DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled
-
I have 2.4.4-2 with pfBlockerNG-devel 2.2.5_21.
Unbound is my LAN DNS resolver and BIND is the WAN DNS (LAN accessible through a specific virtual IP).
When I enable DNSBL and force an update I lose access to the either DNS from the LAN side. Using the DNS Lookup in pfSense, DNS resolves correctly.
I don't see any new firewall rules, and I can't find any failures in the log. When I disable DNSBL and force an update, LAN DNS starts working again.
Where can I find what firewall/config changes DNSBL makes when it's enabled?
-
When I diff the config I see two rules added; however, they do not appear on any interface under the firewall rules, and the update output says there were no changes to firewall rules??
There's also a virtual IP added, which I do see.
server:include: /var/unbound/pfb_dnsbl.*conf is added to Unbound custom options.
/var/unbound/pfb_dnsbl.conf exists, but is empty.
There is /var/unbound/pfb_dnsbl_lighty.conf which does reference the DNSBL web server,
but that file doesn't match the wildcard path.
UPDATE PROCESS START [ 01/27/19 13:32:00 ]
===[ DNSBL Process ]================================================
Loading DNSBL Statistics... completed
Loading DNSBL Whitelist... completed
Saving DNSBL database... completed
Clearing all DNSBL Feeds
Configuring DNSBL... completed
Reloading Unbound Resolver..... completed [ 01/27/19 13:32:02 ]
DNSBL update [ 0 | PASSED ]... completed
Adding DNSBL Unbound server:include option
Saving new DNSBL web server configuration to port [ 7080 and 7443 ]
Saving DNSBL config changes.
VIP address configured.
Widget Packet statistics reset.
Restarting DNSBL Service
===[ GeoIP Process ]============================================
[ pfB_Top_v4 ] exists. [ 01/27/19 13:32:13 ]
[ pfB_Africa_v4 ] exists.
[ pfB_Antarctica_v4 ] exists.
[ pfB_Asia_v4 ] exists. [ 01/27/19 13:32:14 ]
[ pfB_Europe_v4 ] exists.
[ pfB_NAmerica_v4 ] exists. [ 01/27/19 13:32:15 ]
[ pfB_Oceania_v4 ] exists.
[ pfB_SAmerica_v4 ] exists.
===[ IPv4 Process ]=================================================
[ Spamhaus_DROP_v4 ] exists.
[ Spamhaus_EDROP_v4 ] exists.
[ Emerging_Threats_v4 ] exists.
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update
** Restarting firewall filter daemon **
UPDATE PROCESS ENDED [ 01/27/19 13:32:22 ]
Config changes:
<rule>
<source>
<any></any>
</source>
<destination>
<address>10.13.13.13</address>
<port>80</port>
</destination>
<protocol>tcp</protocol>
<target>127.0.0.1</target>
<local-port>7080</local-port>
<interface>lan</interface>
<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
<associated-rule-id>pass</associated-rule-id>
<natreflection>purenat</natreflection>
</rule>
<rule>
<source>
<any></any>
</source>
<destination>
<address>10.13.13.13</address>
<port>443</port>
</destination>
<protocol>tcp</protocol>
<target>127.0.0.1</target>
<local-port>7443</local-port>
<interface>lan</interface>
<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
<associated-rule-id>pass</associated-rule-id>
<natreflection>purenat</natreflection>
</rule>
<vip>
<interface>lan</interface>
<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>10.13.13.13</subnet>
<mode>ipalias</mode>
</vip>
-
@gogglespisano said in DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled:
When I enable DNSBL and force an update
Do you have any DNSBL Group defined?
-
I have tried with both no feeds or categories, and with a few feeds and categories. Either way, external access to DNS times out if DNSBL is enabled. The DNS Lookup tool still works and shows 0 msec response from localhost and LAN address.
I've tried restarting DNS and pfb services, stopping pfb services, and removing the custom options in Unbound manually. The only thing that restores DNS is if I disable DNSBL and run force update.
I added the enable check for the firewall rules, and that did add a ping and DNS rule, but it didn't help with LAN DNS. I also have a LAN rule permitting all TCP/UDP. No other LAN rules or floating rules block DNS.
-
@gogglespisano said in DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled:
DNS is if I disable DNSBL and run force update.
With DNSBL enabled what does a Force Update DNSBL log looks like?
-
I found that I can't access other DNS servers either. All traffic might be blocked, although pfSense can still resolve DNS and I can access the pfSense GUI. I added Pass (All) rules to floating, WAN and LAN at the top of the rules. That didn't help.
I noticed that traffic fails several seconds after the force update completes, and doesn't restore until several seconds after force update completes with DNSBL disabled.
Here is the log.
UPDATE PROCESS START [ 01/27/19 15:15:56 ]
===[ DNSBL Process ]================================================
Loading DNSBL Statistics... completed
Loading DNSBL Whitelist... completed
[ Shallalist_costtraps ] exists.
[ Shallalist_spyware ] exists.
[ UT1_ddos ] exists.
[ UT1_malware ] exists.
Saving DNSBL database... completed
Configuring DNSBL... completed
Reloading Unbound Resolver..... completed [ 01/27/19 15:15:59 ]
*** DNSBL update [ 0 ] [ 24430 ] ... OUT OF SYNC ! ***
Adding DNSBL Unbound server:include option
//------------------------------------------------------------------------
Saving new DNSBL web server configuration to port [ 7080 and 7443 ]
Saving DNSBL config changes.
VIP address configured.
Widget Packet statistics reset.
Restarting DNSBL Service
===[ GeoIP Process ]============================================
[ pfB_Top_v4 ] exists. [ 01/27/19 15:16:11 ]
[ pfB_Africa_v4 ] exists.
[ pfB_Antarctica_v4 ] exists.
[ pfB_Asia_v4 ] exists.
[ pfB_Europe_v4 ] exists.
[ pfB_NAmerica_v4 ] exists. [ 01/27/19 15:16:13 ]
[ pfB_Oceania_v4 ] exists.
[ pfB_SAmerica_v4 ] exists.
===[ IPv4 Process ]=================================================
[ Spamhaus_DROP_v4 ] exists.
[ Spamhaus_EDROP_v4 ] exists.
[ Emerging_Threats_v4 ] exists.
===[ Aliastables / Rules ]================================
Firewall rule changes found, applying Filter Reload
** Restarting firewall filter daemon **
UPDATE PROCESS ENDED [ 01/27/19 15:16:26 ]
-
@gogglespisano said in DNS fails when DNSBL (pfBlockerNG-devel 2.2.5_21) is enabled:
[ Shallalist_costtraps ] exists.
[ Shallalist_spyware ] exists.
[ UT1_ddos ] exists.
[ UT1_malware ] exists.
It looks like you don't have any DNSBL Group defined. Can you add one group? Go to the Feeds tab and add the small BBcan177 group. Then do another Force Reload DNSBL.
-
I think I found what's triggering the problem, but not why.
I manually added the virtual IP address to LAN 10.13.13.13 and that killed traffic. Deleting it and reloading the filter restores it. My LAN interface address is 172.16.1.1/16.
-
I found the problem. I had a rule that needed the 10.0.0.0 subnet added. When the DNSBL VIP was added, some traffic to pfSense got blocked.
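The root cause the thread ends on is a virtual IP (10.13.13.13) landing outside the networks the existing LAN pass rule covered, while the LAN itself is 172.16.1.1/16. As an added example that is not from the original thread or from pfBlockerNG itself, the script below parses the config diff quoted earlier (trimmed and wrapped in a root element so it parses) and checks two things: whether each added VIP falls inside the networks a pass rule allows, and whether each added port forward points at a VIP on the same interface. The /8 mask on the 10.0.0.0 fix is an assumption; the post gives no mask.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed from the config diff quoted in the thread, trimmed to the
# elements the checks need and wrapped in a <diff> root so it parses.
CONFIG_DIFF = """<diff>
<rule><destination><address>10.13.13.13</address><port>80</port></destination>
<protocol>tcp</protocol><target>127.0.0.1</target><local-port>7080</local-port>
<interface>lan</interface><descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr></rule>
<rule><destination><address>10.13.13.13</address><port>443</port></destination>
<protocol>tcp</protocol><target>127.0.0.1</target><local-port>7443</local-port>
<interface>lan</interface><descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr></rule>
<vip><interface>lan</interface><type>single</type><subnet_bits>32</subnet_bits>
<subnet>10.13.13.13</subnet><mode>ipalias</mode></vip>
</diff>"""


def parse_diff(xml_text):
    """Return (vips, port_forwards) found in a pfSense config diff fragment."""
    root = ET.fromstring(xml_text)
    vips = [(v.findtext("interface"),
             ipaddress.ip_interface(f"{v.findtext('subnet')}/{v.findtext('subnet_bits')}"))
            for v in root.iter("vip")]
    # A <rule> carrying <target> is a NAT port forward, not a filter rule.
    forwards = [(r.findtext("interface"),
                 ipaddress.ip_address(r.findtext("destination/address")),
                 int(r.findtext("destination/port")), int(r.findtext("local-port")))
                for r in root.iter("rule") if r.find("target") is not None]
    return vips, forwards


def uncovered_vips(vips, allowed):
    """VIP addresses that fall outside every network the pass rule allows."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return sorted(str(a.ip) for _, a in vips if not any(a.ip in n for n in nets))


def orphan_forwards(vips, forwards):
    """Port forwards whose destination is not a VIP on the same interface."""
    vip_set = {(ifc, a.ip) for ifc, a in vips}
    return [(ifc, str(dst), port) for ifc, dst, port, _ in forwards
            if (ifc, dst) not in vip_set]


if __name__ == "__main__":
    vips, fwds = parse_diff(CONFIG_DIFF)
    print(uncovered_vips(vips, ["172.16.0.0/16"]))                # before the fix
    print(uncovered_vips(vips, ["172.16.0.0/16", "10.0.0.0/8"]))  # after the fix
    print(orphan_forwards(vips, fwds))
```

Run against a real diff, a non-empty first list is the symptom described in the thread: traffic to the new VIP (and anything the rule set evaluates with it) is not matched by the pass rule the admin believed covered LAN-to-firewall traffic.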