pfblocker and AD DNS



  • Hello! I have pfSense with pfBlocker installed on IP 10.104.160.1 and AD on IP 10.104.160.3. Using this site https://vorkbaard.nl/protect-your-network-with-domain-filtering-on-pfsense-2-4-and-pfblockerng/ I was able to configure the pfBlocker proxy.
    Everything works if I use pfSense (10.104.160.1) as the DNS server on my test PC. If I use my Windows AD server as DNS, nothing works. Tell me how to fix it.



  • Please understand that for pfBlockerNG to work, all DNS requests must be handled by your pfSense box, as you have discovered. Using another DNS server such as your Windows server will bypass pfBlockerNG, as you have also discovered, and defeats the purpose of installing it.


  • LAYER 8 Global Moderator

    All your clients should point to your AD DNS, and that really should be your DHCP server as well.

    Then have your AD DNS forward to pfSense, so unbound can resolve or forward.



  • Used this as a base article:
    https://www.tecmint.com/install-configure-pfblockerng-dns-black-listing-in-pfsense/
    It turned out to be done like this:

    1. In the DHCP settings, the client receives the IP of the domain controller as the main and only DNS server. In the pfSense settings I tuned the DNS resolver, quote:
    "When the page reloads, the DNS resolver general settings will be configurable. The first option that needs to be configured is the checkbox for 'Enable DNS Resolver'.
    The next settings are to set the DNS listening port (normally port 53), setting the network interfaces that the DNS resolver should listen on (in this configuration, it should be the LAN port and Localhost), and then setting the egress port (should be WAN in this configuration)."
    2. In the System > General Setup tab, set the DNS server to my domain controller.
    3. On the domain controller, in DNS Manager, I selected my server and opened the Forwarders item. I tried to add my pfSense server there; it was added by IP, but with the server FQDN it throws an "unable to resolve" error. I think this is a problem.
    4. I went into Reverse Lookup Zones and added my local network 10.104.160. At least the status there is "running".
    In general, it began to work somehow, but I'm not sure about the settings. Tell me if it should be otherwise, where necessary.


  • LAYER 8 Global Moderator

    @Vladimir88 said in pfblocker and AD DNS:

    with the server FQDN it throws an "unable to resolve" error. I think this is a problem.

    Not really - but you could fix it by creating a record in your AD DNS for, say, pfsense.yourdomain.tld pointing at the pfSense IP address.
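    As an added example that is not part of the thread, the tecmint article, or the pfSense project: the steps above (DHCP handing out only the DC as resolver, the DC forwarding to pfSense, the reverse zone, and the A record the moderator suggests) as a PowerShell script run on the domain controller, followed by a check that a listed domain actually comes back sinkholed when queried through the DC. The IP addresses are the ones from the original post; the domain name corp.example, the DHCP scope living on the DC, and the pfBlockerNG sinkhole address 10.10.10.1 (its usual DNSBL VIP default) are assumptions and must be replaced with your own values.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC that hosts DNS (and, as assumed here, DHCP).
# Requires the DnsServer and DhcpServer modules (RSAT / the DNS and DHCP server roles).
$Domain      = 'corp.example'          # ASSUMPTION: replace with your AD DNS domain
$DcIp        = '10.104.160.3'          # from the original post
$PfSenseIp   = '10.104.160.1'          # from the original post
$PfSenseName = "pfsense.$Domain"
$LanNetwork  = '10.104.160.0/24'
$ReverseZone = '160.104.10.in-addr.arpa'
$SinkholeIp  = '10.10.10.1'            # ASSUMPTION: the DNSBL virtual IP configured in pfBlockerNG

# 1. DHCP (assumed to run on this DC): clients get the DC as their one and only DNS server,
#    so nothing on the LAN is told to talk to pfSense or the Internet for DNS directly.
Set-DhcpServerv4OptionValue -ScopeId '10.104.160.0' -DnsServer $DcIp

# 2. Forward everything the DC cannot answer from its own zones or cache to pfSense, and to pfSense only.
#    -UseRootHint $false matters: otherwise a failing forwarder lets the DC fall back to root hints
#    and resolve around pfBlockerNG.
Set-DnsServerForwarder -IPAddress $PfSenseIp -UseRootHint $false -Timeout 3 -PassThru

# 3. Reverse lookup zone for the LAN (step 4 of the post), created only if it is not there yet.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $LanNetwork -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 4. A record (and matching PTR) for the pfSense box, so the forwarder can also be entered by FQDN
#    without the "unable to resolve" error from the DNS Manager GUI.
if (-not (Get-DnsServerResourceRecord -ZoneName $Domain -Name 'pfsense' -RRType 'A' -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'pfsense' -IPv4Address $PfSenseIp -CreatePtr
}

# 5. Verification, all queried against this DC so the full client path is exercised.
Resolve-DnsName -Name $PfSenseName -Server $DcIp -Type A            # answered from the local zone
Resolve-DnsName -Name 'www.example.com' -Server $DcIp -Type A       # travels DC -> pfSense/unbound -> upstream

# Pick a domain you know is on one of your enabled DNSBL feeds; if the answer is the sinkhole address,
# the block list is being applied even though the client never talks to pfSense itself.
$Listed  = 'some-listed-domain.example'                               # ASSUMPTION: substitute a real listed name
$Answer  = Resolve-DnsName -Name $Listed -Server $DcIp -Type A -ErrorAction SilentlyContinue
if ($Answer -and ($Answer.IPAddress -contains $SinkholeIp)) {
    "OK: $Listed resolves to the pfBlockerNG sinkhole $SinkholeIp via the DC"
} else {
    "CHECK: $Listed was not sinkholed; verify the DC forwarders and that root hints are disabled"
}
```

    Set-DnsServerForwarder replaces the whole forwarder list, which is the point: a second, non-pfSense forwarder left in the list would be tried whenever pfSense is slow and would silently bypass the block lists.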



  • I've got two Server 2016 VMs running a domain, both running DNS and DHCP. No DHCP on pfSense, only the DNS Resolver configured. The IPs listed in pfSense under System > General are all my chosen Internet resolvers (not my internal DNS; they are DNS over TLS Internet resolvers). All my clients have only my two DNS servers as their DNS, and they get this from the DCs' DHCP server and scope options. The DCs list each other as their DNS and have the pfSense box as their forwarder (not conditional, just a regular forwarder). If they can't resolve the request, they use the forwarder, so port 53 TCP and UDP are allowed via a LAN rule applied to an alias for both my DCs, to the LAN interface on pfSense. All clients' port 53 is blocked in pfSense by a rule below that allow rule, just to make sure they don't get directly out for any reason (say, if they get infected with something and their DNS is hack-configured to something malicious). Once pfSense gets the request from my DCs, it then uses the DNS servers configured on the General tab, with the DNS over TLS settings set in the DNS Resolver section.


  • LAYER 8 Moderator

    @riften said in pfblocker and AD DNS:

    I've got two Server 2016 VMs running a domain, both running DNS and DHCP. No DHCP on pfSense, only the DNS Resolver configured. The IPs listed in pfSense under System > General are all my chosen Internet resolvers (not my internal DNS; they are DNS over TLS Internet resolvers). All my clients have only my two DNS servers as their DNS, and they get this from the DCs' DHCP server and scope options. The DCs list each other as their DNS and have the pfSense box as their forwarder (not conditional, just a regular forwarder). If they can't resolve the request, they use the forwarder, so port 53 TCP and UDP are allowed via a LAN rule applied to an alias for both my DCs, to the LAN interface on pfSense. All clients' port 53 is blocked in pfSense by a rule below that allow rule, just to make sure they don't get directly out for any reason (say, if they get infected with something and their DNS is hack-configured to something malicious). Once pfSense gets the request from my DCs, it then uses the DNS servers configured on the General tab, with the DNS over TLS settings set in the DNS Resolver section.

    And what does that have to do with the original question/problem? That's your workflow, OK. But it has potential problems/oversights as well. Besides, I don't get what you wanted to say or add to the topic by describing your setup.

    As an additional thought: only blocking UDP/TCP 53 isn't enough anymore. There are DoT resolvers for client OSes as well that could be used, and with Windows (or applications) adding DoH support, that "Pandora's Box" will soon bring fun to all admins debugging DNS failures as well ;)
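    As an added example, not posted by either participant: a client-side check, run from a domain-joined Windows PC, of the DNS egress controls discussed in the two posts above. It probes the three paths the moderator lists (plain DNS on 53, DoT on 853, DoH on 443) against an external resolver and reports which ones the firewall still lets through, then shows which resolvers the client itself is configured to use. The public resolver address and the DoH endpoint are assumptions chosen only because they answer on all three; nothing in the script changes any configuration.

```powershell
# Added example, not from the thread. Run as an ordinary user on a Windows client behind pfSense.
$PublicResolver = '1.1.1.1'                                                       # ASSUMPTION: any external resolver that speaks 53/853
$DohEndpoint    = 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' # ASSUMPTION: any DoH endpoint with the JSON API
$ExpectedDns    = @('10.104.160.3')                                               # the DC from the original post

$results = [ordered]@{}

# Path 1: plain DNS on udp/tcp 53 straight to the Internet. The "block clients port 53" rule should stop this.
# -DnsOnly bypasses the local cache and hosts file so a cached answer cannot fake a success.
$plain = Resolve-DnsName -Name 'example.com' -Server $PublicResolver -Type A -DnsOnly -ErrorAction SilentlyContinue
$results['Direct DNS (udp/tcp 53) to Internet'] = if ($plain) { 'OPEN - bypasses the DCs and pfBlockerNG' } else { 'blocked' }

# Path 2: DNS over TLS on tcp 853. A port-53-only rule does nothing here; it needs its own block.
$dot = Test-NetConnection -ComputerName $PublicResolver -Port 853 -WarningAction SilentlyContinue
$results['DoT (tcp 853) to Internet'] = if ($dot.TcpTestSucceeded) { 'OPEN - needs a separate firewall rule' } else { 'blocked' }

# Path 3: DNS over HTTPS on tcp 443, indistinguishable from ordinary web traffic by port alone.
# If this succeeds, only blocking the resolver IPs/domains (e.g. a DoH-server list in pfBlockerNG) or a proxy can stop it.
try {
    $doh = Invoke-WebRequest -Uri $DohEndpoint -Headers @{ Accept = 'application/dns-json' } -UseBasicParsing -TimeoutSec 5
    $results['DoH (tcp 443) to Internet'] = if ($doh.StatusCode -eq 200) { 'OPEN - port blocking cannot stop this' } else { 'blocked' }
} catch {
    $results['DoH (tcp 443) to Internet'] = 'blocked'
}

# What the client itself has been told to use. Anything outside $ExpectedDns means the DHCP scope option
# or a local override is wrong, whatever the firewall does.
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses | Sort-Object -Unique
$unexpected = $configured | Where-Object { $ExpectedDns -notcontains $_ }
$results['Configured resolvers'] = $configured -join ', '
$results['Resolvers other than the DCs'] = if ($unexpected) { $unexpected -join ', ' } else { 'none' }

# Windows 11 / Server 2022 can bind a DoH template to a resolver; the cmdlet does not exist on older builds.
if (Get-Command Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    $templates = Get-DnsClientDohServerAddress
    $results['Client DoH templates'] = if ($templates) { ($templates | ForEach-Object { "$($_.ServerAddress) -> $($_.DohTemplate)" }) -join '; ' } else { 'none' }
}

$results.GetEnumerator() | Format-Table -AutoSize
```

    Expect the first two paths to report "blocked" once a reject rule for tcp 853 has been added beside the existing port 53 rule; the third will usually report "OPEN" unless the DoH endpoints themselves are on a block list, which is the point the moderator is making.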

