DNSBL stops working when pfSense is a forwarder



  • So, here's my current configuration:

    1: MS AD/DNS/DHCP server
    2: pfSense gateway/firewall/Unbound/pfBlockerNG
    3: Cloudflare DNS/HTTPS server

    • All incoming/outgoing DNS is blocked on all gateways. Only HTTPS traffic is allowed to escape. Internal DNS (port 53) is allowed.
    • I've had pfSense be the main DNS server but things like reverse DNS, AD Integrated DNS, dynamic secure updates, etc… end up having issues. So it's best if I leave the MS AD/DNS/DHCP server as the main.

    Here's a sketch for some visuals.
    https://i.imgur.com/njamQSx.png

    I currently have pfSense set as the only forwarder for MS DNS and the DoH host is set as a forwarder on Unbound. I'm hoping that DNS requests that aren't related to the domain are pulled from DoH, filtered through pfBlockerNG/DNSBL, and delivered to the clients. But this is where it all goes wrong…. I am resolving DNS requests as expected and after doing packet captures I see that pfSense is indeed working with DoH to resolve non-authoritative queries. But pfBlockerNG/DNSBL just sits there and drools. I don't see any ads being blocked, nothing in pfBlockerNG alerts, etc…

    * I'm not too worried about performance. Once you hit a site, it's cached. Next queries are almost instant.

    Here's my config (LAN IPs have been obfuscated. They are actually in the 10.100.0.0/16 range):

    
    ##########################
    # Unbound Configuration
    ##########################
    
    ##
    # Server configuration
    ##
    server:
    
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 2
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    # No "python" module in the chain, so DNSBL answers can only come from the
    # local-zone/local-data include further down, not from pfBlockerNG's python mode
    module-config: "validator iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 512
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m
    
    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 4096
    #so-rcvbuf: 4m
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: no
    serve-expired: no
    # Statistics
    # Unbound Statistics
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    
    # Interface IP(s) to bind to
    interface: 10.10.10.1
    interface: 2602:xxxx:xxxx:xxxx::1
    interface: 127.0.0.1
    interface: ::1
    
    # Outgoing interfaces to be used
    outgoing-interface: 10.10.10.1
    outgoing-interface: 2602:xxxx:xxxx:xxxx::1
    outgoing-interface: 127.0.0.1
    outgoing-interface: ::1
    
    # DNS Rebinding
    # For DNS Rebinding prevention: A/AAAA records inside these ranges are stripped
    # from answers fetched through the forwarders below. Local-zone/local-data
    # answers (such as the DNSBL VIP) are served before that check and are not affected.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    
    # Access lists
    include: /var/unbound/access_lists.conf
    
    # Static host entries
    include: /var/unbound/host_entries.conf
    
    # dhcp lease entries
    include: /var/unbound/dhcpleases_entries.conf
    
    # Domain overrides
    include: /var/unbound/domainoverrides.conf
    
    # Unbound custom options (pfBlockerNG DNSBL: local-zone/local-data include;
    # these entries are answered before any forward-zone is consulted)
    server:include: /var/unbound/pfb_dnsbl.*conf
    
    # Queries for the AD domain go to the AD-integrated DNS server
    forward-zone:
          name: "example.org"
          forward-addr: 10.10.10.20
          forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    
    # Catch-all: anything not matched by a more specific forward-zone goes to the
    # DoH host (Unbound picks the zone by longest-suffix match on the query name)
    forward-zone:
          name: "."
          forward-addr: 10.10.10.35
          forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    
    ###
    # Remote Control Config
    ###
    include: /var/unbound/remotecontrol.conf
    
    


  • You have to choose DNS Resolver and then check forwarding. If you choose DNS Forwarder, you don't use Unbound but dnsmasq.

    pfadmin



  • I'm using the DNS resolver already. And instead of checking the forward box, I've specified custom forward parameters.



  • Did you change DNSBL VIP? By default it's 10.10.10.1.



  • Nope, still the default. And I've configured the firewall rules. If I browse to the IP, I see the 1x1 pixel GIF.



  • Virtual IP Address

    This address should be in an Isolated Range that is not used in your Network.
    Rejected DNS Requests will be forwarded to this VIP (Virtual IP)
    RFC1918 Compliant - (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
    Changes to the DNSBL VIP will require a Force Reload - DNSBL to take effect.



  • @ronpfs Oh, that is actually not a problem. I changed all the IPs in the config to 10.10.10.x for obfuscation. My LAN/VLANs all use the 10.100.0.0/16 range. So the VIP being on 10.10.10.1 isn't an issue.
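The following is an added example, not part of the thread and not pfSense or pfBlockerNG code. It models the two Unbound rules that decide the answer path for a query under the config posted in the first post and the VIP discussion above: local-zone/local-data entries (what the pfb_dnsbl include supplies in Unbound mode) are served before the cache, the modules and any forward-zone, so they also never reach the private-address scrub; otherwise the forward-zone whose name is the longest suffix of the query wins, with "." as the catch-all. The config excerpt and the DNSBL lines in the block are constructed for the demo; the DNSBL lines assume pfBlockerNG's local-zone "redirect" plus local-data style (an assumption), with the VIP 10.10.10.1 as in the thread.

```python
"""Where does Unbound send a query under the posted config?

Added example, not from the forum post and not pfSense/pfBlockerNG code.
Two rules are modelled:
  1. local-zone/local-data (the pfb_dnsbl include in Unbound mode) answers
     before any forward-zone is consulted and before private-address scrubbing;
  2. otherwise the forward-zone with the longest matching suffix wins, and
     the "." zone catches everything else.
"""
import ipaddress
import re

# Constructed excerpt of the posted config (IPs as obfuscated in the thread).
UNBOUND_CONF = """\
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    server:include: /var/unbound/pfb_dnsbl.*conf
forward-zone:
    name: "example.org"
    forward-addr: 10.10.10.20
forward-zone:
    name: "."
    forward-addr: 10.10.10.35
"""

# Constructed stand-in for what the include pulls in (assumed format);
# the VIP 10.10.10.1 matches the thread.
PFB_DNSBL_CONF = """\
local-zone: "ads.example.net" redirect
local-data: "ads.example.net 60 IN A 10.10.10.1"
local-zone: "tracker.example.com" redirect
local-data: "tracker.example.com 60 IN A 10.10.10.1"
"""


def parse_forward_zones(conf):
    """Map forward-zone name -> list of forward-addr values."""
    zones, name, in_fz = {}, None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("#"):   # clause header
            in_fz = line == "forward-zone:"
            name = None
            continue
        if not in_fz:
            continue
        key, _, val = line.partition(":")
        val = val.strip().strip('"')
        if key == "name":
            name = val.rstrip(".") or "."        # "." is the catch-all zone
            zones[name] = []
        elif key == "forward-addr" and name is not None:
            zones[name].append(val)
    return zones


def parse_local_zones(conf):
    """Map local-zone name -> type, and owner name -> [(rrtype, rdata)]."""
    zones, data = {}, {}
    for line in conf.splitlines():
        m = re.match(r'\s*local-zone:\s*"([^"]+)"\s+(\S+)', line)
        if m:
            zones[m.group(1).rstrip(".").lower()] = m.group(2)
            continue
        m = re.match(r'\s*local-data:\s*"([^"]+)"', line)
        if m:
            fields = m.group(1).split()          # owner [ttl] [class] type rdata
            owner = fields[0].rstrip(".").lower()
            data.setdefault(owner, []).append((fields[-2], fields[-1]))
    return zones, data


def longest_suffix(qname, names):
    """Unbound picks the zone whose name is the longest suffix of the query."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return "." if "." in names else None


def resolve_path(qname, conf=UNBOUND_CONF, dnsbl=PFB_DNSBL_CONF):
    """("local", zone, [A rdata]) when local data answers the query, else
    ("forward", zone, [forwarders]) for the forward-zone Unbound would use."""
    local_zones, local_data = parse_local_zones(dnsbl)
    zone = longest_suffix(qname, local_zones)
    if zone is not None:
        if local_zones[zone] != "redirect":
            raise NotImplementedError(f"local-zone type {local_zones[zone]} not modelled")
        # "redirect" answers the apex data for the name and everything under it
        answers = [rd for rt, rd in local_data.get(zone, []) if rt == "A"]
        return ("local", zone, answers)
    forwards = parse_forward_zones(conf)
    zone = longest_suffix(qname, forwards)
    return ("forward", zone, forwards.get(zone, []))


def private_ranges(conf=UNBOUND_CONF):
    return [ipaddress.ip_network(line.split(":", 1)[1].strip())
            for line in conf.splitlines() if line.strip().startswith("private-address:")]


def survives_rebind_scrub(path, answer_ip, conf=UNBOUND_CONF):
    """private-address scrubbing applies to answers fetched upstream by the
    iterator; locally served answers never reach that check."""
    if path == "local":
        return True
    ip = ipaddress.ip_address(answer_ip)
    return not any(ip in net for net in private_ranges(conf))


if __name__ == "__main__":
    for name in ("ads.example.net", "sub.tracker.example.com",
                 "dc1.example.org", "www.example.com"):
        path, zone, detail = resolve_path(name)
        print(f"{name:26} -> {path:7} zone={zone!r} {detail}")
```

To compare the model with the running box, `unbound-control -c /var/unbound/unbound.conf list_local_zones`, `list_local_data` and `list_forwards` (config path as in the post; the remotecontrol.conf include means the control socket is configured) show what Unbound actually loaded, and `dig +short <a-listed-domain> @<pfSense LAN IP>` against `dig +short <a-listed-domain> @<AD DNS IP>` shows whether the VIP answer survives the hop through the MS forwarder.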