DNSBL/EasyList used to work – now does not
-
I know there are a ton of these threads, and I sincerely apologize. Likewise, I acknowledge that my ignorance of networking and its terminology may make it difficult to lend a hand.
Like the subject says, I cannot get the DNSBL function to work on pfBlockerNG. The annoying thing is that it WAS working previously – some other change must have caused it to stop working, and I cannot figure out what it was. Here are the facts:
- pfSense version is 2.3.3, and pfBlockerNG is a fresh install as of today.
- pfBlockerNG is the only package I have installed.
- When I reinstalled pfBlockerNG today, I did NOT maintain settings. The idea here was to reconfigure it from scratch.
- DNS Resolver is enabled.
- DNS Forwarder is disabled.
- DNSSEC = Enabled.
- DNS Query Forwarding = Disabled.
- DHCP Registration = Disabled.
- Static DHCP = Disabled.
- DNSBL is enabled in pfBlockerNG, with "Deny Both" list action.
- I have configured DNSBL EasyList. I have two feed entries here, and all categories are selected in settings.
- DNSBL - EasyList Settings has list action set to "Unbound", and Alexa whitelisting disabled.
- Currently, I ONLY have EasyList configured. I no longer have any entries in the DNSBL Feeds tab.
- Until I get this straightened out, I do not have IPv4 blocking engaged or configured.
- All devices on my home network are on 192.168.1.XXX, with some devices having a static IP.
- Almost all devices are connecting to WAN through OpenVPN (PIA). I've tested on both VPN and non-VPN devices.
I'm happy to provide any other information I can that may help here. Any assistance would be appreciated!
-
Can you ping the DNSBL VIP address from your LAN devices?
Can you browse to the DNSBL VIP address and get the 1x1 pixel? If the answer to the above is no, then you need to ensure that your LAN devices are using the pfSense Resolver for their DNS requests.
If you go to the Log Tab in pfBNG and view the DNSBL Feed… Find one domain and see if it replies with the DNSBL VIP...
host -t A ad-media.org
or
nslookup ad-media.org
-
Can you ping the DNSBL VIP address from your LAN devices?
Can you browse to the DNSBL VIP address and get the 1x1 pixel?
Yes to both.
-
If you go to the Log Tab in pfBNG and view the DNSBL Feed… Find one domain and see if it replies with the DNSBL VIP...
host -t A ad-media.org
or
nslookup ad-media.org
To be completely honest, I am not sure what specific log I was supposed to be looking in. I went to Firewall / pfBlockerNG / Log Browser, and viewed the dnsbl.log file. There were no domains there, so I'm sure I was looking in the wrong place.
I'm not sure where I was supposed to execute that command, but I opened a command prompt on a system in this LAN, and entered "nslookup ad-media.org". This is what it returned:
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  209.222.18.222

Non-authoritative answer:
Name:    ad-media.org
Addresses:  2a01:238:20a:202:1068::
          81.169.145.68
-
Change the Log/File Type to: "DNSBL Files"
Then select the EasyList feed… This will show what domains are listed. Then try those commands again... Be careful as some domains can be malicious, so don't browse to them.
If you have a domain listed in DNSBL, but the host or nslookup cmds don't reply back with the DNSBL VIP address, then you have some settings that are bypassing DNSBL/pfSense Resolver.
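The check described in the reply above (does a DNSBL-listed domain come back as the DNSBL VIP, or as its real address?) can be scripted so a whole feed is tested at once and any bypass of the pfSense Resolver shows up immediately. The script below is an added example for this thread, not pfBlockerNG's own code or anything posted by the participants. It assumes the `host` command is installed on the machine running it; the VIP and resolver addresses are placeholders to be replaced with the DNSBL Virtual IP configured in pfBlockerNG and the LAN address of pfSense.

```shell
#!/bin/sh
# Added example (not from the thread): verify that domains listed in DNSBL
# resolve to the DNSBL VIP when asked through the pfSense Resolver, and flag
# the ones that do not. A "bypassed" verdict means the answer came from a
# resolver that is not running DNSBL (for example a DNS server handed out by
# DHCP or set by a VPN client), which is exactly the symptom in this thread.

DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"   # placeholder: the VIP set in DNSBL settings
RESOLVER="${RESOLVER:-192.168.1.1}"    # placeholder: LAN address of pfSense

# Pull every IPv4 A-record answer out of 'host -t A' output (stdin).
# Lines such as "ad-media.org has address 81.169.145.68" yield the address;
# "has IPv6 address" lines and error lines do not match and are dropped.
parse_host_a() {
    sed -n 's/^.* has address \([0-9.][0-9.]*\)$/\1/p'
}

# Classify one lookup result read from stdin against the VIP given as $1:
#   blocked  - every A answer is the DNSBL VIP (DNSBL intercepted the query)
#   bypassed - at least one real address came back (query did not hit DNSBL)
#   noanswer - no A record at all (NXDOMAIN, timeout, resolver unreachable)
classify() {
    vip="$1"
    addrs=$(parse_host_a)
    [ -z "$addrs" ] && { echo noanswer; return; }
    for a in $addrs; do
        [ "$a" = "$vip" ] || { echo bypassed; return; }
    done
    echo blocked
}

# Query the resolver for one domain and classify the answer.
# The resolver is named explicitly so the test does not depend on whatever
# DNS server the client happens to have picked up from DHCP.
check_domain() {
    host -t A "$1" "$RESOLVER" 2>/dev/null | classify "$DNSBL_VIP"
}

# Walk a domain list (one per line on stdin), e.g. a copy of the EasyList
# file shown by the pfBlockerNG Log Browser, and print "verdict<TAB>domain".
check_list() {
    while read -r d; do
        [ -z "$d" ] && continue
        printf '%s\t%s\n' "$(check_domain "$d")" "$d"
    done
}

# Usage: sh check_dnsbl.sh domains.txt
if [ -n "${1:-}" ]; then
    check_list < "$1"
fi
```

Only "bypassed" lines matter for this thread: if the pfSense Resolver itself returns real addresses for listed domains, DNSBL is not loaded into Unbound; if a lookup without the explicit resolver argument returns real addresses while this script reports "blocked", the client is simply not using pfSense for DNS, which is the DHCP misconfiguration found later in the thread.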
-
So I think I've had a moment of clarity here, thanks to your responses. I currently have Services / DHCP Server / LAN settings set to use PIA's DNS servers. This is what's overriding pfBNG, yeah?
I changed that setting and flushed the DNS for the LAN device I'm checking with, but it's still showing PIA's servers when I use nslookup on one of the EasyList domains. Should I give it time or try another command?
-
Set the DHCP server to serve the pfSense address so that DNSBL will pick up the request first… then any other DNS requests for an external domain can be resolved after that... I don't use OpenVPN, but there are lots of other threads out there to describe how to set that part up with DNSBL.
You might need to release/renew/flush the DHCP lease so it gets the correct DNS Servers on your LAN devices...
ipconfig /all
-
Thanks! It's working now. nslookup on EasyList addresses returns the VIP address. Thanks so much!
This is a stupid question, I realize, but can you suggest what I should be searching for to find one of those threads? I've tried searching for two dozen or so variations on "(pfblockerng OR pfbng) designate dns servers without breaking dnsbl", but cannot find them. I realize this is because I'm uneducated to the point that I cannot determine what information I am specifically looking for.
-
Set DNSBL IP Firewall Rule Settings > List Action > Deny Outbound instead of Both,
and remove any PIA DNS server IP from Services > DHCP Server > LAN. For firewall rules, follow the PIA pfSense guide (go to the end of the page): https://www.privateinternetaccess.com/pages/client-support/pfsense