Secure, Hardened and Private pfSense configuration (with pfBlockerNG DNSBL)



  • BBcan177/pfBlocker fans,
    I must compliment you on a great package…at one point, when I had it working it was great but unfortunately as I have added rules and features to my configuration I have been unable to get it going again. I am looking to remove the OpenDNS IPs. The pfSense forum has been great in helping me move forward to a Secure, Hardened and Private pfSense configuration but I am having a hard time getting my DNSBL working. I followed these instructions: https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943 but no luck.

    My configuration is as follows:
    a) A Box with 4 actual networks (WAN, LAN, WIFI access point and AppleTV/Netflix box)
    b) VLAN on my WIFI for guests
    c) OpenVPN Interface to internet for WIFI and GuestVLAN
    d) LAN is dedicated for webGUI only (No internet access)
    e) Running 2.4 beta

    Variables I am juggling:

    1. I am using OpenDNS as my IPs to connect to the web, I have those inputted in:
      a) Services -> DHCP Server -> “Internal Interfaces” -> Servers -> DNS servers (In all my interfaces)
      b) System -> General Setup -> DNS Server Settings

    2. I have a OpenVPN(and VPN service provider) which I connect to the web:
      a) Would like to not have any DNS leaks

    3. I Have my DNS resolver on:
      a) Services ->DNS Resolver ->General Settings -> Enabled
      b) Network Interfaces -> All
      c) Outgoing Network Interfaces -> All

    4. In System -> General Setup
      a) DNS Server Override is checked
      b) Disable DNS Forwarder is NOT checked

    5. I have a rule that blocks RFC_1918_nets
      a) 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
      b) I have this block rule on my WAN, LAN, AppleTV/Netflix, OpenVPN interface, WIFI and WIFI/guests VLAN interfaces

    6. Floating rule Blocking access to Firewall

    The DNSBL lists/rules download but I get no alerts and ads, pfBlockerNG geoIP is blocking countries but DNSBL is not showing alerts… any thoughts or ideas?

    Sincerely,
    Severally Hacked (Velcro) :-\


  • Banned

    @Velcro:

    1. I am using OpenVPN as my IPs to connect to the web

    Do you mean you are using the IPs of DNS servers hosted by your VPN provider?

    @Velcro:

    1. I have a VPN which I connect to the web:
      a) Would like to not have any DNS leaks

    You can achieve this by using Unbound in resolver-only mode and selecting your VPN interface as the exit gateway. This would be more secure than using a DNS provider as it cuts out the third party. Do this by changing the following settings in bold.

    @Velcro:

    1. I am using OpenVPN as my IPs to connect to the web, I have those inputted in:
      a) Services -> DHCP Server -> “Internal Interfaces” -> Servers -> no entries here
      b) System -> General Setup -> DNS Server Settings no entries here

    1. I Have my DNS resolver on:
      a) Services ->DNS Resolver ->General Settings -> Enabled
      b) Network Interfaces -> All
      c) Outgoing Network Interfaces -> only your VPN client interface

    2. In System -> General Setup
      a) DNS Server Override is not checked
      b) Disable DNS Forwarder is checked



  • Is there a way I can send you some beers?*****
    *Assuming you are over 21, on my continent and no export issues!

    @pfBasic:

    @Velcro:

    1. I am using OpenVPN as my IPs to connect to the web

    Do you mean you are using the IPs of DNS servers hosted by your VPN provider?

    pfBasic I caught my typo and went back and corrected the original, what I meant to say was:

    “1) I am using OpenDNS as my IPs to connect to the web, I have those inputted in…”

    @pfBasic:

    @Velcro:

    1. I have a VPN which I connect to the web:
      a) Would like to not have any DNS leaks

    You can achieve this by using Unbound in resolver-only mode and selecting your VPN interface as the exit gateway. This would be more secure than using a DNS provider as it cuts out the third party. Do this by changing the following settings in bold.

    @Velcro:

    1. I am using OpenVPN as my IPs to connect to the web, I have those inputted in:
      a) Services -> DHCP Server -> “Internal Interfaces” -> Servers -> no entries here
      b) System -> General Setup -> DNS Server Settings no entries here

    1. I Have my DNS resolver on:
      a) Services ->DNS Resolver ->General Settings -> Enabled
      b) Network Interfaces -> All
      c) Outgoing Network Interfaces -> only your VPN client interface

    2. In System -> General Setup
      a) DNS Server Override is not checked
      b) Disable DNS Forwarder is checked

    Awesome pfBlocker…I updated per above and did a DNS Leak Test…all good!

    My only concern is I still can’t get DNSBL to show alerts?? I am not sure if this adds more color to my issue but I also have the following settings:

    In Firewall ->pfBlockerNG ->General
    A) Inbound Firewall Rules : WAN, OpenVPN interface, WIFI and WIFI/guest VLAN interfaces selected (I am also OK if LAN, and AppleTV/Netflix were included)
    B) Outbound Firewall Rules : WAN and OpenVPN interface (pfBlocker I also added the WAN for my AppleTV)
    C) OpenVPN Interface -> checked??
    D) Floating rules -> checked

    Firewall -> pfBlockerNG ->DNSBL
    A) Enable DNSBL -> Checked
    B) DNSBL Firewall Rule -> All interfaces highlighted
    C) List Action -> Deny Outbound (Ideally I’d like “Deny Both”)

    Services ->DNS Resolver -> General Settings
    A) Network Interfaces -> All
    B) Outgoing Network Interfaces -> OpenVPN interface

    Thanks again for any and all help!


  • Banned

    @Velcro:

    Is there a way I can send you some beers?*****
    *Assuming you are over 21, on my continent and no export issues!

    Haha, thank you for the offer but I couldn't accept! The whole point (IMO) of contributing to this forum is to help improve the pfSense & FreeBSD projects that provide this service to us for free, by enabling more people to better utilize it. So if you want to give back, buy some pfSense t-shirts or send a donation over to the FreeBSD Foundation! https://www.pfsense.org/get-involved/

    @Velcro:

    My only concern is I still can’t get DNSBL to show alerts?

    In the info pane at the top of the DNSBL page it states:

    Note: DNSBL requires the DNS Resolver (Unbound) to be used as the DNS service.

    The DNS settings you updated in the last post should have set your system up to use Unbound in resolver-only mode (the way it was previously configured you were forwarding your DNS requests to a third party DNS server). Try running a DNS check on a computer on your network that you want DNSBL configured on. On Windows or Linux you can run this in the command line:

        nslookup google.com

    What does it say in the "Server:" and "Address:" Fields?
    If the return is your pfSense box, then you are using the Resolver, if not then it is an external DNS service and DNSBL won't work in that configuration.

    Also, what Feeds do you have configured? Are you using EasyList Feeds or Custom Feeds? What are your settings on those pages?
    What is your DNSBL Listening Interface?
    Look at the logs tab and check out the Log File dnsbl.log. Is there anything that looks relevant in there?
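    The "is the resolver actually my pfSense box?" check above, as an added example that is not part of the original post: a small POSIX shell script that parses nslookup output (Windows or Linux form) and compares the answering server to the pfSense address. The pfSense address 192.168.1.1 and the two nslookup transcripts are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread or from pfSense/pfBlockerNG.
# Decide whether a client is resolving through pfSense (Unbound) or through
# an external DNS server, which would mean DNSBL cannot see its queries.
# Assumption (placeholder): pfSense answers DNS on 192.168.1.1.
PFSENSE_DNS="${PFSENSE_DNS:-192.168.1.1}"

# Print the address of the answering server from nslookup output on stdin.
# Both Windows ("Address:  192.168.1.1") and Linux ("Address: 192.168.1.1#53")
# print the server's Address line before the answer section, so the first
# Address line is the one we want; strip a trailing "#53" and any CR.
nslookup_server_addr() {
    awk '/^Address:/ { sub(/\r$/, "", $0); sub(/#.*/, "", $2); print $2; exit }'
}

# $1: the full text of an nslookup run. Returns 0 if pfSense answered.
resolver_is_pfsense() {
    addr=$(printf '%s\n' "$1" | nslookup_server_addr)
    [ "$addr" = "$PFSENSE_DNS" ]
}

# Constructed sample: client using the pfSense resolver (Linux nslookup form).
SAMPLE_OK='Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.80.46'

# Constructed sample: client still pointed at OpenDNS (Windows nslookup form),
# i.e. the DNS-leak situation described earlier in the thread.
SAMPLE_LEAK='Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    google.com
Address:  142.250.80.46'

report() {
    # $1: label, $2: nslookup output
    if resolver_is_pfsense "$2"; then
        echo "$1: OK, resolver is pfSense ($PFSENSE_DNS); DNSBL can filter this host"
    else
        echo "$1: LEAK, resolver is $(printf '%s\n' "$2" | nslookup_server_addr); DNSBL is bypassed"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Run against the real resolver of the machine this is executed on.
    report "live" "$(nslookup google.com 2>&1)"
else
    report "sample_ok" "$SAMPLE_OK"
    report "sample_leak" "$SAMPLE_LEAK"
fi
```

    Run it with `--live` on the client you are testing; without arguments it only evaluates the two constructed samples.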


  • Banned

    I forgot to mention, since you are hardening your system to defend against active attackers, securing your DNS queries is a very important piece of that. Unbound is a very secure resolver so I would recommend taking some time to familiarize yourself with it and optimizing and hardening its settings. By using Unbound, hardening it and only sending queries out through a VPN you are probably effectively impervious to DNS attacks from the massive majority of hacking. Check out this article and here are some suggestions for settings. https://calomel.org/unbound_dns.html

    Enable DNSSEC Support (this is authentication for your DNS queries to avoid spoofing attacks, kind of like SHA)

    NO Forwarding Mode
    NO DHCP Registration
    NO Static DHCP
    Hide Identity
    Hide Version
    Prefetch Support
    Prefetch DNS Key Support
    Harden DNSSEC Data

    You might be interested in the Unwanted Reply Threshold, but I've never used it and know nothing about it

    Experimental Bit 0x20 Support
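    The resolver-only, VPN-exit setup from pfBasic's first reply and the hardening options listed in this last post, as an added example that is not part of the thread or of pfSense's generated configuration: a shell script that emits the unbound.conf `server:` stanza I believe these GUI options correspond to, and an audit function that flags a config still forwarding to a third-party resolver. The VPN tunnel address 10.8.0.2, the LAN address 192.168.1.1, the root.key path and the weak sample config are placeholders I constructed; the GUI-to-directive mapping is my own.

```shell
#!/bin/sh
# Added example, not pfSense's or pfBlockerNG's own code.
# Emits a hardened Unbound server stanza and audits an unbound.conf for the
# weak state described in the thread (forwarding to an external DNS server).
# Assumptions (placeholders): VPN tunnel IP 10.8.0.2, LAN IP 192.168.1.1,
# trust anchor at /var/unbound/root.key.
VPN_TUNNEL_IP="${VPN_TUNNEL_IP:-10.8.0.2}"
LAN_IP="${LAN_IP:-192.168.1.1}"
ROOT_KEY="${ROOT_KEY:-/var/unbound/root.key}"

hardened_unbound_conf() {
cat <<EOF
server:
    # Resolver-only mode: no forward-zone, Unbound iterates from the root itself
    interface: 127.0.0.1
    interface: ${LAN_IP}
    # "Outgoing Network Interfaces -> only your VPN client interface"
    outgoing-interface: ${VPN_TUNNEL_IP}
    # "Enable DNSSEC Support": validate answers against the root trust anchor
    auto-trust-anchor-file: "${ROOT_KEY}"
    # "Hide Identity" / "Hide Version": do not answer id.server / version.bind
    hide-identity: yes
    hide-version: yes
    # "Prefetch Support" / "Prefetch DNS Key Support"
    prefetch: yes
    prefetch-key: yes
    # "Harden DNSSEC Data": treat missing DNSSEC data as bogus for signed zones
    harden-dnssec-stripped: yes
    # "Experimental Bit 0x20 Support": randomise query-name case against spoofing
    use-caps-for-id: yes
    # "Unwanted Reply Threshold": flush cache after this many unsolicited replies
    unwanted-reply-threshold: 10000000
EOF
}

# Constructed weak config mirroring the original setup: forwarding everything
# to an external resolver, identity and version exposed, no DNSSEC.
weak_unbound_conf() {
cat <<EOF
server:
    interface: 0.0.0.0
    hide-identity: no
    hide-version: no
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
EOF
}

# Directives that must read "key: yes" in the hardened profile.
REQUIRED="hide-identity:yes hide-version:yes prefetch:yes prefetch-key:yes harden-dnssec-stripped:yes use-caps-for-id:yes"

# $1: path to an unbound.conf. Prints one line per finding; returns 1 on any FAIL.
audit_unbound_conf() {
    conf="$1"; rc=0
    if grep -Eq '^[[:space:]]*forward-zone:' "$conf"; then
        echo "FAIL: forward-zone present; Unbound forwards instead of resolving (DNSBL needs resolver mode)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*auto-trust-anchor-file:' "$conf"; then
        echo "FAIL: no auto-trust-anchor-file; DNSSEC validation is off"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*outgoing-interface:' "$conf"; then
        echo "WARN: no outgoing-interface; queries leave via the default route, not the VPN"
    fi
    for pair in $REQUIRED; do
        key=${pair%%:*}; val=${pair#*:}
        if ! grep -Eq "^[[:space:]]*${key}:[[:space:]]*${val}[[:space:]]*$" "$conf"; then
            echo "FAIL: ${key} is not set to ${val}"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: ${conf} matches the hardened profile"
    return "$rc"
}

tmp=$(mktemp -d)
hardened_unbound_conf > "$tmp/hardened.conf"
weak_unbound_conf > "$tmp/weak.conf"
audit_unbound_conf "$tmp/hardened.conf"
audit_unbound_conf "$tmp/weak.conf" || true
rm -rf "$tmp"
```

    Point `audit_unbound_conf` at the resolver's live configuration to check that the GUI changes actually landed; the WARN for a missing outgoing-interface is deliberate, since a box without a VPN exit is not wrong, just not the leak-free setup discussed here.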

