on the local network I get a different result.  I even made sure to flush the Windows dns cache before doing the query.
    C:\Users\jeffb> nslookup ad.doubleclick.net
    Server:  taxa.mei.lan
    Address:  192.168.112.51
    Name:    dart.l.doubleclick.net
    Address:  216.58.216.134
    Aliases:  ad.doubleclick.net

    So I started a Wireshark trace on the Windows box to see what was happening.  Below is the summary of the final two sets of packets from the query and response exchange.

    1267 6.512617000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0004  A ad.doubleclick.net
    1269 6.513636000 192.168.112.51 192.168.112.101 DNS 94 Standard query response 0x0004  A 10.10.10.1

    1271 6.524775000 192.168.112.101 192.168.112.51 DNS 78 Standard query 0x0005  AAAA ad.doubleclick.net
    1273 6.525384000 192.168.112.51 192.168.112.101 DNS 78 Standard query response 0x0005

    A traceroute to ad.doubleclick.net from the Windows box shows that it initially goes to the pfSense box, then goes out to an IP of my upstream provider, then on to obtain the correct DNS number.

    From the Wireshark data it appears that DNS is returning the virtual IP of 10.10.10.1 for the DNS block list.  Searching the Wireshark data I can not see the address that the Windows box is showing at the command line response to the nslookup (216.58.216.134) anywhere.  So I don't understand why the Windows box is getting the correct DNS address for this site, while a Linux box on the lan, and the pfSense box are both returning the virtual IP for the block list.  What else should I be looking for, or looking at?  Thanks.

    Jeff