pfBlockerNG-devel not showing blocked DNS requests

vjizzle · Jan 3, 2020, 3:04 PM

Hi BBcan177!

Thanks for getting back to me. I am already using pfBlockerNG-devel :). I just did the update to version 2.2.5_28 for MaxMind GeoIP. On pfSense I am using VLAN's for IPTV but not for my LAN. My LAN is the also the only interface selected in the DNSBL configuration. So the dns name I am talking about is: webhook.logentries.com. It is not showing anything when I enter it in a browser. Also this build of pfSense is like a week old and nothing special has been done. Just a basic install and then added pfBlocker-NG package.

Another dns name I found to show the same behavior is ping.ui.com. It is blocked by pfBlocker-NG but it does not show up in the Alerts tab. I can find the lookup in the DNS Resolver logs but nothing being reported by pfBlocker-NG. I'm sure that I am doing something wrong or looking at the wrong place. I expect pfblocker-NG to be "honest" with me and show me exactly what DNS names are being sinkholed. At the moment it seems like for some reason it is not doing that. All help is appreciated guys!

-- Edit: added screenshot from pfsense shell

login-to-view

As you can see a ping solves the domain ping.ui.com to the DNSBL vip. But the entry is not logged in the dnsbl.log file on pfsense. Do I need to adjust logfile settings somewhere in pfsense?

BBcan177 · Jan 4, 2020, 2:32 AM

@vjizzle
Do you have the "TLD" option enabled (wildcard blocking)?

If so, then I would guess that the root domain of the two domains you posted are being blocked and those should be visible in your Reports tab.

If you click on the "+" icon to whitelist those domains, you will see instructions on how to best whitelist.

Try this command to see what domains are in the DNSBL database:

grep "logentries.com" /var/unbound/pfb_dnsbl.conf

vjizzle · Jan 4, 2020, 10:18 AM

@BBcan177
I have double checked for TLD but it is off. I have never used that option. See attached screenshot for the grep command you asked. I was doing some testing an changed the DNSBL VIP to 172.16.0.1. That didn't solve my problem.

login-to-view

vjizzle · Feb 24, 2020, 2:53 PM

Hi guys!

I have done some more testing and it seems like pfBlockerNG is only showing the HTTP and HTTPS blocked entries. When you do a ICMP (or other type besides http and https) lookup to a host which is blocked by pfBlockerNG it doesn't show up in the Alerts Tab. Any thoughts on this? I am struggling for some time now and I would really like to have pfBlockerNG running with pfsense and go for the all-in-one solution.

BBcan177 · Feb 24, 2020, 4:56 PM

There is no facility to log oher types of DNSBL blocked events at the moment. It will be possible with pfSense 2.4.5 and once the pfBlockerNG Unbound python integration is integrated.

vjizzle · Feb 24, 2020, 9:00 PM

Ok clear BBcan177. Do you have a timeline for when that version and the unbound option is going to be released?
If you need help in testing, I’m here.

vjizzle · Feb 25, 2020, 8:13 AM

@vjizzle said in pfBlockerNG-devel not showing blocked DNS requests:

Ok clear BBcan177. Do you have a timeline for when that version and the unbound option is going to be released?
If you need help in testing, I’m here.

Nevermind, I can see that there is no release date yet. Thanks BBcan. This topic can be closed I suppose.

vjizzle · Mar 30, 2020, 7:37 AM

@BBcan177 : the new version of pfSense is here with the python integration. Any word on the next pfBlockerNG release which will use that to show all allowed and blocked DNS requests? I'd be happy to help with testing.

SriG · Feb 5, 2021, 9:05 AM

@vjizzle I am facing the same issue, Is it possible to share the domains you have whitelisted to make Ikea gateway work? Thanks!

vjizzle · Feb 5, 2021, 10:03 AM

@srig Hi! The only domain I whitelisted for the Ikea gateway to work was webhook.logentries.com.
But now I got rid of the Ikea gateway. I hate it when a device will not work when you block all the telemetry and "phone-home" domains.