Big UNBOUND problem with PFBlockerNG



  • OK, I've been struggling on the -p1 release of 2.3.4 with UNBOUND and PFBlockerNG.

    I've found that if you go to:  services > dns resolver > display custom options > the PFBlockerNG config file path and file is missing on the -p1 release.

    server:include: /var/unbound/pfb_dnsbl.conf

    IF you put it in > click "save" you get a big fat motha F'n error like this:

    The following input errors were detected:
    
        The generated config file cannot be parsed by unbound. Please correct the following errors:
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
        [1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
    

    If you cat that file you see stuff like this:

    local-zone: "vg" redirect local-data: "vg 60 IN A 10.10.10.1"
    local-zone: "vg" redirect local-data: "vg 60 IN A 10.10.10.1"
    local-zone: "vi" redirect local-data: "vi 60 IN A 10.10.10.1"
    local-zone: "vi" redirect local-data: "vi 60 IN A 10.10.10.1"
    local-zone: "viajes" redirect local-data: "viajes 60 IN A 10.10.10.1"
    local-zone: "viajes" redirect local-data: "viajes 60 IN A 10.10.10.1"
    local-zone: "video" redirect local-data: "video 60 IN A 10.10.10.1"
    local-zone: "video" redirect local-data: "video 60 IN A 10.10.10.1"
    
    

    Now…why would it "double" all the records?  I have no clue!  This seems to be a bug.

    If I ssh into the box >

    cd /var/unbound
    mv pfb_dnsbl.conf
    cron update the pfblng
    

    …it rebuilds the conf file but then I get an all new error when trying to save that custom conf file:

    The following input errors were detected:
    
        The generated config file cannot be parsed by unbound. Please correct the following errors:
        [1501772178] unbound-checkconf[56676:0] error: local-data in redirect zone must reside at top of zone, not at 254.111.111.200.in-addr.arpa. PTR pfSense01.whatever.domain
        [1501772178] unbound-checkconf[56676:0] fatal error: failed local-zone, local-data configuration
    

    This is very irritating.  It ONLY happens when I use the "server:include: /var/unbound/pfb_dnsbl.conf" file in the "custom options" and this behavior does not do it on the -p1 release of 2.3.4.

    RELP RAGGY!  I'm still fiddling with it…I'm closer.

    Any relp?



  • HEY COMMUNITY!

    This is "fixed" if you just use this:  "include: /var/unbound/pfb_dnsbl.conf"

    They changed the syntax from "server:include: /var/unbound…." to just using "include: /var/unbound...".

    That's the fix!

    Now...ONE MORE PROBLEM!  The TLDs are "broken" and the TLDs are not getting blocked.  I've confirmed this by blocking .ly <-- bit.ly works and I get this error in the log:

    Executing TLD
    Blocking full TLD/Sub-Domain(s)... |aaa|aarp|abarth|abb|abbott|abbvie|abc|able|abogado|abudhabi|ac|academy|accenture|accountant|accountants|aco|active|actor|ad|adac|ads|adult|ae|aeg|aero|aetna|af|afamilycompany|afl|ag|agakhan|agency|ai|aig|airbus|airforce|airtel|akdn|al|alfaromeo|alibaba|alipay|allfinanz|allstate|ally|alsace|alstom|am|americanfamily|amfam|amica|amsterdam|analytics|android|anquan|anz|ao|apartments|app|apple|aq|aquarelle|ar|aramco|archi|army|arpa|art|arte|as|asia|associates|at|athleta|attorney|au|auction|audi|audible|audio|author|auto|autos|avianca|aw|aws|ax|axa|az|azure|ba|baby|baidu|banamex|bananarepublic|band|bank|bar|barcelona|barclaycard|barclays|barefoot|bargains|bauhaus|bayern|bb|bbc|bbt|bbva|bcg|bcn|bd|beats|beauty|beer|bentley|berlin|best|bestbuy|bet|bf|bg|bh|bharti|bi|bible|bid|bike|bing|bingo|bio|biz|bj|black|blackfriday|blanco|blockbuster|blog|bloomberg|blue|bm|bms|bmw|bn|bnl|bnpparibas|bo|boats|boehringer|bofa|bom|bond|boo|book|booking|boots|bosch|bostik|bot|boutique|br|bradesco|bridgestone|broadway|broker|brother|brussels|bs|bt|budapest|bugatti|build|builders|business|buy|buzz|bv|bw|by|bz|bzh|cab|cafe|cal|call|calvinklein|cam|camera|camp|cancerresearch|canon|capetown|capital|car|caravan|cards|care|career|careers|cars|cartier|casa|cash|casino|cat|catering|cba|cbn|cbre|cbs|cc|cd|ceb|center|ceo|cern|cf|cfa|cfd|cg|ch|chanel|channel|chase|chat|cheap|chintai|chloe|christmas|chrome|chrysler|church|ci|cipriani|circle|cisco|citadel|citi|citic|city|cityeats|ck|cl|claims|cleaning|click|clinic|clinique|clothing|cloud|club|clubmed|cm|cn|co|coach|codes|coffee|college|cologne|comcast|commbank|community|company|compare|computer|comsec|condos|construction|consulting|contact|contractors|cooking|cookingchannel|cool|coop|corsica|country|coupon|coupons|courses|cr|credit|creditcard|creditunion|cricket|crown|crs|cruises|csc|cu|cuisinella|cv|cw|cx|cy|cymru|cyou|dabur|dad|dance|date|dating|datsun|day|dclk|dds|deal|dealer|deals|degree|delivery|dell|deloitte|d
elta|democrat|dental|dentist|desi|design|dev|dhl|diamonds|diet|digital|direct|directory|discount|discover|dj|dk|dm|dnp|do|docs|doctor|dodge|dog|doha|domains|dot|download|drive|dtv|dubai|duck|dunlop|duns|dupont|durban|dvag|dz|earth|eat|ec|edeka|education|ee|eg|email|emerck|energy|engineer|engineering|enterprises|epost|epson|equipment|er|ericsson|erni|es|esq|estate|esurance|et|eurovision|eus|events|everbank|exchange|expert|exposed|express|extraspace|fage|fail|fairwinds|faith|family|fan|fans|farm|farmers|fashion|fast|fedex|feedback|ferrari|ferrero|fi|fiat|fidelity|film|final|finance|financial|fire|firestone|firmdale|fish|fishing|fit|fitness|fj|fk|flickr|flights|flir|florist|flowers|fly|fm|fo|foo|foodnetwork|football|ford|forex|forsale|forum|foundation|fox|fresenius|frl|frogans|frontdoor|frontier|ftr|fujitsu|fujixerox|fund|furniture|futbol|fyi|ga|gal|gallery|gallo|gallup|game|games|gap|garden|gb|gbiz|gd|gdn|ge|gea|gent|genting|gf|gg|ggee|gh|gi|gift|gifts|gives|giving|gl|glade|glass|gle|global|globo|gm|gmail|gmbh|gmo|gmx|gn|godaddy|gold|goldpoint|golf|goo|goodhands|goodyear|goog|google|gop|got|gp|gq|gr|grainger|graphics|gratis|green|gripe|group|gs|gt|gu|guardian|gucci|guge|guide|guitars|guru|gw|gy|hamburg|hangout|haus|hdfcbank|health|healthcare|help|helsinki|here|hermes|hgtv|hiphop|hisamitsu|hitachi|hiv|hk|hkt|hm|hn|hockey|holdings|holiday|homedepot|homegoods|homes|homesense|honda|honeywell|horse|host|hosting|hoteles|hotmail|house|how|hr|hsbc|ht|htc|hu|hyatt|hyundai|ibm|icbc|ice|icu|id|ie|ieee|ifm|iinet|ikano|il|im|imamat|imdb|immo|immobilien|in|industries|infiniti|info|ing|ink|institute|insurance|insure|int|intel|international|intuit|investments|ipiranga|iq|ir|irish|is|iselect|ismaili|ist|istanbul|it|itau|itv|iwc|jaguar|java|jcb|jcp|je|jeep|jetzt|jewelry|jlc|jll|jm|jmp|jnj|jo|jobs|joburg|jot|joy|jpmorgan|jprs|juegos|juniper|kaufen|kddi|ke|kerryhotels|kerrylogistics|kerryproperties|kfh|kg|kh|ki|kia|kim|kinder|kindle|kitchen|kiwi|km|kn|koeln|komatsu|kosher|kp|kpmg|kpn|kr|
krd|kred|kuokgroup|kw|ky|kyoto|kz|la|lacaixa|ladbrokes|lamborghini|lamer|lancaster|lancia|lancome|land|landrover|lanxess|lasalle|lat|latino|latrobe|law|lawyer|lb|lc|lds|lease|leclerc|lefrak|legal|lego|lexus|lgbt|li|liaison|lidl|life|lifeinsurance|lifestyle|lighting|like|lilly|limited|limo|lincoln|linde|link|lipsy|live|living|lixil|lk|loan|loans|locker|locus|loft|lol|london|lotte|lotto|love|lpl|lplfinancial|lr|ls|lt|ltd|ltda|lu|lundbeck|lupin|luxe|luxury|lv|ly|ma|macys|madrid|maif|maison|makeup|man|management|mango|market|marketing|markets|marriott|marshalls|maserati|mattel|mba|mc|mckinsey|md|me|med|media|meet|melbourne|meme|memorial|men|menu|meo|metlife|mg|mh|miami|microsoft|mil|mini|mint|mit|mitsubishi|mk|ml|mlb|mls|mm|mma|mn|mo|mobi|mobily|moda|moe|moi|mom|monash|money|montblanc|mopar|mormon|mortgage|moscow|motorcycles|mov|movie|movistar|mp|mq|mr|msd|mt|mtn|mtpc|mtr|mu|museum|mutual|mutuelle|mv|mw|mx|my|mz|na|nadex|nagoya|name|nationwide|natura|navy|nba|nc|ne|nec|netbank|netflix|network|neustar|new|news|next|nextdirect|nexus|nf|nfl|ng|ngo|nhk|ni|nico|nike|nikon|ninja|nissan|nissay|nl|no|nokia|northwesternmutual|norton|now|nowruz|nowtv|np|nr|nra|nrw|ntt|nu|nyc|nz|obi|off|office|okinawa|olayan|olayangroup|oldnavy|ollo|om|omega|one|ong|onl|online|onyourside|ooo|oracle|orange|organic|orientexpress|origins|osaka|otsuka|ott|ovh|pa|page|pamperedchef|panasonic|panerai|paris|pars|partners|parts|party|passagens|pccw|pe|pet|pf|pfizer|pg|ph|pharmacy|philips|photo|photography|photos|physio|piaget|pics|pictet|pictures|pid|pin|ping|pink|pioneer|pizza|pk|pl|place|play|playstation|plumbing|plus|pm|pn|pnc|pohl|poker|politie|porn|post|pr|pramerica|praxi|press|prime|pro|prod|productions|prof|progressive|promo|properties|property|protection|pru|prudential|ps|pt|pub|pw|pwc|py|qa|qpon|quebec|quest|qvc|racing|raid|re|read|realestate|realtor|realty|recipes|red|redstone|redumbrella|rehab|reise|reisen|reit|ren|rent|rentals|repair|report|republican|rest|restaurant|review|reviews|rexroth|rich
|richardli|ricoh|rightathome|rio|rip|ro|rocher|rocks|rodeo|room|rs|rsvp|ru|ruhr|run|rw|rwe|ryukyu|sa|saarland|safe|safety|sakura|sale|salon|samsung|sandvik|sandvikcoromant|sanofi|sap|sapo|sarl|sas|save|saxo|sb|sbi|sbs|sc|sca|scb|schaeffler|schmidt|scholarships|school|schule|schwarz|science|scjohnson|scor|scot|sd|se|seat|security|seek|select|sener|services|ses|seven|sew|sex|sexy|sfr|sg|sh|shangrila|sharp|shaw|shell|shia|shiksha|shoes|shop|shopping|shouji|show|showtime|shriram|si|silk|sina|singles|site|sj|sk|ski|skin|sky|skype|sl|sm|smart|smile|sn|sncf|so|soccer|social|softbank|software|sohu|solar|solutions|song|sony|soy|space|spiegel|spot|spreadbetting|sr|srl|srt|st|stada|staples|star|starhub|statebank|statefarm|statoil|stc|stcgroup|stockholm|storage|store|stream|studio|study|style|su|sucks|supplies|supply|support|surf|surgery|suzuki|sv|swatch|swiftcover|swiss|sx|sy|sydney|symantec|systems|sz|tab|taipei|talk|taobao|target|tatamotors|tatar|tattoo|tax|taxi|tc|tci|td|tdk|team|tech|technology|tel|telecity|telefonica|temasek|tennis|teva|tf|tg|th|thd|theater|theatre|tiaa|tickets|tienda|tiffany|tips|tires|tirol|tj|tjmaxx|tjx|tk|tkmaxx|tl|tm|tmall|tn|to|today|tokyo|tools|top|toray|toshiba|total|tours|town|toyota|toys|tr|trade|trading|training|travel|travelchannel|travelers|travelersinsurance|trust|trv|tt|tube|tui|tunes|tushu|tv|tvs|tw|tz|ua|ubs|uconnect|ug|uk|unicom|university|uno|uol|ups|uy|uz|va|vacations|vana|vc|ve|vegas|ventures|verisign|versicherung|vet|vg|vi|viajes|video|vig|viking|villas|vin|vip|virgin|visa|vision|vista|vistaprint|viva|vivo|vlaanderen|vn|vodka|volkswagen|vote|voting|voto|voyage|vu|vuelos|wales|walter|wang|wanggou|warman|watch|watches|weather|weatherchannel|webcam|weber|website|wed|wedding|weibo|weir|wf|whoswho|wien|wiki|williamhill|win|windows|wine|winners|wme|wolterskluwer|woodside|work|works|world|ws|wtc|wtf|xbox|xerox|xfinity|xihuan|xin|xperia|xxx|xyz|yachts|yahoo|yamaxun|yandex|ye|yodobashi|yoga|yokohama|you|youtube|yt|yun|za|zappos|zara|zero|zip|
zippo|zm|zone|zuerich|zw| completed
    TLD analysis. completed
    Finalizing TLD...  completed

    Original    Matches    Removed    Final

    77733      12903      45245      32488

    Validating database... completed [ 08/03/17 11:30:24 ]

    DNSBL enabled FAIL - restoring Unbound conf
    [1501774224] unbound-checkconf[17900:0] error: local-data in redirect zone must reside at top of zone, not at 254.111.111.200.in-addr.arpa.  PTR  pfSense01.whatever.domain
    [1501774224] unbound-checkconf[17900:0] fatal error: failed local-zone, local-data configuration
    

    This is a bit of an "unusual" config because my client has a local subnet NAT'd that's using a public IP LOL…their local subnet is 200.111.111.0/24.  I suspect this is borking the unbound-check.

    Thoughts?



  • OK!

    Chatted with BBCan <– donate $$$ to that guy!

    He suggested I pare down my TLD list and he was right.  I'm digging through it now.  Once I just listed the "aaa" TLD it passed validation:

    
    Executing TLD
     Blocking full TLD/Sub-Domain(s)... |aaa| completed
    TLD analysis. completed
    Finalizing TLD...  completed
     ----------------------------------------
     Original    Matches    Removed    Final     
     ----------------------------------------
     77733       16642      35594      42139     
     -----------------------------------------
    Validating database... completed [ 08/03/17 12:27:06 ]
    Reloading Unbound.... completed
    DNSBL update [ 42139 | PASSED  ]... completed [ 08/03/17 12:27:08 ]
    


  • I figured this out.

    In my TLD I'm blocking "arpa"…so when unbound tries to "validate" the TLDs I guess it gets blocked from doing a reverse lookup and it returns a block on the reverse lookup because it ends in ".arpa" LOL.

    I'll have to remove .arpa from my TLD block I guess.  I don't want to though.  If you're doing local DNS resolution for reverse lookups it will work because it'll look at your local servers for the answer and they'll answer it...they won't ever ask unbound on PFSense for this answer.  You'd only have a problem with the .arpa TLD if you used PFSense / Unbound as your sole DNS server.  That's not my case.

    Thanks!  Hope this helps someone!
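The two unbound-checkconf complaints in this thread (the "duplicate local-zone" warnings from the doubled pfb_dnsbl.conf in the first post, and the "local-data in redirect zone must reside at top of zone" fatal error that the "arpa" TLD block causes in the last post) can both be caught before Unbound is asked to reload. The script below is an added example, not pfBlockerNG's or pfSense's code: it parses a file in the `local-zone: "x" redirect local-data: "x 60 IN A ..."` style shown above and reports both conditions. The sample configuration inside it is constructed, and the "enclosing zone" check is an approximation of Unbound's own rule (longest-suffix match of the record owner against the declared zones), not Unbound's implementation.

```python
import re

# Constructed sample in the style of pfBlockerNG's pfb_dnsbl.conf (not a real
# generated file): one doubled zone, plus a redirect zone for the "arpa" TLD
# with a PTR record sitting below its apex, as in the thread's error message.
SAMPLE_CONF = """\
local-zone: "vg" redirect local-data: "vg 60 IN A 10.10.10.1"
local-zone: "vg" redirect local-data: "vg 60 IN A 10.10.10.1"
local-zone: "video" redirect local-data: "video 60 IN A 10.10.10.1"
local-zone: "arpa" redirect local-data: "arpa 60 IN A 10.10.10.1"
local-data: "254.111.111.200.in-addr.arpa. PTR pfSense01.whatever.domain"
"""

LOCAL_ZONE_RE = re.compile(r'local-zone:\s*"([^"]+)"\s+(\S+)')
LOCAL_DATA_RE = re.compile(r'local-data:\s*"([^"]+)"')


def normalize(name):
    """Canonical DNS name: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def parse_conf(text):
    """Return (zones, records).

    zones maps a zone name to the list of zone types declared for it (one
    entry per declaration, so a doubled zone shows up as two entries).
    records is a list of (owner_name, rr_text) for every local-data statement.
    """
    zones = {}
    records = []
    for line in text.splitlines():
        for name, ztype in LOCAL_ZONE_RE.findall(line):
            zones.setdefault(normalize(name), []).append(ztype)
        for rr in LOCAL_DATA_RE.findall(line):
            owner = normalize(rr.split()[0])
            records.append((owner, rr))
    return zones, records


def duplicate_zones(zones):
    """Zone names declared more than once (unbound-checkconf's 'duplicate local-zone')."""
    return sorted(name for name, types in zones.items() if len(types) > 1)


def enclosing_zone(owner, zones):
    """Longest-suffix match: the declared zone equal to, or a parent of, owner."""
    labels = owner.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def misplaced_redirect_data(zones, records):
    """local-data whose owner lies below (not at) the apex of a redirect zone.

    This is the condition behind 'local-data in redirect zone must reside at
    top of zone': a redirect zone answers for every name under it, so data
    for a sub-name can never be served and Unbound refuses the config.
    """
    bad = []
    for owner, rr in records:
        zone = enclosing_zone(owner, zones)
        if zone is not None and "redirect" in zones[zone] and owner != zone:
            bad.append((owner, zone))
    return bad


def check(text):
    """Human-readable findings for a config, empty list when it is clean."""
    zones, records = parse_conf(text)
    findings = [f"duplicate local-zone: {z}" for z in duplicate_zones(zones)]
    findings += [
        f"local-data {owner} is below the apex of redirect zone {zone}"
        for owner, zone in misplaced_redirect_data(zones, records)
    ]
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONF):
        print(line)
```

Run it against /var/unbound/pfb_dnsbl.conf (plus any custom options that carry local-data, such as a static PTR for the firewall) and it points at the offending zone rather than the whole file; the thread's remedy of dropping "arpa" from the TLD block list corresponds to the last sample line no longer having a redirect parent.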

