PfBlockerNG + DNSBL = NXDOMAIN



  • Hi everyone!

    Is there a way to tell pfBlockerNG to format the pfb_dnsbl.conf like this:

    local-zone: "152media.com" static
    
    

    rather than this:

    local-data: "152media.com 60 IN A 10.10.10.1"
    
    

    I want my DNS to return NXDOMAIN on filtered domains rather than a "wrong" IP address.

    Cheers



  • I've added

    ```
    && /usr/bin/sed -E -i '' -e 's/.*"([^ ]+) .*/local-zone: "\1" static/' /var/unbound/pfb_dnsbl.conf
    ```


  • Banned

    You realize that this "improvement" breaks the alerts logging plus will cause issues with browsers as well, right?



  • Apart from the original solution (returning 10.10.10.1 instead of NXDOMAIN) actually causing issues with browsers I haven't seen any problems so far. Which problems with browsers would that be?

    Regarding the alert logging: I don't need that. All I want to achieve is domain based blocking in the DNS, nothing more, nothing less ;)

    However, your answer made me think. Maybe pfBlockerNG is kind of an overkill solution to my problem. I could easily download the lists and compile an unbound configuration with a simple script instead…

    Regardless, I'd still like to know which "issues with browsers" you are referring to.
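
Added example, not part of any post in this thread and not pfBlockerNG code: a shell filter for the rewrite discussed above, turning `local-data` A-record lines into `local-zone ... static` lines so that unbound answers NXDOMAIN. The function names `to_static_zones` and `sample_conf` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Input  (stdin):  local-data: "example.com 60 IN A 10.10.10.1"
# Output (stdout): local-zone: "example.com" static
# to_static_zones is a hypothetical helper name, not part of pfBlockerNG.
to_static_zones() {
    awk '
    # Only rewrite local-data lines; pass nothing else through.
    /^[ \t]*local-data:[ \t]*"/ {
        line = $0
        sub(/^[^"]*"/, "", line)   # drop everything up to the opening quote
        sub(/".*$/, "", line)      # drop the closing quote and what follows
        n = split(line, f, /[ \t]+/)
        # Expect exactly: name ttl IN A address
        if (n != 5 || f[3] != "IN" || f[4] != "A") next
        name = tolower(f[1])
        sub(/\.$/, "", name)       # normalise a trailing root dot
        # Accept hostname characters only, so a list entry cannot
        # break out of the quotes or inject another directive.
        if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) next
        if (seen[name]++) next     # emit each zone once
        printf "local-zone: \"%s\" static\n", name
    }'
}

# Constructed sample input (not taken from a real blocklist).
sample_conf() {
    printf '%s\n' \
        'local-data: "152media.com 60 IN A 10.10.10.1"' \
        'local-data: "152MEDIA.com. 60 IN A 10.10.10.1"' \
        'local-data: "bad\"name.com 60 IN A 10.10.10.1"' \
        'server:' \
        'local-data: "ads.example.net 60 IN A 0.0.0.0"'
}

sample_conf | to_static_zones
```

Running `unbound-checkconf` on the resulting configuration before reloading unbound catches syntax errors in the generated file.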


  • Banned

    I must be special, but I do NOT appreciate loads of "domain not found" errors in place of the blocked stuff. That's the whole point of the 1x1gif webserver.


  • Moderator

    The next version of the package will have the option to define "0.0.0.0" (No logging option) instead of the DNSBL VIP on a per Group basis…

    You could edit this file:  /usr/local/pkg/pfblockerng/pfblockerng.inc  Line #3594

    and change the line

    From:

    $domain_data .= "local-data: \"" . $line . " 60 IN A {$pfb['dnsbl_vip']}\"\n";
    

    To:

    $domain_data .= "local-data: \"" . $line . " 60 IN A 0.0.0.0\"\n";
    

    and follow that with a Force Reload - DNSBL.



  • The reason for the blank img method is some sites check for a 200 status.

