Netgate Discussion Forum

    Issues using DNSBL and IP to block domains

    pfBlockerNG
    26 Posts 4 Posters 2.6k Views
      Risfold

      I am trying to block DoH and DoT on my network. I use DoT on my DNS resolver, and I want to prevent DoH (and DoT) circumvention by clients. I have blocked port 853 for DoT. For DoH, I have a list of domains in DNSBL that is currently working. (All LAN port 53 traffic is forwarded to the DNS resolver too.)

      However, this doesn't prevent a hard-coded DoH request to, for example, 8.8.8.8:443 (dns.google). So I would like to also block ports 443, 8443 and 853 to the resolved IP addresses of my DoT domain list.

      I have configured a new IP block feed and added advanced rules to only block the ports to these domains. However, when the list of domains is added and pfBlocker is updated, all of these domains are resolved to the pfBlocker VIP, presumably because they are already on the DNSBL.

      Is it possible to adjust pfblocker to be able to resolve this list of domains? And not use itself for resolution?

        NollipfSense

        If I remember correctly, you'll need to adjust your browser as well.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          Risfold

          Hi thanks for the reply. I'm not sure what you mean. What in the browser would affect this?

            NollipfSense

            This might lead you there: https://forum.netgate.com/topic/146884/suggestion-disable-default-doh-in-firefox

              Risfold

              Thanks, I know how to disable DoH in Firefox. I am concerned about clients that I cannot control or modify. Do you have any suggestions related to my initial question? The issue I have asked about is related to pfSense only, not any clients.

                bmeeks @Risfold

                @Risfold said in Issues using DNSBL and IP to block domains:

                Thanks, I know how to disable DoH in Firefox. I am concerned about clients that I cannot control or modify. Do you have any suggestions related to my initial question? The issue I have asked about is related to pfSense only, not any clients.

                Pretty much the entire point of DoH is to prevent third parties from intercepting, reading or modifying DNS lookups (and in this case, sounds like from the client's point of view your network is a "third party"). So that leads to DoH being somewhere between hard and impossible to block.

                Here is a recent SANS Institute whitepaper on the issues with network monitoring caused by DoT and DoH: https://www.sans.org/reading-room/whitepapers/dns/needle-haystack-detecting-dns-https-usage-39160.

                And here is another little tidbit of information to keep you up at night ... 😉 : https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/.

                So life for network security admins is not going to be getting any easier ...

                  Risfold

                  Hi thank you for the reply. Yeah agreed, it is difficult to block. I am mostly looking to block the lowest common denominator on my home network. Do you have any suggestions on how to have pfblocker block the IP of a domain that is already blocked by DNSBL?

                    bmeeks @Risfold

                    @Risfold said in Issues using DNSBL and IP to block domains:

                    Hi thank you for the reply. Yeah agreed, it is difficult to block. I am mostly looking to block the lowest common denominator on my home network. Do you have any suggestions on how to have pfblocker block the IP of a domain that is already blocked by DNSBL?

                    Well, I'm not a pfBlocker user (I am actually the Snort and Suricata package developer and use Snort on my personal system), but from what I understand you can configure pfBlocker to create aliases which you can then use in firewall rules. So set up pfBlocker to create aliases and then you should be able to have pfBlocker download the DNSBL IP list and stuff the contents into an alias. You would then manually create a rule that used that alias as the source of IPs to block.

                      NollipfSense

                      IP addresses of domains are constantly changing...

                        bmeeks @NollipfSense

                        @NollipfSense said in Issues using DNSBL and IP to block domains:

                        IP addresses of domains are constantly changing...

                        Yeah, but doesn't pfBlocker periodically update its lists? Nothing will keep up if the IPs change like every few minutes, but if it is days, then perhaps pfBlocker's daily list updates can keep up?? pfBlocker would update the IPs in the alias from the list.

                        Another possibility is using a URL alias table and loading an updated list from a URL periodically. This would require more work on the part of the admin to manually create an update process.
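
                        The update process described in the post above, as an added example that is not part of this thread or of pfBlockerNG itself: a stdlib-only Python script that resolves the DoH domain list against an explicitly chosen upstream server instead of the firewall's own Unbound (which, as the OP found, answers these names with the DNSBL VIP), drops the VIP if it does show up, and prints one address per line in the format a pfSense URL Table alias consumes. The VIP 10.10.10.1, the upstream 9.9.9.9 and the three sample domains are assumptions, not values from the thread.

```python
"""Resolve a domain list against an explicit upstream DNS server and emit an
IP list for a pfSense URL Table alias.

Added example, not from the original thread or the pfBlockerNG project. It
assumes: the domains are also on DNSBL, so the local Unbound would answer
with the DNSBL VIP (assumed 10.10.10.1); an upstream resolver reachable on
UDP/53 from the host running the script (assumed 9.9.9.9); and that the
output file is served over HTTP for a URL Table alias. Stdlib only.
"""
import random
import socket
import struct

DNSBL_VIP = "10.10.10.1"   # assumed pfBlockerNG DNSBL VIP; check your own setting
UPSTREAM = "9.9.9.9"       # assumed upstream resolver, deliberately NOT the local Unbound
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list[str]:
    """Extract IPv4 addresses from the answer section. A mismatched transaction
    ID or a non-zero RCODE raises, so a failed lookup is never mistaken for
    "this domain has no addresses"."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                              # CNAME/other RRs are skipped
    return ips


def udp_exchange(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Send one query over UDP/53 to the given server and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


def resolve_a(name: str, server: str = UPSTREAM, exchange=udp_exchange) -> list[str]:
    """Resolve one name to its A records via the chosen server (not the system resolver)."""
    txid = random.randrange(0, 0x10000)
    return parse_a_records(exchange(server, build_query(name, txid)), txid)


def build_alias_list(domains, server=UPSTREAM, vip=DNSBL_VIP, exchange=udp_exchange) -> list[str]:
    """Resolve every domain and return a sorted, de-duplicated IP list with the
    DNSBL VIP removed, so a sinkholed answer can never land in the block alias
    (blocking the VIP would break the DNSBL block page itself)."""
    ips = set()
    for d in domains:
        try:
            ips.update(resolve_a(d, server, exchange))
        except (OSError, ValueError, struct.error):
            continue   # timeout, NXDOMAIN or malformed reply: skip this domain this run
    ips.discard(vip)
    return sorted(ips, key=lambda ip: tuple(map(int, ip.split("."))))


if __name__ == "__main__":
    DOH_DOMAINS = ["dns.google", "cloudflare-dns.com", "dns.quad9.net"]  # constructed sample list
    # One address per line is what a URL Table alias expects. Serve the output over
    # HTTP, point the alias at it, and use the alias as the destination of a block
    # rule for TCP 443, 8443 and 853.
    for ip in build_alias_list(DOH_DOMAINS):
        print(ip)
```

                        Run it from cron on a host whose port 53 traffic is not redirected to the firewall's resolver, and keep the interval shorter than the alias's URL Table refresh. The lookups go to the upstream in plaintext UDP; since the only thing revealed is a list of well-known DoH provider names, that is an acceptable trade-off here, but the script is easily pointed at a local stub that speaks DoT if that matters in your environment. A domain that times out or returns NXDOMAIN is skipped for that run rather than emptying the whole list, so one bad lookup does not silently un-block everything.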

                          NollipfSense @bmeeks

                          @bmeeks said in Issues using DNSBL and IP to block domains:

                          This would require more work on the part of the admin to manually create an update process.

                          That's why I mentioned the changing IP. I am learning more and more that network administration, even for a small home network, is a bit* h.

                            bmeeks @NollipfSense

                            @NollipfSense said in Issues using DNSBL and IP to block domains:

                            That's why I mentioned the changing IP. I am learning more and more that network administration, even for a small home network, is a bit* h.

                            I believe the OP is asking about this for his home network. Blocking DoT or DoH in a home network is not really something I would concern myself with. If you have an army of IoT devices, then maybe segregate them on a restricted VLAN by themselves. Some of them are useless without Internet connectivity, though, so you probably need to let them have Internet access even if on a restricted VLAN.

                            You can very quickly get "too complicated" in a home network if you try to solve or plan for every cyber security potential issue. You can find yourself with a highly secure network that is, for all intents and purposes, non-functional in terms of what you built it for. In other words, most of the stuff you want to access no longer works as it should ... ☺.

                            Just take reasonable precautions, keep your software updated with security fixes and live a normal peaceful life with a happy wife! Remember, if your wife can't reliably get to Netflix, Amazon Prime Video and Pinterest over the home network, then your life as a network admin will suck! ... 😁

                              NollipfSense @bmeeks

                              @bmeeks said in Issues using DNSBL and IP to block domains:

                              You can very quickly get "too complicated" in a home network if you try to solve or plan for every cyber security potential issue. You can find yourself with a highly secure network that is, for all intents and purposes, non-functional in terms of what you built it for. In other words, most of the stuff you want to access no longer works as it should ... .
                              Just take reasonable precautions, keep your software updated with security fixes and live a normal peaceful life with a happy wife! Remember, if your wife can't reliably get to Netflix, Amazon Prime Video and Pinterest over the home network, then your life as a network admin will suck! ...

                              Had to laugh aloud. I recently added Shodan and DOH; lots of sites got broken, and I'm still working on Skype, as that's how the household communicates with other distant family members. ☹

                                Risfold

                                I definitely am the type to over-complicate my home network, mostly for fun 😁. Yes, pfBlocker can use aliases, and that is what it uses when a feed is created. My issue is that I currently have a list of domains that pfBlocker will fetch the IPs for, and I want those IPs blocked on specific ports. However, when pfBlocker returns the IPs it only lists the VIP used for DNSBL, because they are listed there as well. Do you have any thoughts on how to have pfBlocker retrieve these IPs?

                                  Risfold

                                  I have been thinking that disabling the DNS Resolver's responding on the local host might work, but I'm not sure if that will work or what else it will affect.

                                    Risfold @Risfold

                                    @Risfold said in Issues using DNSBL and IP to block domains:

                                    I have been thinking that disabling the DNS Resolver's responding on the local host might work, but I'm not sure if that will work or what else it will affect.

                                    Well, that didn't work. Got the error below. Plus, then my resolver wouldn't use the DoH I have set up.
                                    [screenshot of the error]

                                      Risfold

                                      @BBcan177 Do you have any suggestions? I would very much appreciate any help you can offer.

                                        bmeeks

                                        You will need the resolver for DNSBL to work. I am not familiar with the internal details of how pfBlockerNG works. The developer and I have exchanged ideas in the past, but I mostly concentrate on the IDS/IPS packages (Snort and Suricata).

                                          Risfold @bmeeks

                                          @bmeeks said in Issues using DNSBL and IP to block domains:

                                          You will need the resolver for DNSBL to work. I am not familiar with the internal details of how pfBlockerNG works. The developer and I have exchanged ideas in the past, but I mostly concentrate on the IDS/IPS packages (Snort and Suricata).

                                          Thanks for your contributions to pfSense! I actually am upgrading to beefier pfSense hardware soon, and I plan on looking into those. I am currently on an APU board, and from what I hear that doesn't quite cut it for those.

                                            BBcan177 (Moderator)

                                            Some more info here:
                                            https://www.reddit.com/r/pfBlockerNG/comments/d3p1gf/doh_server_blocklist/

                                            "Experience is something you don't get until just after you need it."

                                            Website: http://pfBlockerNG.com
                                            Twitter: @BBcan177  #pfBlockerNG
                                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.