4. DNSBL stops working when pfsense is a forwarder

DNSBL stops working when pfsense is a forwarder

  • N

    So, here's my current configuration:

    1: MS AD/DNS/DHCP server
    2: pfSense gateway/firewall/ubound/pfblockerng
    3: Cloudflare DNS/HTTPS server

    • All incoming/outgoing DNS is blocked on all gateways. Only HTTPS traffic is allowed to escape. Internal DNS (port 53) is allowed.
    • I've had pfSense be the main DNS server but things like reverse DNS, AD Integrated DNS, dynamic secure updates, etc… end up having issues. So it's best if I leave the MS AD/DNS/DHCP server as the main.

    Here's a sketch for some visuals.
    https://i.imgur.com/njamQSx.png

    I currently have pfsense set as the only forwarder for MS DNS and the DoH host is set as a forwarder on unbound. I'm hoping that DNS requests that aren't related to the domain are pulled from DoH, filtered through pfblockerng/dnsbl, and delivered to the clients. But this is where it all goes wrong…. I am resolving DNS requests as expected and after doing packet captures I see that pfsense is indeed working with DoH to resolve non-authoritative queries. But pfblockerng/dnsbl just sits there and drools. I don't see any ads being blocked, nothing in pfblockerng alerts, etc…

    * I'm not too worried about performance. Once you hit a site, it's cached. Next queries are almost instant.

    Here's my config (LAN IPs have been obfuscated. They are actually in the 10.100.0.0/16 range):

    
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:

chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 2
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 1
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# Interface IP(s) to bind to
interface: 10.10.10.1
interface: 2602:xxxx:xxxx:xxxx::1
interface: 127.0.0.1
interface: ::1

# Outgoing interfaces to be used
outgoing-interface: 10.10.10.1
outgoing-interface: 2602:xxxx:xxxx:xxxx::1
outgoing-interface: 127.0.0.1
outgoing-interface: ::1

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 169.254.0.0/16
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf

forward-zone:
      name: "example.org"
      forward-addr: 10.10.10.20
      forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

forward-zone:
      name: "."
      forward-addr: 10.10.10.35
      forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
    0
  • P

    You have to choose DNS resolver and then check forwarding. If you choose DNS Forwarder, you dont use unbound but dnsmasq.

    pfadmin

    0
  • N

    I'm using the DNS resolver already. And instead of checking the forward box, I've specified custom forward parameters.

    0

  • Did you change DNSBL VIP? By default it's 10.10.10.1.

    0
  • N

    Nope, still the default. And I've configured the firewall rules. If I browse to the ip, I see the 1x1 pixel gif.

    0

  • Virtual IP Address

    This address should be in an Isolated Range that is not used in your Network.
    Rejected DNS Requests will be forwarded to this VIP (Virtual IP)
    RFC1918 Compliant - (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
    Changes to the DNSBL VIP will require a Force Reload - DNSBL to take effect.

    0
    N
     1 Reply
  • N

    @ronpfs Oh, that is actually not a problem. I changed all the IPs in the config to 10.10.10.x for obfuscation. My LAN/VLANs all use the 10.100.0.0/16 range. So the VIP being on 10.10.10.1 isn't an issue.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy