pfBlockerNG-devel not showing blocked DNS requests
  • Hi everyone and best wishes for 2020!

    I am facing the following problem. For the past few days I saw that an Ikea Tradfri gateway (for light control) was not responding. Resetting the gateway made it work for about an hour or so and then it went offline again. So I was wondering whether pfBlockerNG was maybe blocking something. I started eyeballing the Reports tab in pfBlockerNG and tried using the filter options, but nothing showed up for the IP address the Ikea Tradfri gateway has. The strange thing was that when the gateway went offline I was able to ping it perfectly from my LAN and also from pfSense.

    So when I didn't see any hits on the pfBlocker Alerts tab I tried a complete reset of the gateway. That was a PITA because I had to add all my lights and automations again. OK, that is part of troubleshooting and you do what needs to be done.

    Still the same problem! After a while (an hour or so) the gateway went offline again, but it responded perfectly to ping. So I then spun up an Ubuntu server with Pi-hole (with the same DNSBL lists as pfBlockerNG) and pointed the Ikea gateway to the Pi-hole. Bingo! The Pi-hole showed me immediately which DNS request was being blocked for the Ikea Tradfri gateway. I added that to the whitelist and everything returned to normal. So now I knew what hostname was being blocked. I went back to pfBlockerNG and using DNS Lookup I could see that that DNS request was being sinkholed to the pfBlockerNG IP. But it still didn't show up in the Alerts tab!

    How is this behavior possible? Or is it by design for pfBlocker? I can't believe that Pi-hole showed me immediately which DNS request was blocked, while in pfBlockerNG I spent hours and still couldn't figure it out.


  • Moderator

    @vjizzle
    Are you using VLANs? If you put that domain in a browser directly, what does it show in the Alerts tab? Would also recommend to use pfBlockerNG-devel.



  • Hi BBcan177!

    Thanks for getting back to me. I am already using pfBlockerNG-devel :). I just did the update to version 2.2.5_28 for MaxMind GeoIP. On pfSense I am using VLANs for IPTV but not for my LAN. My LAN is also the only interface selected in the DNSBL configuration. So the DNS name I am talking about is: webhook.logentries.com. It is not showing anything when I enter it in a browser. Also, this build of pfSense is about a week old and nothing special has been done: just a basic install, and then the pfBlockerNG package was added.

    Another DNS name I found to show the same behavior is ping.ui.com. It is blocked by pfBlockerNG but it does not show up in the Alerts tab. I can find the lookup in the DNS Resolver logs, but nothing is being reported by pfBlockerNG. I'm sure that I am doing something wrong or looking in the wrong place. I expect pfBlockerNG to be "honest" with me and show me exactly which DNS names are being sinkholed. At the moment it seems like for some reason it is not doing that. All help is appreciated, guys!

    -- Edit: added screenshot from pfsense shell

    Screenshot: 2020-01-03 16_00_30-Command Prompt.png

    As you can see, a ping resolves the domain ping.ui.com to the DNSBL VIP. But the entry is not logged in the dnsbl.log file on pfSense. Do I need to adjust logfile settings somewhere in pfSense?


  • Moderator

    @vjizzle
    Do you have the "TLD" option enabled (wildcard blocking)?

    If so, then I would guess that the root domain of the two domains you posted are being blocked and those should be visible in your Reports tab.

    If you click on the "+" icon to whitelist those domains, you will see instructions on how to best whitelist.

    Try this command to see what domains are in the DNSBL database:

    grep "logentries.com" /var/unbound/pfb_dnsbl.conf
    

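The moderator's suggestion above (grep the unbound DNSBL config, and remember that with TLD/wildcard blocking the hit is logged under the root domain, not the host you looked up) can be scripted so the parent-domain walk is done for you. The snippet below is an added example written for this thread, not pfBlockerNG's own code; it assumes the unbound-mode layout of /var/unbound/pfb_dnsbl.conf (one local-data line per blocked host, plus a local-zone "redirect" line when a whole root domain is wildcarded) and uses a constructed sample file so it runs offline; the DNSBL VIP 10.10.10.1 in it is just the package default, not a value from the poster's box.

```shell
#!/bin/sh
# Added example for this thread, not pfBlockerNG's own code. Assumed format of
# /var/unbound/pfb_dnsbl.conf in unbound mode: a local-data line per blocked
# host, and a local-zone "redirect" line when TLD/wildcard blocking covers a
# whole root domain. The sample file below is constructed for the demo.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
local-data: "webhook.logentries.com 60 IN A 10.10.10.1"
local-zone: "ui.com" redirect
local-data: "ui.com 60 IN A 10.10.10.1"
EOF

# dnsbl_match DOMAIN CONF
# Print the first DNSBL entry that covers DOMAIN. The exact host is tried
# first, then each parent domain in turn, so a wildcard entry for "ui.com"
# is reported as the reason "ping.ui.com" resolves to the DNSBL VIP.
# Exit status 0 on a hit, 1 when no entry covers the name.
dnsbl_match() {
    d="$1"
    conf="$2"
    while [ -n "$d" ]; do
        # Fixed-string match on the quoted name: '"name ' catches local-data
        # lines, '"name"' catches local-zone lines; dots stay literal.
        hit=$(grep -F -e "\"$d " -e "\"$d\"" "$conf" | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
        case "$d" in
            *.*) d="${d#*.}" ;;   # strip the leftmost label, try the parent
            *)   d="" ;;          # reached the TLD: nothing left to try
        esac
    done
    return 1
}

# Demo: the two names from the thread plus one that is not listed.
for name in webhook.logentries.com ping.ui.com example.org; do
    if entry=$(dnsbl_match "$name" "$SAMPLE_CONF"); then
        printf '%-24s covered by: %s\n' "$name" "$entry"
    else
        printf '%-24s not in DNSBL\n' "$name"
    fi
done
```

On a real pfSense box, point the second argument at /var/unbound/pfb_dnsbl.conf instead of the sample file. If the function reports a parent domain rather than the host you queried, that parent is the name to look for in the Reports tab and the one to whitelist, which is the situation the moderator describes for the TLD option.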

  • @BBcan177
    I have double-checked the TLD option but it is off. I have never used that option. See the attached screenshot for the grep command you asked for. I was doing some testing and changed the DNSBL VIP to 172.16.0.1. That didn't solve my problem.

    Screenshot: 2020-01-04 11_15_19-.png

