    DNSBL just works when DNS Resolver is enabled

    pfBlockerNG
    • Marcus Vinicius

      Hello people,

      I'm setting up a pfSense, but the DNSBL package pfBlockerNG only works when I activate the DNS Resolver. My problem is that AD is already a DNS server (Active Directory runs a DNS server by default when we enable AD). How do I run the pfBlockerNG DNSBL without activating the DNS Resolver in pfSense?

      Attached screenshots: dns_resolver_active1.jpg, dnsbl_active1.jpg, no_dns_resolver.jpg, dnsbl_unactive.jpg

      Note: The AD is also the DHCP server, and DHCP Relay is enabled on pfSense.

      • RonpfS @Marcus Vinicius

        @Marcus-Vinicius said:

        How do I run the pfBlockerNG DNSBL without activating the DNS Resolver in pfSense?

        You can't; pfBlockerNG requires the DNS Resolver.

        You don't have enough memory to run DNSBL with 1.25M entries. I have 8GB mem with 1.2M entries and I ran into problems like unbound hanging on restart.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        • JeGr (LAYER 8 Moderator)

          @RonpfS said:

          How do I run the pfBlockerNG DNSBL without activating the DNS Resolver in pfSense?

          Easy. Don't use DNSBL. pfBlockerNG is two tools in one. One side is blocking requests at the IP level (the upper green hook you see); the other side is DNS blacklisting. If you don't want that because AD does your DNS, disable DNSBL and be done. That has nothing to do with pfBNG needing it. It doesn't. You can use one, both, or none. But don't consider DNS requests blackholed or blocked if your AD does your DNS. You only use IP blacklisting then.

          Besides: I don't get your point. MS AD needs forwarders or resolving, too, so instead of panicking, how about setting your DNS up so that pfSense serves DNS requests, making a domain override for your AD DNS domain in the "DNS Resolver" configuration, and pointing that to your domain? Any reason you'd need the AD DNS for anything at all?

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

              • Marcus Vinicius

              Thank you. I set up "DNS Forwarder" on pfSense, but I don't know whether we can use MS AD with DNS Resolver enabled, because by default AD is a DNS server. In AD, I point to my pfSense server as a DNS server.

                • dma_pf

                We have a similar setup, and this is how we got it working.

                1. Have the DHCP server issue the IP address of the AD DNS server as the DNS server to all of the domain machines.

                2. On the AD DNS server, create a forwarder to the pfSense box so that non-authoritative DNS requests on the AD DNS server are routed to pfSense (the default is that it uses root hints for those requests). In Server 2012 this would be done in the DNS Manager by right-clicking the named DNS server, selecting Properties, then going to the Forwarders tab. Select All interfaces, and enter the pfSense box's IP address.

                3. In the pfSense box, enable the Resolver.

                4. Configure pfBlockerNG as normal.

                In this way, the domain machines will first look to the AD DNS to resolve all DNS requests. If the name is resolved there, the request is answered, so any domain names hosted locally on the AD network will be resolved. If the name is not found on the AD DNS, the DNS request is forwarded to pfSense for resolution.

                  • johnpoz (LAYER 8 Global Moderator)

                  ^ Yup that is how you would do it..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 23.05 | Lab VMs CE 2.6, 2.7

                    • bmeeks @dma_pf

                    @dma_pf said:

                    We have a similar setup, and this is how we got it working. [...]

                    One last item I would suggest is to put your AD domain in as a Domain Override in the DNS Resolver on pfSense and point back to your AD DNS for that entry. That will allow pfSense to resolve your internal host IPs on the LAN to their actual host names when logging stuff or displaying the ARP table, etc.

                      • JeGr (LAYER 8 Moderator)

                      @johnpoz said:

                      ^ Yup that is how you would do it..

                      I'm curious as to why. Why use MS AD DNS for everything instead of only the things absolutely needed (e.g. the internal domain)? So why not use a clean DNS Resolver setup on pfSense and a domain override for AD's <lan.domain.tld> to the internal resolver?

                      Just wondering where one is preferable to the other, as with the resolver method, I've got a modern DoT-capable and DNSSEC enabled resolver working instead of that MS DNS monster with that caching of hell ;)

                        • johnpoz (LAYER 8 Global Moderator)

                        If you want to just use domain overrides for your AD, sure, you could do that, but you understand that there are more domains than just domain.tld in an AD, right?

                        There are going to be a bunch of subzones: _msdcs, _tcp, _udp, etc. So it's a bit more involved than just asking the AD NS for server.domain.tld.

                        To be honest, if you're an MS house using AD, just use that for DHCP and DNS. It's just way easier, and you're sure clients will be able to register themselves in the DNS, etc., etc.

                        Don't forget all your PTRs you would also need to set up as overrides.

                        It just doesn't make a lot of sense, for ease of configuration and possible troubleshooting, to point your clients to pfSense for DNS and/or use it for DHCP when you're an MS shop and you have a server able to provide these functions along with failover and redundancy. Just because pfSense can provide some DNS and DHCP doesn't mean you should do that.

                        If your network has grown beyond one single segment, your AD DHCP can also provide DHCP for all the different segments from a central location, etc. With MS DHCP, it can register clients in DNS for you, etc.

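bmeeks's domain-override suggestion and johnpoz's point that the AD's PTR zones need overrides too, as an added example that is not part of the thread and not pfSense, unbound or pfBlockerNG code: a Python script that emits the unbound forward-zone stanzas a pfSense Domain Override generates, for an AD domain and for the reverse zones of its subnets, all pointed back at the domain controllers. The domain corp.example, the DC addresses 10.0.0.10/10.0.0.11 and the subnets are constructed placeholders; the _msdcs subzone is included to show that it is already covered by the parent override and needs no stanza of its own.

```python
"""Emit the unbound "forward-zone" stanzas that a pfSense Domain Override
produces, for an Active Directory domain and the reverse (PTR) zones of
its subnets, all pointed back at the domain controllers.

Added example only; this is not pfSense, unbound or pfBlockerNG code.
corp.example, the DC addresses and the subnets are constructed values."""
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa / ip6.arpa zone names that cover `cidr`.

    Reverse zones are cut on octet (IPv4) or nibble (IPv6) boundaries, so a
    prefix that is not a multiple of 8 (or 4) bits is split into the zones
    that together cover it:
        10.0.0.0/24 -> ['0.0.10.in-addr.arpa']
        10.1.0.0/23 -> ['0.1.10.in-addr.arpa', '1.1.10.in-addr.arpa']
    A CIDR with host bits set (10.0.0.5/24) raises ValueError: a typo in an
    override is better caught here than debugged as a missing PTR later.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    bits = 8 if net.version == 4 else 4
    zone_prefix = -(-net.prefixlen // bits) * bits   # round up to a boundary
    labels_kept = zone_prefix // bits                 # octets/nibbles in the zone name
    zones = []
    for sub in net.subnets(new_prefix=zone_prefix):
        # reverse_pointer lists the least significant label first,
        # e.g. '0.0.0.10.in-addr.arpa'; keep only the labels inside the zone.
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[len(labels) - 2 - labels_kept:]))
    return zones


def prune_covered(zones):
    """Drop zones that sit under another zone in the list.

    unbound forwards every name below a forward-zone's name to that zone's
    servers, so '_msdcs.corp.example' is already covered by a stanza for
    'corp.example'. Names are normalised (lower case, no trailing dot) and
    returned shortest first, so parents always precede children.
    """
    names = sorted({z.strip(".").lower() for z in zones},
                   key=lambda z: (z.count("."), z))
    kept = []
    for name in names:
        if not any(name.endswith("." + parent) for parent in kept):
            kept.append(name)
    return kept


def forward_zone(name, servers):
    """Render one unbound forward-zone stanza for `name`."""
    lines = ["forward-zone:", f'    name: "{name}"']
    for server in servers:
        ipaddress.ip_address(server)       # fail early on a malformed address
        lines.append(f"    forward-addr: {server}")
    return "\n".join(lines)


def ad_override_config(ad_zones, dc_addrs, subnets):
    """Overrides for an AD: its DNS zones plus a PTR zone per subnet."""
    names = list(ad_zones)
    for cidr in subnets:
        names.extend(reverse_zones(cidr))
    return "\n\n".join(forward_zone(z, dc_addrs) for z in prune_covered(names)) + "\n"


if __name__ == "__main__":
    # Constructed example: one AD domain, two DCs, two client subnets.
    print(ad_override_config(
        ad_zones=["corp.example", "_msdcs.corp.example"],
        dc_addrs=["10.0.0.10", "10.0.0.11"],
        subnets=["10.0.0.0/24", "10.1.0.0/23"],
    ))
```

On pfSense the entries go into the Domain Overrides section of Services > DNS Resolver rather than a hand-edited unbound.conf (the GUI regenerates that file); the script's real value is the list of zone names, in particular the reverse zones, which is the part that gets forgotten. After applying them, check with dig -x 10.0.0.10 against the pfSense address that the PTR comes back from the DC instead of NXDOMAIN: unbound ships default local-zones for the RFC 1918 reverse ranges, so a reverse override that appears to do nothing is the first thing to look at there.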
                          • JeGr (LAYER 8 Moderator) @johnpoz

                          @johnpoz said:

                          To be honest, if you're an MS house using AD, just use that for DHCP and DNS. It's just way easier, and you're sure clients will be able to register themselves in the DNS, etc., etc.

                          That I agree with totally.
