DNSBL just Work when DNS Resolver Enable

Marcus Vinicius

Hello people,

I'm setting up a pfsense, but the DNBL package pfBloquerNG only works when I activate DNS Resolver. My problem is that AD (Active Directory is a DNS Server by default when we enable AD). How do I run the DNSBL pfBloquerNG without activating the DNS Resolver in pfsense?

2

3

4

Note: The AD is a DHCP Server and DHCP Relay is enable on pfsense.

RonpfS

@Marcus-Vinicius said in DNSBL just Work when DNS Resolver Enable:

How do I run the DNSBL pfBloquerNG without activating the DNS Resolver in pfsense?

You can't, pfblockerNG require the DNS Resolver.

You don't have enough memory to run DNSBL with 1.25M entries. I have 8GB mem with 1.2M entries and I ran into problems like unbound hanging on restart.

JeGr

@RonpfS said in DNSBL just Work when DNS Resolver Enable:

How do I run the DNSBL pfBloquerNG without activating the DNS Resolver in pfsense?

Easy. Don't use DNSBL. pfBlockerNG are two tools in one. One side is blocking requests on IP level (the upper green hook you see), the other side is DNS blacklisting. If you don't want that because AD does your DNS so disable DNSBL and be done. That has nothing to do with pfBNG needing it. It doesn't. You can use one, both, none. But don't consider DNS requests blackholed or blocked if your AD does your DNS. You only use IP blacklisting then.

Besides: I don't get your point. MS AD needs forwarders or resolving, too, so instead of panicking, how about setting your DNS up letting pfSense serve DNS requests and make a domain override for your AD DNS domain in "DNS Resolver" configuration and point that to your domain? Any reason you'd need the AD DNS for anything at all?

Marcus Vinicius

This post is deleted!

Marcus Vinicius

Marcus Vinicius 5 minutes ago

Thank you. I set up "DNS Forwarder" on pfsense but i don't know we can use MS AD with DNS Resolver Enable? Cause by default AD is a DNS Server. In AD point my pfsense server as a DNS Server.

dma_pf

We have a similar set up and this is how we got it working.

1. Have the DHCP server issue the IP address of the AD DNS Server as the DNS server to all of the domain machines.

2. On the AD DNS Server create a forward to the the pfsense box so that non authoritave dns requests on the AD DNS Server are routed to pfsense (the default is that they use root hints for those requests). In Server 2012 this would be done in the DNS Manager by right clicking the the named DNS server, selecting properties, then going to the Forwarders tab. Select All interfaces, and enter the pfsene box's ip address.

3. In the pfsense box enable resolver.

4. Configure pfblockerNG as normal.

In this way, the domain machines will first look to the AD DNS to resolve all DNS requests. If the name is resolved there then the request is answered, so any domain names hosted locally on the AD network will be resolved. If the name is not found on the AD DNS then the DNS request is forwarded to pfsense for resolution.

johnpoz

^ Yup that is how you would do it..

bmeeks

@dma_pf said in DNSBL just Work when DNS Resolver Enable:

We have a similar set up and this is how we got it working.

1. Have the DHCP server issue the IP address of the AD DNS Server as the DNS server to all of the domain machines.

2. On the AD DNS Server create a forward to the the pfsense box so that non authoritave dns requests on the AD DNS Server are routed to pfsense (the default is that they use root hints for those requests). In Server 2012 this would be done in the DNS Manager by right clicking the the named DNS server, selecting properties, then going to the Forwarders tab. Select All interfaces, and enter the pfsene box's ip address.

3. In the pfsense box enable resolver.

4. Configure pfblockerNG as normal.

In this way, the domain machines will first look to the AD DNS to resolve all DNS requests. If the name is resolved there then the request is answered, so any domain names hosted locally on the AD network will be resolved. If the name is not found on the AD DNS then the DNS request is forwarded to pfsense for resolution.

One last item I would suggest is to put your AD domain in as a Domain Override in the DNS Resolver on pfSense and point back to your AD DNS for that entry. That will allow pfSense to resolve your internal host IPs on the LAN to their actual host names when logging stuff or displaying the ARP table, etc.

JeGr

@johnpoz said in DNSBL just Work when DNS Resolver Enable:

^ Yup that is how you would do it..

I'm curious as to why. Why use MS AD DNS for everything instead of only the things absolutely needed (e.g. internal domain)? So why not use clean DNS Resolver setup on pfSense and Domain overwrite for ADs <lan.domain.tld> to the internal resolver?

Just wondering where one is preferable to the other, as with the resolver method, I've got a modern DoT-capable and DNSSEC enabled resolver working instead of that MS DNS monster with that caching of hell ;)

johnpoz

If you want to just use domain overrides for your AD, sure you could do that - but you understand that there is more domains than just domain.tld right in an AD..

Going to be a bunch of subs _msdcs. _tcp, _udp - etc. So its a bit more involved than just asking the AD NS for server.domain.tld

To be honest if your a MS house using AD - just use that for dhcp, and dns.. Its just way easier - and your sure clients will be able to register themselves in the dns, etc. etc..

Don't forget all your ptrs you would also need to setup as overrides..

Just doesn't make a lot of sense for ease of configuration and possible troubleshooting to point your clients to pfsense for dns and or use it for dhcp when your a MS shop and you have any server to be able to provide these functions and along with failover and redundancy... Just because pfsense can provide some dns and dhcp doesn't mean you should do that.

If your network has grown beyond 1 single segment... your AD dhcp also can provide all the different segments dhcp in central location, etc. With MS dhcp can register clients in dns for you, etc..

JeGr

@johnpoz said in DNSBL just Work when DNS Resolver Enable:

To be honest if your a MS house using AD - just use that for dhcp, and dns.. Its just way easier - and your sure clients will be able to register themselves in the dns, etc. etc..

That I agree totally.