Netgate Discussion Forum

    Secure, Hardened and Private pfSense configuration (with pfBlockerNG DNSBL)

    Velcro

      BBcan177/pfBlocker fans,
      I must compliment you on a great package…at one point, when I had it working it was great but unfortunately as I have added rules and features to my configuration I have been unable to get it going again. I am looking to remove the OpenDNS IPs. The pfSense forum has been great in helping me move forward to a Secure, Hardened and Private pfSense configuration but I am having a hard time getting my DNSBL working. I followed these instructions: https://forum.pfsense.org/index.php?topic=102470.msg572943#msg572943 but no luck.

      My configuration is as follows:
      a) A Box with 4 actual networks (WAN, LAN, WIFI access point and AppleTV/Netflix box)
      b) VLAN on my WIFI for guests
      c) OpenVPN Interface to internet for WIFI and GuestVLAN
      d) LAN is dedicated for webGUI only (No internet access)
      e) Running 2.4 beta

      Variables I am juggling:

      1. I am using OpenDNS as my IPs to connect to the web, I have those input in:
        a) Services -> DHCP Server -> “Internal Interfaces” -> Servers -> DNS servers (In all my interfaces)
        b) System -> General Setup -> DNS Server Settings

      2. I have a OpenVPN(and VPN service provider) which I connect to the web:
        a) Would like to not have any DNS leaks

      3. I have my DNS resolver on:
        a) Services -> DNS Resolver -> General Settings -> Enabled
        b) Network Interfaces -> All
        c) Outgoing Network Interfaces -> All

      4. In System -> General Setup
        a) DNS Server Override is checked
        b) Disable DNS Forwarder is NOT checked

      5. I have a rule that blocks RFC_1918_nets
        a) 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
        b) I have this block rule on my WAN, LAN, AppleTV/Netflix, OpenVPN interface, WIFI and WIFI/guests VLAN interfaces

      6. Floating rule Blocking access to Firewall

      The DNSBL lists/rules download but I get no alerts and ads, pfBlockerNG geoIP is blocking countries but DNSBL is not showing alerts….any thoughts or ideas?

      Sincerely,
      Severally Hacked (Velcro) :-\

      pfBasic

        @Velcro:

        1. I am using OpenVPN as my IPs to connect to the web

        Do you mean you are using the IPs of DNS servers hosted by your VPN provider?

        @Velcro:

        1. I have a VPN which I connect to the web:
          a) Would like to not have any DNS leaks

        You can achieve this by using Unbound in resolver-only mode and selecting your VPN interface as the exit gateway. This would be more secure than using a DNS provider as it cuts out the third party. Do this by changing the following settings in bold.

        @Velcro:

        1. I am using OpenVPN as my IPs to connect to the web, I have those input in:
          a) Services -> DHCP Server -> “Internal Interfaces” -> Servers -> no entries here
          b) System -> General Setup -> DNS Server Settings no entries here

        …

        1. I have my DNS resolver on:
          a) Services -> DNS Resolver -> General Settings -> Enabled
          b) Network Interfaces -> All
          c) Outgoing Network Interfaces -> only your VPN client interface

        2. In System -> General Setup
          a) DNS Server Override is not checked
          b) Disable DNS Forwarder is checked

        Velcro

          Is there a way I can send you some beers?*****
          *Assuming you are over 21, on my continent and no export issues!

          @pfBasic:

          @Velcro:

          1. I am using OpenVPN as my IPs to connect to the web

          Do you mean you are using the IPs of DNS servers hosted by your VPN provider?

          pfBasic I caught my typo and went back and corrected the original, what I meant to say was:

          “1) I am using OpenDNS as my IPs to connect to the web, I have those input in…”

          @pfBasic:

          @Velcro:

          1. I have a VPN which I connect to the web:
            a) Would like to not have any DNS leaks

          You can achieve this by using Unbound in resolver-only mode and selecting your VPN interface as the exit gateway. This would be more secure than using a DNS provider as it cuts out the third party. Do this by changing the following settings in bold.

          @Velcro:

          1. I am using OpenVPN as my IPs to connect to the web, I have those input in:
            a) Services -> DHCP Server -> “Internal Interfaces” -> Servers -> no entries here
            b) System -> General Setup -> DNS Server Settings no entries here

          …

          1. I have my DNS resolver on:
            a) Services -> DNS Resolver -> General Settings -> Enabled
            b) Network Interfaces -> All
            c) Outgoing Network Interfaces -> only your VPN client interface

          2. In System -> General Setup
            a) DNS Server Override is not checked
            b) Disable DNS Forwarder is checked

          Awesome pfBlocker…I updated per above and did a DNS Leak Test…all good!

          My only concern is I still can’t get DNSBL to show alerts?? I am not sure if this adds more color to my issue but I also have the following settings:

          In Firewall -> pfBlockerNG -> General
          A) Inbound Firewall Rules : WAN, OpenVPN interface, WIFI and WIFI/guest VLAN interfaces selected (I am also OK if LAN, and AppleTV/Netflix were included)
          B) Outbound Firewall Rules : WAN and OpenVPN interface (pfBlocker I also added the WAN for my AppleTV)
          C) OpenVPN Interface -> checked??
          D) Floating rules -> checked

          Firewall -> pfBlockerNG -> DNSBL
          A) Enable DNSBL -> Checked
          B) DNSBL Firewall Rule -> All interfaces highlighted
          C) List Action -> Deny Outbound (Ideally I’d like “Deny Both”)

          Services -> DNS Resolver -> General Settings
          A) Network Interfaces -> All
          B) Outgoing Network Interfaces -> Open VPN Interface

          Thanks again for any and all help!

          pfBasic

            @Velcro:

            Is there a way I can send you some beers?*****
            *Assuming you are over 21, on my continent and no export issues!

            Haha, thank you for the offer but I couldn't accept! The whole point (IMO) of contributing to this forum is to help improve the pfSense & FreeBSD projects that provide this service to us for free, by enabling more people to better utilize it. So if you want to give back, buy some pfSense t-shirts or send a donation over to the FreeBSD Foundation! https://www.pfsense.org/get-involved/

            @Velcro:

            My only concern is I still can’t get DNSBL to show alerts?

            In the info pane at the top of the DNSBL page it states:

            Note: DNSBL requires the DNS Resolver (Unbound) to be used as the DNS service.

            The last post where you updated your DNS settings should have set your system up to use Unbound in resolver-only mode (the way it was previously configured you were forwarding your DNS requests to a third-party DNS server). Try running a DNS check on a computer on your network that you want DNSBL configured on. On Windows or Linux you can run this in the command line:

            nslookup google.com


            What does it say in the "Server:" and "Address:" Fields?
            If the return is your pfSense box, then you are using the Resolver, if not then it is an external DNS service and DNSBL won't work in that configuration.

            Also, what Feeds do you have configured? Are you using EasyList Feeds or Custom Feeds? What are your settings on those pages?
            What is your DNSBL Listening Interface?
            Look at the logs tab and check out the Log File dnsbl.log. Is there anything that looks relevant in there?
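            A scripted form of the nslookup check above, added here as an example that is not part of the original thread: it parses nslookup output (the samples below are constructed, with RFC 5737 addresses) and reports whether the client actually resolves through pfSense, which is the precondition DNSBL needs. The pfSense address 192.168.1.1 is a placeholder.

```shell
#!/bin/sh
# Added example: check whether a client's DNS queries reach the pfSense resolver.
# PFSENSE_DNS is a placeholder; set it to your pfSense LAN/VLAN address.
PFSENSE_DNS="${PFSENSE_DNS:-192.168.1.1}"

# Constructed sample outputs of `nslookup google.com` (RFC 5737 addresses).
# A client that still points at an external DNS server (DNSBL is bypassed):
SAMPLE_LEAK='Server:   203.0.113.53
Address:  203.0.113.53#53

Non-authoritative answer:
Name:     google.com
Address:  198.51.100.10'
# A client that uses pfSense/Unbound (DNSBL can act on the query):
SAMPLE_OK='Server:   192.168.1.1
Address:  192.168.1.1#53

Non-authoritative answer:
Name:     google.com
Address:  198.51.100.10'

# Print the resolver address from nslookup output on stdin. The first
# "Address:" line names the server on both Windows and Linux; strip the
# "#53" suffix Linux appends and any CR from Windows output.
dns_server_of() {
    awk '$1 == "Address:" { sub(/#.*/, "", $2); sub(/\r$/, "", $2); print $2; exit }'
}

# Exit 0 if the resolver is pfSense, 1 otherwise.
resolver_is_pfsense() {
    server=$(dns_server_of)
    [ "$server" = "$PFSENSE_DNS" ]
}

# Demo on the samples; on a real client run: nslookup google.com | resolver_is_pfsense
for s in "$SAMPLE_LEAK" "$SAMPLE_OK"; do
    if printf '%s\n' "$s" | resolver_is_pfsense; then
        echo "OK:   resolver is pfSense ($PFSENSE_DNS), DNSBL applies"
    else
        echo "LEAK: resolver is $(printf '%s\n' "$s" | dns_server_of), DNSBL bypassed"
    fi
done
```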

            pfBasic

              I forgot to mention, since you are hardening your system to defend against active attackers, securing your DNS queries is a very important piece of that. Unbound is a very secure resolver so I would recommend taking some time to familiarize yourself with it and optimizing and hardening its settings. By using Unbound, hardening it and only sending queries out through a VPN you are probably effectively impervious to DNS attacks from the massive majority of hacking. Check out this article and here are some suggestions for settings. https://calomel.org/unbound_dns.html

              Enable DNSSEC Support (this is authentication for your DNS queries to avoid spoofing attacks, kind of like SHA)

              NO Forwarding Mode
              NO DHCP Registration
              NO Static DHCP
              Hide Identity
              Hide Version
              Prefetch Support
              Prefetch DNS Key Support
              Harden DNSSEC Data

              You might be interested in the Unwanted Reply Threshold, but I've never used it and know nothing about it

              Experimental Bit 0x20 Support
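              The checklist above corresponds to directives in the unbound.conf that pfSense generates. As an added example (not from the thread or the pfSense project), this script audits a config file for those directives: the sample config is constructed, the GUI-option-to-directive mapping follows Unbound's documented option names, and /var/unbound/unbound.conf is assumed to be where pfSense writes the live file. DHCP Registration and Static DHCP are pfSense-side options without a single directive and are not checked.

```shell
#!/bin/sh
# Added example: audit an Unbound config for the hardening options listed above.
# Run as: sh audit.sh /var/unbound/unbound.conf  (path is an assumption; verify it)
# Constructed sample that is only partly hardened and still forwards.
SAMPLE_CONF='server:
    auto-trust-anchor-file: /var/unbound/root.key
    hide-identity: yes
    hide-version: no
    prefetch: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no

forward-zone:
    name: "."
    forward-addr: 203.0.113.53
'
# Print the value of a directive ("" if absent) from the config on stdin.
conf_value() {
    awk -v k="$1:" '$1 == k { print $2; exit }'
}
# Print one finding per line: "ok" for hardened, "MISSING"/"WARN" for problems.
audit_unbound() {
    conf=$(cat)
    # GUI option -> directive: Hide Identity, Hide Version, Prefetch Support,
    # Prefetch DNS Key Support, Harden DNSSEC Data, Experimental Bit 0x20 Support.
    for d in hide-identity hide-version prefetch prefetch-key \
             harden-dnssec-stripped use-caps-for-id; do
        v=$(printf '%s\n' "$conf" | conf_value "$d")
        if [ "$v" = "yes" ]; then
            echo "ok      $d"
        else
            echo "MISSING $d (currently '${v:-unset}')"
        fi
    done
    # Enable DNSSEC Support: validation needs a trust anchor to be configured.
    if [ -z "$(printf '%s\n' "$conf" | conf_value auto-trust-anchor-file)" ]; then
        echo "MISSING auto-trust-anchor-file (DNSSEC validation off)"
    fi
    # NO Forwarding Mode: any forward-zone means queries go to a third party.
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*forward-zone:'; then
        echo "WARN    forward-zone present: forwarding, not resolving"
    fi
}
# Number of problems found in the config on stdin (prints 0 when fully hardened).
audit_problems() {
    audit_unbound | grep -c -e '^MISSING' -e '^WARN' || true
}
if [ -n "$1" ]; then audit_unbound < "$1"; else printf '%s' "$SAMPLE_CONF" | audit_unbound; fi
```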
