Netgate Discussion Forum
    DNSBL stops working when pfsense is a forwarder

    nathan.snow (last edited by nathan.snow)

      So, here's my current configuration:

      1: MS AD/DNS/DHCP server
      2: pfSense gateway/firewall/unbound/pfblockerng
      3: Cloudflare DNS/HTTPS server

      • All incoming/outgoing DNS is blocked on all gateways. Only HTTPS traffic is allowed to escape. Internal DNS (port 53) is allowed.
      • I've had pfSense be the main DNS server but things like reverse DNS, AD Integrated DNS, dynamic secure updates, etc… end up having issues. So it's best if I leave the MS AD/DNS/DHCP server as the main.

      Here's a sketch for some visuals.
      https://i.imgur.com/njamQSx.png

      I currently have pfsense set as the only forwarder for MS DNS and the DoH host is set as a forwarder on unbound. I'm hoping that DNS requests that aren't related to the domain are pulled from DoH, filtered through pfblockerng/dnsbl, and delivered to the clients. But this is where it all goes wrong… I am resolving DNS requests as expected and after doing packet captures I see that pfsense is indeed working with DoH to resolve non-authoritative queries. But pfblockerng/dnsbl just sits there and drools. I don't see any ads being blocked, nothing in pfblockerng alerts, etc…

      * I'm not too worried about performance. Once you hit a site, it's cached. Next queries are almost instant.

      Here's my config (LAN IPs have been obfuscated. They are actually in the 10.100.0.0/16 range):

      
      ##########################
      # Unbound Configuration
      ##########################
      
      ##
      # Server configuration
      ##
      server:
      
      chroot: /var/unbound
      username: "unbound"
      directory: "/var/unbound"
      pidfile: "/var/run/unbound.pid"
      use-syslog: yes
      port: 53
      verbosity: 2
      hide-identity: yes
      hide-version: yes
      harden-glue: yes
      do-ip4: yes
      do-ip6: yes
      do-udp: yes
      do-tcp: yes
      do-daemonize: yes
      module-config: "validator iterator"
      unwanted-reply-threshold: 0
      num-queries-per-thread: 512
      jostle-timeout: 200
      infra-host-ttl: 900
      infra-cache-numhosts: 10000
      outgoing-num-tcp: 10
      incoming-num-tcp: 10
      edns-buffer-size: 4096
      cache-max-ttl: 86400
      cache-min-ttl: 0
      harden-dnssec-stripped: yes
      msg-cache-size: 4m
      rrset-cache-size: 8m
      
      num-threads: 1
      msg-cache-slabs: 4
      rrset-cache-slabs: 4
      infra-cache-slabs: 4
      key-cache-slabs: 4
      outgoing-range: 4096
      #so-rcvbuf: 4m
      auto-trust-anchor-file: /var/unbound/root.key
      prefetch: yes
      prefetch-key: yes
      use-caps-for-id: no
      serve-expired: no
      # Statistics
      # Unbound Statistics
      statistics-interval: 0
      extended-statistics: yes
      statistics-cumulative: yes
      
      # Interface IP(s) to bind to
      interface: 10.10.10.1
      interface: 2602:xxxx:xxxx:xxxx::1
      interface: 127.0.0.1
      interface: ::1
      
      # Outgoing interfaces to be used
      outgoing-interface: 10.10.10.1
      outgoing-interface: 2602:xxxx:xxxx:xxxx::1
      outgoing-interface: 127.0.0.1
      outgoing-interface: ::1
      
      # DNS Rebinding
      # For DNS Rebinding prevention
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 169.254.0.0/16
      private-address: 192.168.0.0/16
      private-address: fd00::/8
      private-address: fe80::/10
      
      # Access lists
      include: /var/unbound/access_lists.conf
      
      # Static host entries
      include: /var/unbound/host_entries.conf
      
      # dhcp lease entries
      include: /var/unbound/dhcpleases_entries.conf
      
      # Domain overrides
      include: /var/unbound/domainoverrides.conf
      
      # Unbound custom options
      server:include: /var/unbound/pfb_dnsbl.*conf
      
      forward-zone:
            name: "example.org"
            forward-addr: 10.10.10.20
            forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
      
      forward-zone:
            name: "."
            forward-addr: 10.10.10.35
            forward-addr: 2602:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
      
      ###
      # Remote Control Config
      ###
      include: /var/unbound/remotecontrol.conf
      
      
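One way to see where the DNSBL answer is lost in the chain described above (client → MS DNS → unbound on pfSense → DoH) is to ask each resolver directly for a domain that is on your DNSBL feed and check whether the reply is the DNSBL VIP. The script below is an added example, not pfSense or pfBlockerNG code; it uses only the standard library, and the resolver addresses, the VIP (10.10.10.1) and the test domain are assumptions taken from the obfuscated config in the post and must be replaced with your own.

```python
"""Check whether a pfBlockerNG DNSBL sinkhole answer survives the forwarding chain.
Sends a plain UDP A query to each resolver and reports whether the only answer is the VIP."""
import socket
import struct

DNSBL_VIP = "10.10.10.1"   # assumed: pfBlockerNG DNSBL VIP (the thread's default)
RESOLVERS = {              # assumed from the thread's obfuscated config
    "unbound on pfSense": "10.10.10.1",
    "MS AD DNS": "10.10.10.20",
}

def build_query(name, txid=0x1234):
    """Minimal recursive-desired A query for name (class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """Return (rcode, [IPv4 answers]) from a DNS response; CNAMEs etc. are skipped."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def is_sinkholed(addrs, vip=DNSBL_VIP):
    """DNSBL acted on the name only if the VIP is the sole A answer."""
    return addrs == [vip]

def query(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

if __name__ == "__main__":
    name = "ads.example.invalid"   # constructed placeholder: use a domain on your DNSBL feed
    for label, server in RESOLVERS.items():
        rcode, addrs = query(server, name)
        print(f"{label} ({server}): rcode={rcode} answers={addrs} sinkholed={is_sinkholed(addrs)}")
```

If unbound returns the VIP but the MS DNS server returns the real address, the sinkhole is being bypassed or cached upstream of pfSense; if unbound itself returns the real address, the DNSBL include is not taking effect.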
      pfadmin

        You have to choose DNS resolver and then check forwarding. If you choose DNS Forwarder, you don't use unbound but dnsmasq.

        pfadmin

        nathan.snow

          I'm using the DNS resolver already. And instead of checking the forward box, I've specified custom forward parameters.

          RonpfS

            Did you change DNSBL VIP? By default it's 10.10.10.1.

            2.4.5-RELEASE-p1 (amd64)
            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

            nathan.snow

              Nope, still the default. And I've configured the firewall rules. If I browse to the IP, I see the 1x1 pixel gif.

              RonpfS

                Virtual IP Address

                This address should be in an Isolated Range that is not used in your Network.
                Rejected DNS Requests will be forwarded to this VIP (Virtual IP)
                RFC1918 Compliant - (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
                Changes to the DNSBL VIP will require a Force Reload - DNSBL to take effect.


                nathan.snow (replying to RonpfS)

                  @ronpfs Oh, that is actually not a problem. I changed all the IPs in the config to 10.10.10.x for obfuscation. My LAN/VLANs all use the 10.100.0.0/16 range. So the VIP being on 10.10.10.1 isn't an issue.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.