Netgate Discussion Forum
    DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled

    pfBlockerNG
    10 Posts 2 Posters 1.2k Views

    gogglespisano:

      I have 2.4.4-2 with pfBlockerNG-devel 2.2.5_21.

      Unbound is my LAN DNS resolver and BIND is the WAN DNS (LAN accessible through a specific virtual IP).

      When I enable DNSBL and force an update, I lose access to either DNS from the LAN side. Using the DNS Lookup in pfSense, DNS resolves correctly.

      I don't see any new firewall rules, and I can't find any failures in the log. When I disable DNSBL and force an update, LAN DNS starts working again.

      Where can I find what firewall/config changes DNSBL makes when it's enabled?

    gogglespisano:

        When I diff the config I see two rules added; however, they do not appear on any interface in the firewall rules, and the update output says there were no changes to firewall rules??

        There's also a virtual IP added, which I do see.

        server:include: /var/unbound/pfb_dnsbl.*conf is added to Unbound custom options.
        /var/unbound/pfb_dnsbl.conf exists, but is empty.
        There is /var/unbound/pfb_dnsbl_lighty.conf which does reference the DNSBL web server,
        but that file doesn't match the wildcard path.

        UPDATE PROCESS START [ 01/27/19 13:32:00 ]

        ===[ DNSBL Process ]================================================

        Loading DNSBL Statistics... completed
        Loading DNSBL Whitelist... completed

        Saving DNSBL database... completed

        Clearing all DNSBL Feeds
        Configuring DNSBL... completed
        Reloading Unbound Resolver..... completed [ 01/27/19 13:32:02 ]
        DNSBL update [ 0 | PASSED ]... completed
        Adding DNSBL Unbound server:include option

        Saving new DNSBL web server configuration to port [ 7080 and 7443 ]
        Saving DNSBL config changes.VIP address configured. Widget Packet statistics reset.

        Restarting DNSBL Service

        ===[ GeoIP Process ]============================================

        [ pfB_Top_v4 ] exists. [ 01/27/19 13:32:13 ]
        [ pfB_Africa_v4 ] exists.
        [ pfB_Antarctica_v4 ] exists.
        [ pfB_Asia_v4 ] exists. [ 01/27/19 13:32:14 ]
        [ pfB_Europe_v4 ] exists.
        [ pfB_NAmerica_v4 ] exists. [ 01/27/19 13:32:15 ]
        [ pfB_Oceania_v4 ] exists.
        [ pfB_SAmerica_v4 ] exists.

        ===[ IPv4 Process ]=================================================

        [ Spamhaus_DROP_v4 ] exists.
        [ Spamhaus_EDROP_v4 ] exists.
        [ Emerging_Threats_v4 ] exists.

        ===[ Aliastables / Rules ]==========================================

        No changes to Firewall rules, skipping Filter Reload
        No Changes to Aliases, Skipping pfctl Update

        ** Restarting firewall filter daemon **

        UPDATE PROCESS ENDED [ 01/27/19 13:32:22 ]

        Config changes:
        <rule>
        <source>
        <any></any>
        </source>
        <destination>
        <address>10.13.13.13</address>
        <port>80</port>
        </destination>
        <protocol>tcp</protocol>
        <target>127.0.0.1</target>
        <local-port>7080</local-port>
        <interface>lan</interface>
        <descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
        <associated-rule-id>pass</associated-rule-id>
        <natreflection>purenat</natreflection>
        </rule>
        <rule>
        <source>
        <any></any>
        </source>
        <destination>
        <address>10.13.13.13</address>
        <port>443</port>
        </destination>
        <protocol>tcp</protocol>
        <target>127.0.0.1</target>
        <local-port>7443</local-port>
        <interface>lan</interface>
        <descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
        <associated-rule-id>pass</associated-rule-id>
        <natreflection>purenat</natreflection>
        </rule>
        <vip>
        <interface>lan</interface>
        <descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
        <type>single</type>
        <subnet_bits>32</subnet_bits>
        <subnet>10.13.13.13</subnet>
        <mode>ipalias</mode>
        </vip>

    RonpfS:

          @gogglespisano said in DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled:

          When I enable DNSBL and force an update

          Do you have any DNSBL Group defined?

    gogglespisano:

            I have tried both with no feeds or categories and with a few feeds and categories. Either way, external access to DNS times out if DNSBL is enabled. The DNS Lookup tool still works and shows 0 msec response from localhost and the LAN address.

            I've tried restarting the DNS and pfb services, stopping the pfb services, and removing the custom options in Unbound manually. The only thing that restores DNS is if I disable DNSBL and run a force update.

            I added the enable check for the firewall rules, and that did add a ping and DNS rule, but it didn't help with LAN DNS. I also have a LAN rule permitting all TCP/UDP. There are no other LAN rules or floating rules that block DNS.

    RonpfS:

              @gogglespisano said in DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled:

              DNS is if I disable DNSBL and run force update.

              With DNSBL enabled, what does a Force Update DNSBL log look like?

    gogglespisano:

                I found that I can't access other DNS servers either. All traffic might be blocked, although pfSense can still resolve DNS and I can access the pfSense GUI. I added Pass (All) rules to floating, WAN and LAN at the top of the rules. That didn't help.

                I noticed that traffic fails several seconds after the force update completes, and doesn't restore until several seconds after the force update completes with DNSBL disabled.

                Here is the log.

                UPDATE PROCESS START [ 01/27/19 15:15:56 ]

                ===[ DNSBL Process ]================================================

                Loading DNSBL Statistics... completed
                Loading DNSBL Whitelist... completed

                [ Shallalist_costtraps ] exists.
                [ Shallalist_spyware ] exists.
                [ UT1_ddos ] exists.
                [ UT1_malware ] exists.
                Saving DNSBL database... completed

                Configuring DNSBL... completed
                Reloading Unbound Resolver..... completed [ 01/27/19 15:15:59 ]

                *** DNSBL update [ 0 ] [ 24430 ] ... OUT OF SYNC ! ***
                Adding DNSBL Unbound server:include option
                //------------------------------------------------------------------------
                Saving new DNSBL web server configuration to port [ 7080 and 7443 ]
                Saving DNSBL config changes.VIP address configured. Widget Packet statistics reset.

                Restarting DNSBL Service

                ===[ GeoIP Process ]============================================

                [ pfB_Top_v4 ] exists. [ 01/27/19 15:16:11 ]
                [ pfB_Africa_v4 ] exists.
                [ pfB_Antarctica_v4 ] exists.
                [ pfB_Asia_v4 ] exists.
                [ pfB_Europe_v4 ] exists.
                [ pfB_NAmerica_v4 ] exists. [ 01/27/19 15:16:13 ]
                [ pfB_Oceania_v4 ] exists.
                [ pfB_SAmerica_v4 ] exists.

                ===[ IPv4 Process ]=================================================

                [ Spamhaus_DROP_v4 ] exists.
                [ Spamhaus_EDROP_v4 ] exists.
                [ Emerging_Threats_v4 ] exists.
                ===[ Aliastables / Rules ]================================

                Firewall rule changes found, applying Filter Reload

                ** Restarting firewall filter daemon **

                UPDATE PROCESS ENDED [ 01/27/19 15:16:26 ]

    RonpfS:

                  @gogglespisano said in DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled:

                  [ Shallalist_costtraps ] exists.
                  [ Shallalist_spyware ] exists.
                  [ UT1_ddos ] exists.
                  [ UT1_malware ] exists.

                  It looks like you don't have any DNSBL Group defined. Can you add one group? Go to the Feeds tab and add the small BBcan177 group. Then do another Force Reload DNSBL.

    gogglespisano:

                    I think I found what's triggering the problem, but not why.

                    I manually added the virtual IP address 10.13.13.13 to LAN, and that killed traffic. Deleting it and reloading the filter restores it. My LAN interface address is 172.16.1.1/16.

    gogglespisano:

                        I found the problem. I had a rule that needed the 10.0.0.0 subnet added. When the DNSBL VIP was added, some traffic to pfSense got blocked.

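Added example (not code from the thread or from the pfBlockerNG package): a small Python audit of the config diff posted earlier in the thread, covering the two points the thread turns on. First, the two `<rule>` entries carry `<target>` and `<local-port>`, which are port-forward (NAT) fields in pfSense's config.xml, and `<associated-rule-id>pass</associated-rule-id>` means the NAT entry passes the traffic itself without creating a separate filter rule; that is why they show up under Firewall > NAT rather than on the LAN rules tab. Second, the VIP 10.13.13.13/32 lies outside the 172.16.0.0/16 LAN subnet, so any LAN rule whose permitted destinations stop at the interface subnet will not cover traffic to the DNSBL VIP. The fragment is the posted diff wrapped in a root element so it parses as one document; the LAN subnet and the `ALLOWED_DESTS` list of destination prefixes are constructed assumptions standing in for the poster's rule.

```python
"""Audit a pfBlockerNG DNSBL config fragment: classify its rules and check
whether the DNSBL VIP is reachable under the LAN rule's destination prefixes."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the config diff posted in the thread, wrapped in a
# <fragment> root so ElementTree can parse it. In a real /conf/config.xml the
# port-forward rules live under <nat> and the VIP under <virtualip>.
DNSBL_FRAGMENT = """<fragment>
<rule>
<source><any></any></source>
<destination><address>10.13.13.13</address><port>80</port></destination>
<protocol>tcp</protocol>
<target>127.0.0.1</target>
<local-port>7080</local-port>
<interface>lan</interface>
<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
<associated-rule-id>pass</associated-rule-id>
<natreflection>purenat</natreflection>
</rule>
<rule>
<source><any></any></source>
<destination><address>10.13.13.13</address><port>443</port></destination>
<protocol>tcp</protocol>
<target>127.0.0.1</target>
<local-port>7443</local-port>
<interface>lan</interface>
<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
<associated-rule-id>pass</associated-rule-id>
<natreflection>purenat</natreflection>
</rule>
<vip>
<interface>lan</interface>
<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>10.13.13.13</subnet>
<mode>ipalias</mode>
</vip>
</fragment>"""

# Assumptions: the LAN subnet from the thread (172.16.1.1/16) and a hypothetical
# destination prefix list for the LAN pass rule that, as in the last post,
# covers only the LAN subnet and not the 10.0.0.0 range the VIP sits in.
LAN_SUBNET = ipaddress.ip_network("172.16.0.0/16")
ALLOWED_DESTS = ["172.16.0.0/16"]


def classify_rules(xml_text):
    """One dict per <rule>. A rule with <target> and <local-port> is a
    port-forward (NAT) entry, which pfSense lists under Firewall > NAT, not on
    an interface rules tab; an associated-rule-id of 'pass' means the NAT
    entry passes traffic itself and no separate filter rule is generated."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        is_nat = r.find("target") is not None and r.find("local-port") is not None
        dport = r.findtext("destination/port")
        rules.append({
            "kind": "port-forward" if is_nat else "filter",
            "interface": r.findtext("interface"),
            "dest": r.findtext("destination/address"),
            "dport": int(dport) if dport else None,
            "target": r.findtext("target"),
            "local_port": int(r.findtext("local-port")) if is_nat else None,
            "assoc": r.findtext("associated-rule-id"),
        })
    return rules


def vip_addresses(xml_text):
    """Every <vip> in the fragment as an ip_interface (address/prefix)."""
    root = ET.fromstring(xml_text)
    return [ipaddress.ip_interface(f"{v.findtext('subnet')}/{v.findtext('subnet_bits')}")
            for v in root.findall("vip")]


def audit_vip(vip, lan_subnet, allowed_dests):
    """Findings for one VIP: whether it lies outside the interface's own subnet
    (a second, unrelated network bound to LAN) and whether any permitted
    destination prefix of the LAN rule covers it."""
    findings = []
    if vip.ip not in lan_subnet:
        findings.append(f"VIP {vip.ip} is outside the LAN subnet {lan_subnet}")
    nets = [ipaddress.ip_network(d, strict=False) for d in allowed_dests]
    if not any(vip.ip in n for n in nets):
        findings.append(f"no permitted destination prefix covers {vip.ip}")
    return findings


def run_audit(xml_text=DNSBL_FRAGMENT, lan_subnet=LAN_SUBNET, allowed_dests=ALLOWED_DESTS):
    """Full report: classified rules, VIPs found, and reachability findings."""
    report = {"rules": classify_rules(xml_text), "vips": [], "findings": []}
    for vip in vip_addresses(xml_text):
        report["vips"].append(str(vip))
        report["findings"].extend(audit_vip(vip, lan_subnet, allowed_dests))
    return report


if __name__ == "__main__":
    rep = run_audit()
    for r in rep["rules"]:
        print(f"{r['kind']:13} {r['interface']} {r['dest']}:{r['dport']} "
              f"-> {r['target']}:{r['local_port']} assoc={r['assoc']}")
    for f in rep["findings"]:
        print("FINDING:", f)
    # With the 10.0.0.0/8 prefix added to the rule, only the "outside LAN
    # subnet" observation remains, which is expected for a DNSBL VIP.
    print(run_audit(allowed_dests=ALLOWED_DESTS + ["10.0.0.0/8"])["findings"])
```

The "outside the LAN subnet" finding is informational: pfBlockerNG deliberately places the DNSBL VIP on its own address so it cannot collide with hosts on the LAN. The actionable finding is the second one, and it disappears once the destination prefix list includes the VIP's range, which matches what the last post reports.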