Odd IP's address in PI-hole with PFblocker (DoD for one :scream:)



  • I've noticed some weird IP's in my pi-hole log from PFsense DoD being one of them https://www.whois.com/whois/21.10.87.218 any ideas of what's going on ?

    I have Pfsense main general DNS pointing to pi-hole and the LAN DHCP DNS point to pfsense's IP.

    Pfsense is on a DMZ of my router so gets DHCP assigned IP from it (192.168.1.113)

    It only seems to do this with PFsense/PFblocker in the middle. When I connect directly via WIFI to the router I don't see any weird IP's logged in pi-hole

    192-168-1-40-admin-queries-php-2019-08-23-15_54_10.png



  • You're reading the IP address wrong from those records. The IP address is listed in reverse. For example, that top entry is 116.9.245.200 which is Chinanet.


  • LAYER 8 Global Moderator

    ^ exactly those are all PTRs, and you say pfsense gets .113 (on its wan) and you have what behind it?

    PTRs are normally done when looking to see what the name on an IP address is, ie the reverse..

    for example

    $ dig -x 8.8.8.8                                                        
                                                                            
    ; <<>> DiG 9.14.4 <<>> -x 8.8.8.8                                       
    ;; global options: +cmd                                                 
    ;; Got answer:                                                          
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45891               
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1    
                                                                            
    ;; OPT PSEUDOSECTION:                                                   
    ; EDNS: version: 0, flags:; udp: 4096                                   
    ;; QUESTION SECTION:                                                    
    ;8.8.8.8.in-addr.arpa.          IN      PTR                             
                                                                            
    ;; ANSWER SECTION:                                                      
    8.8.8.8.in-addr.arpa.   86134   IN      PTR     dns.google.             
                                                                            
    ;; Query time: 10 msec                                                  
    ;; SERVER: 192.168.3.10#53(192.168.3.10)                                
    ;; WHEN: Fri Aug 23 10:37:34 Central Daylight Time 2019                 
    ;; MSG SIZE  rcvd: 73                                                   
                                                                            
    

    Firewalls could do this if setup to resolve the IPs it logs to names, etc.



  • Ok so it's logging inbound scans ?
    It's a really setup My router Pi-hole is plugged into it and pfsense gets .113 from it. My laptop plugs into the LAN of pfsense with WIFI turned off on the laptop

    What I was trying to achieve was see what pfblocker 'misses' and Pi-hole blocks if that makes sense.


  • LAYER 8 Global Moderator

    It would/could be trying to resolve an IP that hits your wan IP sure.. would depending your setting, depend on what packages you might have installed.. My pfsense doesn't resolve the IPs that hits is wan, unless I go to the log and click the little try to resolve icon.



  • I could send you my config if you wish ?
    Packages installed , snort, avahi, freeradius3 and LCDproc aren't configured
    pfsense-pkg-mgr-installed-php-2019-08-23-16_44_55.png


  • LAYER 8 Global Moderator

    Yeah pretty sure out of the box ntop will try and resolve all the traffic it sees. Snort might/could do the same sort of thing.



  • Ah ok, never thought of that - I'll turn if off !
    First of all I went down the road 'I've got a VIRUS' and start scanning my laptop with every scanner going.😟



  • Yep, that appeared to stop it - Thanks John !
    It seemed odd with batches of IP's more or less at the same time.


  • LAYER 8 Global Moderator

    There is a lot of noise on the net ;) You are seeing these blocked at the wan of pfsense right, your clients not going there?



  • @johnpoz said in Odd IP's address in PI-hole with PFblocker (DoD for one 😱):

    Yeah pretty sure out of the box ntop will try and resolve all the traffic it sees. Snort might/could do the same sort of thing.

    Snort and Suricata behave the same as the pfSense firewall log view. They do not resolve a log entry unless the user clicks the little magnifying glass icon beside an IP on the ALERTS tab. So like the pfSense firewall log, manual user action is required for either of the IDS/IPS packages to perform a DNS lookup.

    Update: I need to clarify one point. The scheduled rules update check cron tasks connect to the rule vendors via URLs, so those tasks will, as part of the CURL connection process, perform DNS lookups to convert the URL into an IP address.



  • @johnpoz your clients not going there?

    not as far as I know 🤞


  • LAYER 8 Global Moderator

    @bmeeks
    Thanks for the clarification, I was not "sure" that is why made sure to say might/could ;)



  • @johnpoz said in Odd IP's address in PI-hole with PFblocker (DoD for one 😱):

    @bmeeks
    Thanks for the clarification, I was not "sure" that is why made sure to say might/could ;)

    No problemo. Just verifying how the package behaves so folks know.



  • I'm 99% curtain it's ntopng as the IP's have stopped showing in pi-hole when ntopng is turned off.



  • @randombits said in Odd IP's address in PI-hole with PFblocker (DoD for one 😱):

    I'm 99% curtain it's ntopng as the IP's have stopped showing in pi-hole when ntopng is turned off.

    Packages like that try and do you a favor and turn the IP addresses they see into human-friendly domain names by doing reverse PTR lookups when writing the information to their logs. The DNS lookups are harmless unless you have a specific reason to want them turned off.


  • LAYER 8 Global Moderator

    Most of the noise you would be seeing from the internet is not going to resolve anyway - so its pretty pointless to look for it.. None of the shit he posted resolves.. So what is the point of trying to, if 90% of its not even going to... Its wasted cycles and queries.



  • I've never used ntopng, but if the DNS lookup thingy is not a configurable option, perhaps that is a feature the maintainer/developer might want to consider adding.


  • LAYER 8 Global Moderator

    pretty sure you can just turn off the resolving part.. I don't currently have it running - let me look

    edit: yeah you can config it
    dnsconfig.png

    If it was default on his settings it should not have tried to resolve the public IPs, and only his local ones.



  • Spoke too soon, I removed ntopng, snort, darkstat and avahi and I'm still getting the IP's in pi-hole. My thoughts are not to use pi-hole or what I'm doing is wrong in some way. Also nothing connected on the LAN side at all - laptop off.

    I think the obvious answer is Pfblocker or some weird interaction with pi-hole. Why I think this, I turn on another laptop WIFI'd to the router (so it's on the WAN side of pfsense and pi-hole starts seeing these IP's.

    I'll take pi-hole out of the loop and put 9.9.9.9 into pfsense in the system/general DNS


Log in to reply