Big UNBOUND problem with PFBlockerNG
-
OK, I've been struggling on the -p1 release of 2.3.4 with UNBOUND and PFBlockerNG.
I've found that if you go to: services > dns resolver > display custom options > the PFBlockerNG config file path and file is missing on the -p1 release.
server:include: /var/unbound/pfb_dnsbl.conf
IF you put it in > click "save" you get a big fat motha F'n error like this:
The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors:
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
[1501771602] unbound-checkconf[11309:0] warning: duplicate local-zone
If you cat that file you see stuff like this:
local-zone: "vg" redirect
local-data: "vg 60 IN A 10.10.10.1"
local-zone: "vg" redirect
local-data: "vg 60 IN A 10.10.10.1"
local-zone: "vi" redirect
local-data: "vi 60 IN A 10.10.10.1"
local-zone: "vi" redirect
local-data: "vi 60 IN A 10.10.10.1"
local-zone: "viajes" redirect
local-data: "viajes 60 IN A 10.10.10.1"
local-zone: "viajes" redirect
local-data: "viajes 60 IN A 10.10.10.1"
local-zone: "video" redirect
local-data: "video 60 IN A 10.10.10.1"
local-zone: "video" redirect
local-data: "video 60 IN A 10.10.10.1"
Now…why would it "double" all the records? I have no clue! This seems to be a bug.
If I ssh into the box >
cd /var/unbound
mv pfb_dnsbl.conf
then run the pfBlockerNG cron update
…it rebuilds the conf file but then I get an all new error when trying to save that custom conf file:
The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors:
[1501772178] unbound-checkconf[56676:0] error: local-data in redirect zone must reside at top of zone, not at 254.111.111.200.in-addr.arpa. PTR pfSense01.whatever.domain
[1501772178] unbound-checkconf[56676:0] fatal error: failed local-zone, local-data configuration
This is very irritating. It ONLY happens when I use the "server:include: /var/unbound/pfb_dnsbl.conf" file in the "custom options", and this does not happen on the -p1 release of 2.3.4.
RELP RAGGY! I'm still fiddling with it…I'm closer.
Any relp?
-
HEY COMMUNITY!
This is "fixed" if you just use this: "include: /var/unbound/pfb_dnsbl.conf"
They changed the syntax from "server:include: /var/unbound…." to just using "include: /var/unbound...".
That's the fix!
Now...ONE MORE PROBLEM! The TLDs are "broken" and the TLDs are not getting blocked. I've confirmed this by blocking .ly <-- bit.ly works and I get this error in the log:
Executing TLD
Blocking full TLD/Sub-Domain(s)... |aaa|aarp|abarth|abb|abbott|abbvie|abc|able|abogado|abudhabi|ac|academy|accenture|accountant|accountants|aco|active|actor|ad|adac|ads|adult|ae|aeg|aero|aetna|af|afamilycompany|afl|ag|agakhan|agency|ai|aig|airbus|airforce|airtel|akdn|al|alfaromeo|alibaba|alipay|allfinanz|allstate|ally|alsace|alstom|am|americanfamily|amfam|amica|amsterdam|analytics|android|anquan|anz|ao|apartments|app|apple|aq|aquarelle|ar|aramco|archi|army|arpa|art|arte|as|asia|associates|at|athleta|attorney|au|auction|audi|audible|audio|author|auto|autos|avianca|aw|aws|ax|axa|az|azure|ba|baby|baidu|banamex|bananarepublic|band|bank|bar|barcelona|barclaycard|barclays|barefoot|bargains|bauhaus|bayern|bb|bbc|bbt|bbva|bcg|bcn|bd|beats|beauty|beer|bentley|berlin|best|bestbuy|bet|bf|bg|bh|bharti|bi|bible|bid|bike|bing|bingo|bio|biz|bj|black|blackfriday|blanco|blockbuster|blog|bloomberg|blue|bm|bms|bmw|bn|bnl|bnpparibas|bo|boats|boehringer|bofa|bom|bond|boo|book|booking|boots|bosch|bostik|bot|boutique|br|bradesco|bridgestone|broadway|broker|brother|brussels|bs|bt|budapest|bugatti|build|builders|business|buy|buzz|bv|bw|by|bz|bzh|cab|cafe|cal|call|calvinklein|cam|camera|camp|cancerresearch|canon|capetown|capital|car|caravan|cards|care|career|careers|cars|cartier|casa|cash|casino|cat|catering|cba|cbn|cbre|cbs|cc|cd|ceb|center|ceo|cern|cf|cfa|cfd|cg|ch|chanel|channel|chase|chat|cheap|chintai|chloe|christmas|chrome|chrysler|church|ci|cipriani|circle|cisco|citadel|citi|citic|city|cityeats|ck|cl|claims|cleaning|click|clinic|clinique|clothing|cloud|club|clubmed|cm|cn|co|coach|codes|coffee|college|cologne|comcast|commbank|community|company|compare|computer|comsec|condos|construction|consulting|contact|contractors|cooking|cookingchannel|cool|coop|corsica|country|coupon|coupons|courses|cr|credit|creditcard|creditunion|cricket|crown|crs|cruises|csc|cu|cuisinella|cv|cw|cx|cy|cymru|cyou|dabur|dad|dance|date|dating|datsun|day|dclk|dds|deal|dealer|deals|degree|delivery|dell|deloitte|delta
|democrat|dental|dentist|desi|design|dev|dhl|diamonds|diet|digital|direct|directory|discount|discover|dj|dk|dm|dnp|do|docs|doctor|dodge|dog|doha|domains|dot|download|drive|dtv|dubai|duck|dunlop|duns|dupont|durban|dvag|dz|earth|eat|ec|edeka|education|ee|eg|email|emerck|energy|engineer|engineering|enterprises|epost|epson|equipment|er|ericsson|erni|es|esq|estate|esurance|et|eurovision|eus|events|everbank|exchange|expert|exposed|express|extraspace|fage|fail|fairwinds|faith|family|fan|fans|farm|farmers|fashion|fast|fedex|feedback|ferrari|ferrero|fi|fiat|fidelity|film|final|finance|financial|fire|firestone|firmdale|fish|fishing|fit|fitness|fj|fk|flickr|flights|flir|florist|flowers|fly|fm|fo|foo|foodnetwork|football|ford|forex|forsale|forum|foundation|fox|fresenius|frl|frogans|frontdoor|frontier|ftr|fujitsu|fujixerox|fund|furniture|futbol|fyi|ga|gal|gallery|gallo|gallup|game|games|gap|garden|gb|gbiz|gd|gdn|ge|gea|gent|genting|gf|gg|ggee|gh|gi|gift|gifts|gives|giving|gl|glade|glass|gle|global|globo|gm|gmail|gmbh|gmo|gmx|gn|godaddy|gold|goldpoint|golf|goo|goodhands|goodyear|goog|google|gop|got|gp|gq|gr|grainger|graphics|gratis|green|gripe|group|gs|gt|gu|guardian|gucci|guge|guide|guitars|guru|gw|gy|hamburg|hangout|haus|hdfcbank|health|healthcare|help|helsinki|here|hermes|hgtv|hiphop|hisamitsu|hitachi|hiv|hk|hkt|hm|hn|hockey|holdings|holiday|homedepot|homegoods|homes|homesense|honda|honeywell|horse|host|hosting|hoteles|hotmail|house|how|hr|hsbc|ht|htc|hu|hyatt|hyundai|ibm|icbc|ice|icu|id|ie|ieee|ifm|iinet|ikano|il|im|imamat|imdb|immo|immobilien|in|industries|infiniti|info|ing|ink|institute|insurance|insure|int|intel|international|intuit|investments|ipiranga|iq|ir|irish|is|iselect|ismaili|ist|istanbul|it|itau|itv|iwc|jaguar|java|jcb|jcp|je|jeep|jetzt|jewelry|jlc|jll|jm|jmp|jnj|jo|jobs|joburg|jot|joy|jpmorgan|jprs|juegos|juniper|kaufen|kddi|ke|kerryhotels|kerrylogistics|kerryproperties|kfh|kg|kh|ki|kia|kim|kinder|kindle|kitchen|kiwi|km|kn|koeln|komatsu|kosher|kp|kpmg|kpn|kr|krd|
kred|kuokgroup|kw|ky|kyoto|kz|la|lacaixa|ladbrokes|lamborghini|lamer|lancaster|lancia|lancome|land|landrover|lanxess|lasalle|lat|latino|latrobe|law|lawyer|lb|lc|lds|lease|leclerc|lefrak|legal|lego|lexus|lgbt|li|liaison|lidl|life|lifeinsurance|lifestyle|lighting|like|lilly|limited|limo|lincoln|linde|link|lipsy|live|living|lixil|lk|loan|loans|locker|locus|loft|lol|london|lotte|lotto|love|lpl|lplfinancial|lr|ls|lt|ltd|ltda|lu|lundbeck|lupin|luxe|luxury|lv|ly|ma|macys|madrid|maif|maison|makeup|man|management|mango|market|marketing|markets|marriott|marshalls|maserati|mattel|mba|mc|mckinsey|md|me|med|media|meet|melbourne|meme|memorial|men|menu|meo|metlife|mg|mh|miami|microsoft|mil|mini|mint|mit|mitsubishi|mk|ml|mlb|mls|mm|mma|mn|mo|mobi|mobily|moda|moe|moi|mom|monash|money|montblanc|mopar|mormon|mortgage|moscow|motorcycles|mov|movie|movistar|mp|mq|mr|msd|mt|mtn|mtpc|mtr|mu|museum|mutual|mutuelle|mv|mw|mx|my|mz|na|nadex|nagoya|name|nationwide|natura|navy|nba|nc|ne|nec|netbank|netflix|network|neustar|new|news|next|nextdirect|nexus|nf|nfl|ng|ngo|nhk|ni|nico|nike|nikon|ninja|nissan|nissay|nl|no|nokia|northwesternmutual|norton|now|nowruz|nowtv|np|nr|nra|nrw|ntt|nu|nyc|nz|obi|off|office|okinawa|olayan|olayangroup|oldnavy|ollo|om|omega|one|ong|onl|online|onyourside|ooo|oracle|orange|organic|orientexpress|origins|osaka|otsuka|ott|ovh|pa|page|pamperedchef|panasonic|panerai|paris|pars|partners|parts|party|passagens|pccw|pe|pet|pf|pfizer|pg|ph|pharmacy|philips|photo|photography|photos|physio|piaget|pics|pictet|pictures|pid|pin|ping|pink|pioneer|pizza|pk|pl|place|play|playstation|plumbing|plus|pm|pn|pnc|pohl|poker|politie|porn|post|pr|pramerica|praxi|press|prime|pro|prod|productions|prof|progressive|promo|properties|property|protection|pru|prudential|ps|pt|pub|pw|pwc|py|qa|qpon|quebec|quest|qvc|racing|raid|re|read|realestate|realtor|realty|recipes|red|redstone|redumbrella|rehab|reise|reisen|reit|ren|rent|rentals|repair|report|republican|rest|restaurant|review|reviews|rexroth|rich|
richardli|ricoh|rightathome|rio|rip|ro|rocher|rocks|rodeo|room|rs|rsvp|ru|ruhr|run|rw|rwe|ryukyu|sa|saarland|safe|safety|sakura|sale|salon|samsung|sandvik|sandvikcoromant|sanofi|sap|sapo|sarl|sas|save|saxo|sb|sbi|sbs|sc|sca|scb|schaeffler|schmidt|scholarships|school|schule|schwarz|science|scjohnson|scor|scot|sd|se|seat|security|seek|select|sener|services|ses|seven|sew|sex|sexy|sfr|sg|sh|shangrila|sharp|shaw|shell|shia|shiksha|shoes|shop|shopping|shouji|show|showtime|shriram|si|silk|sina|singles|site|sj|sk|ski|skin|sky|skype|sl|sm|smart|smile|sn|sncf|so|soccer|social|softbank|software|sohu|solar|solutions|song|sony|soy|space|spiegel|spot|spreadbetting|sr|srl|srt|st|stada|staples|star|starhub|statebank|statefarm|statoil|stc|stcgroup|stockholm|storage|store|stream|studio|study|style|su|sucks|supplies|supply|support|surf|surgery|suzuki|sv|swatch|swiftcover|swiss|sx|sy|sydney|symantec|systems|sz|tab|taipei|talk|taobao|target|tatamotors|tatar|tattoo|tax|taxi|tc|tci|td|tdk|team|tech|technology|tel|telecity|telefonica|temasek|tennis|teva|tf|tg|th|thd|theater|theatre|tiaa|tickets|tienda|tiffany|tips|tires|tirol|tj|tjmaxx|tjx|tk|tkmaxx|tl|tm|tmall|tn|to|today|tokyo|tools|top|toray|toshiba|total|tours|town|toyota|toys|tr|trade|trading|training|travel|travelchannel|travelers|travelersinsurance|trust|trv|tt|tube|tui|tunes|tushu|tv|tvs|tw|tz|ua|ubs|uconnect|ug|uk|unicom|university|uno|uol|ups|uy|uz|va|vacations|vana|vc|ve|vegas|ventures|verisign|versicherung|vet|vg|vi|viajes|video|vig|viking|villas|vin|vip|virgin|visa|vision|vista|vistaprint|viva|vivo|vlaanderen|vn|vodka|volkswagen|vote|voting|voto|voyage|vu|vuelos|wales|walter|wang|wanggou|warman|watch|watches|weather|weatherchannel|webcam|weber|website|wed|wedding|weibo|weir|wf|whoswho|wien|wiki|williamhill|win|windows|wine|winners|wme|wolterskluwer|woodside|work|works|world|ws|wtc|wtf|xbox|xerox|xfinity|xihuan|xin|xperia|xxx|xyz|yachts|yahoo|yamaxun|yandex|ye|yodobashi|yoga|yokohama|you|youtube|yt|yun|za|zappos|zara|zero|zip|
zippo|zm|zone|zuerich|zw| completed
TLD analysis. completed
Finalizing TLD... completed
Original  Matches  Removed  Final
77733     12903    45245    32488
Validating database... completed [ 08/03/17 11:30:24 ]
DNSBL enabled FAIL - restoring Unbound conf
[1501774224] unbound-checkconf[17900:0] error: local-data in redirect zone must reside at top of zone, not at 254.111.111.200.in-addr.arpa. PTR pfSense01.whatever.domain
[1501774224] unbound-checkconf[17900:0] fatal error: failed local-zone, local-data configuration
This is a bit of an "unusual" config because my client has a local subnet NAT'd that's using a public IP LOL…their local subnet is 200.111.111.0/24. I suspect this is borking the unbound-check.
Thoughts?
-
OK!
Chatted with BBCan <– donate $$$ to that guy!
He suggested I pare down my TLD list and he was right. I'm digging through it now. Once I just listed the "aaa" TLD it passed validation:
Executing TLD
Blocking full TLD/Sub-Domain(s)... |aaa| completed
TLD analysis. completed
Finalizing TLD... completed
----------------------------------------
Original  Matches  Removed  Final
----------------------------------------
77733     16642    35594    42139
----------------------------------------
Validating database... completed [ 08/03/17 12:27:06 ]
Reloading Unbound.... completed
DNSBL update [ 42139 | PASSED ]... completed [ 08/03/17 12:27:08 ]
-
I figured this out.
In my TLD I'm blocking "arpa"…so when unbound tries to "validate" the TLDs I guess it gets blocked from doing a reverse lookup and it returns a block on the reverse lookup because it ends in ".arpa" LOL.
I'll have to remove .arpa from my TLD block I guess. I don't want to though. If you're doing local DNS resolution for reverse lookups it will work because it'll look at your local servers for the answer and they'll answer it...they won't ever ask unbound on PFSense for this answer. You'd only have a problem with the .arpa TLD if you used PFSense / Unbound as your sole DNS server. That's not my case.
Thanks! Hope this helps someone!
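As an added example (not code from this thread, pfSense or pfBlockerNG), here is a small Python pre-flight check that reads an unbound local-zone/local-data fragment in the format shown in the first post's cat output and reports the two conditions unbound-checkconf rejected in this thread: duplicate local-zone declarations (the "doubled" pfb_dnsbl.conf), and local-data that sits below the apex of a redirect zone, which is what happens when the arpa TLD is redirected while a PTR record for a host under in-addr.arpa is also present. The config text inside is a constructed sample assembled from the zone names, address and hostname quoted in the posts above, not a real pfb_dnsbl.conf or a real pfSense-generated file.

```python
"""Pre-flight checker for unbound local-zone / local-data fragments.

Added example for this thread, not part of pfBlockerNG or pfSense.
Mirrors two unbound-checkconf failures:
  1. "warning: duplicate local-zone"  - the same zone declared twice
  2. "error: local-data in redirect zone must reside at top of zone"
     - e.g. a PTR for 254.111.111.200.in-addr.arpa while "arpa" is redirected
"""
import re
from collections import Counter

# Constructed sample input (not a real pfb_dnsbl.conf): "vg" is declared
# twice, and the "arpa" redirect swallows a host's reverse-lookup PTR record.
SAMPLE_CONF = """\
local-zone: "vg" redirect
local-data: "vg 60 IN A 10.10.10.1"
local-zone: "vg" redirect
local-data: "vg 60 IN A 10.10.10.1"
local-zone: "vi" redirect
local-data: "vi 60 IN A 10.10.10.1"
local-zone: "arpa" redirect
local-data: "arpa 60 IN A 10.10.10.1"
local-data: "254.111.111.200.in-addr.arpa. PTR pfSense01.whatever.domain"
"""

ZONE_RE = re.compile(r'^\s*local-zone:\s*"([^"]+)"\s+(\S+)')
DATA_RE = re.compile(r'^\s*local-data:\s*"([^"\s]+)')


def norm(name):
    """Lower-case and drop the trailing dot so "arpa." and "arpa" compare equal."""
    return name.lower().rstrip(".")


def parse(conf_text):
    """Return ([(zone, type), ...] in file order, [owner, ...]) from the fragment."""
    zones, data = [], []
    for line in conf_text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zones.append((norm(m.group(1)), m.group(2).lower()))
            continue
        m = DATA_RE.match(line)
        if m:
            data.append(norm(m.group(1)))
    return zones, data


def duplicate_zones(zones):
    """Zone names declared more than once (unbound warns 'duplicate local-zone')."""
    counts = Counter(name for name, _ in zones)
    return sorted(name for name, count in counts.items() if count > 1)


def enclosing_redirect_zone(owner, redirect_zones):
    """Longest redirect zone that equals the owner or is a parent of it."""
    labels = owner.split(".")
    for i in range(len(labels)):           # full name first, then each parent
        candidate = ".".join(labels[i:])
        if candidate in redirect_zones:
            return candidate
    return None


def misplaced_redirect_data(zones, data):
    """(owner, zone) pairs where local-data sits *below* a redirect zone's apex.

    unbound-checkconf rejects these with
    'local-data in redirect zone must reside at top of zone'.
    """
    redirect_zones = {name for name, ztype in zones if ztype == "redirect"}
    problems = []
    for owner in data:
        zone = enclosing_redirect_zone(owner, redirect_zones)
        if zone is not None and owner != zone:
            problems.append((owner, zone))
    return problems


def check(conf_text):
    """Run both checks over one config fragment and return the findings."""
    zones, data = parse(conf_text)
    return {
        "duplicate_zones": duplicate_zones(zones),
        "misplaced_data": misplaced_redirect_data(zones, data),
    }


if __name__ == "__main__":
    report = check(SAMPLE_CONF)
    for name in report["duplicate_zones"]:
        print(f'warning: duplicate local-zone "{name}"')
    for owner, zone in report["misplaced_data"]:
        print(f'error: local-data "{owner}" is below the apex of redirect zone "{zone}"')
```

To use it on a real box, read /var/unbound/pfb_dnsbl.conf together with the main unbound.conf it is included from and pass the combined text to check(); the PTR record in the thread comes from pfSense's own host entries rather than from the DNSBL file, so checking the DNSBL fragment alone will not reproduce the second error. unbound-checkconf stays the authority; this only surfaces the two patterns before a GUI save fails.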