DNSBL (DEV) Stopped working after 2.4.4 upgrade



  • Hello!
    Just did an update of our HA pair to 2.4.4 (from 2.4.3), running pfBlockerNG_dev.
    After the update, the pfBlocker IP lists seem to be working, but no DNS filtering is being done.
    The Resolver seems to be working, as I can see requests being made to the external DNS forwarder IPs. (The forwarder is using TLS to the external DNS IPs, if that helps, but this was set prior to the upgrade.)
    There are no DNS alerts in the firewall either, and testing a DNS entry from one of the lists will load in the browser.
    pfBlocker was uninstalled and reinstalled on both systems. Services look fine.
    Thanks in advance!


  • Moderator

    @vito

    If you run a Force Reload - All, do you get any errors?

    Check the pfSense system/resolver logs for any other clues.

    Also make sure that your LAN devices are pointing their DNS settings to pfSense only.

    It's not a good idea to load these domains in a browser, just in case you load a malicious one. Best to run a ping or host command. If it replies back with the DNSBL VIP, then it's being blocked.

    host -t A example.com


  • @bbcan177

    Thanks for the reply
    A reload is downloading lists; no errors besides some list downloads (had them before).
    Devices are pointing to pfSense. No other device/network changes were made other than the 2.4.4 update.

    Yeah, testing was on a test machine...noted ;)

    In the resolver logs at this time:

    Sep 30 14:46:45 unbound 55165:0 notice: failed connection from 127.0.0.1 port 26470
    Sep 30 14:46:45 unbound 55165:0 error: remote control failed ssl crypto error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
    Sep 30 14:46:50 unbound 55165:0 error: remote control connection closed prematurely

    The cert error: for testing I removed any TLS settings and still get this.
    The localhost error may be new, from what I can see.

    Thanks!!



  • The dnsbl.log seems to be empty ("log file empty or does not exist").
    The dnsbl parsed error log is current.



  • I was able to get the DNS resolver errors above corrected with this post:
    https://forum.netgate.com/topic/106011/solved-pfblockerng-reloading-unbound-fails/11

    After the above, resetting the Resolver settings (just clearing all settings, then adding back the same settings) and a reboot, it appears to be working again.

    Thanks for the help!