DNSBL stops working when pfsense is a forwarder
-
So, here's my current configuration:
1: MS AD/DNS/DHCP server
2: pfSense gateway/firewall/ubound/pfblockerng
3: Cloudflare DNS/HTTPS server- All incoming/outgoing DNS is blocked on all gateways. Only HTTPS traffic is allowed to escape. Internal DNS (port 53) is allowed.
- I've had pfSense be the main DNS server but things like reverse DNS, AD Integrated DNS, dynamic secure updates, etc… end up having issues. So it's best if I leave the MS AD/DNS/DHCP server as the main.
Here's a sketch for some visuals.
https://i.imgur.com/njamQSx.pngI currently have pfsense set as the only forwarder for MS DNS and the DoH host is set as a forwarder on unbound. I'm hoping that DNS requests that aren't related to the domain are pulled from DoH, filtered through pfblockerng/dnsbl, and delivered to the clients. But this is where it all goes wrong…. I am resolving DNS requests as expected and after doing packet captures I see that pfsense is indeed working with DoH to resolve non-authoritative queries. But pfblockerng/dnsbl just sits there and drools. I don't see any ads being blocked, nothing in pfblockerng alerts, etc…
* I'm not too worried about performance. Once you hit a site, it's cached. Next queries are almost instant.
Here's my config (LAN IPs have been obfuscated. They are actually in the 10.100.0.0/16 range):
########################## # Unbound Configuration ########################## ## # Server configuration ## server: chroot: /var/unbound username: "unbound" directory: "/var/unbound" pidfile: "/var/run/unbound.pid" use-syslog: yes port: 53 verbosity: 2 hide-identity: yes hide-version: yes harden-glue: yes do-ip4: yes do-ip6: yes do-udp: yes do-tcp: yes do-daemonize: yes module-config: "validator iterator" unwanted-reply-threshold: 0 num-queries-per-thread: 512 jostle-timeout: 200 infra-host-ttl: 900 infra-cache-numhosts: 10000 outgoing-num-tcp: 10 incoming-num-tcp: 10 edns-buffer-size: 4096 cache-max-ttl: 86400 cache-min-ttl: 0 harden-dnssec-stripped: yes msg-cache-size: 4m rrset-cache-size: 8m num-threads: 1 msg-cache-slabs: 4 rrset-cache-slabs: 4 infra-cache-slabs: 4 key-cache-slabs: 4 outgoing-range: 4096 #so-rcvbuf: 4m auto-trust-anchor-file: /var/unbound/root.key prefetch: yes prefetch-key: yes use-caps-for-id: no serve-expired: no # Statistics # Unbound Statistics statistics-interval: 0 extended-statistics: yes statistics-cumulative: yes # Interface IP(s) to bind to interface: 10.10.10.1 interface: 2602:xxxx:xxxx:xxxx::1 interface: 127.0.0.1 interface: ::1 # Outgoing interfaces to be used outgoing-interface: 10.10.10.1 outgoing-interface: 2602:xxxx:xxxx:xxxx::1 outgoing-interface: 127.0.0.1 outgoing-interface: ::1 # DNS Rebinding # For DNS Rebinding prevention private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 169.254.0.0/16 private-address: 192.168.0.0/16 private-address: fd00::/8 private-address: fe80::/10 # Access lists include: /var/unbound/access_lists.conf # Static host entries include: /var/unbound/host_entries.conf # dhcp lease entries include: /var/unbound/dhcpleases_entries.conf # Domain overrides include: /var/unbound/domainoverrides.conf # Unbound custom options server:include: /var/unbound/pfb_dnsbl.*conf forward-zone: name: "example.org" forward-addr: 10.10.10.20 forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx forward-zone: name: "." forward-addr: 10.10.10.35 forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx ### # Remote Control Config ### include: /var/unbound/remotecontrol.conf -
You have to choose DNS resolver and then check forwarding. If you choose DNS Forwarder, you dont use unbound but dnsmasq.
pfadmin
-
I'm using the DNS resolver already. And instead of checking the forward box, I've specified custom forward parameters.
-
Did you change DNSBL VIP? By default it's 10.10.10.1.
-
Nope, still the default. And I've configured the firewall rules. If I browse to the ip, I see the 1x1 pixel gif.
-
Virtual IP Address
This address should be in an Isolated Range that is not used in your Network.
Rejected DNS Requests will be forwarded to this VIP (Virtual IP)
RFC1918 Compliant - (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Changes to the DNSBL VIP will require a Force Reload - DNSBL to take effect. -
@ronpfs Oh, that is actually not a problem. I changed all the IPs in the config to 10.10.10.x for obfuscation. My LAN/VLANs all use the 10.100.0.0/16 range. So the VIP being on 10.10.10.1 isn't an issue.
