pfBlockerNG-devel not showing blocked DNS requests



  • Hi everyone and best wishes for 2020!

    I am facing the following problem. For the past few days I saw that an Ikea Tradfri gateway (for light control) was not responding. Resetting the gateway made it work for about an hour or so and then it went offline again. So I was wondering maybe pfBlockerNG is blocking something. I started eyeballing the Reports tab in pfBlockerNG, tried using the filter options but nothing showed up for the IP address the Ikea Tradfri gateway has. Strange thing was that when the gateway went offline I was able to ping it perfectly from my LAN and also from pfSense.

    So when I didn't see any hits on the pfBlocker Alert tab I tried a complete reset of the gateway. That was a pita because I had to add all my lights and automation again. Ok that is part of troubleshooting and you do what needs to be done.

    Still the same problem! After a while (an hour or so) the gateway went offline again but it responded perfectly to ping. So then I spun up an Ubuntu server with pihole (with the same DNSBL lists from pfBlockerNG) and pointed the Ikea Gateway to the pihole. Bingo! The pihole showed me immediately what DNS request was being blocked for the Ikea Tradfri gateway. Adding that to the whitelist and everything returned to normal. So now I knew what hostname was being blocked. I went back to pfBlockerNG and using DNS lookup I could see that that DNS request was being sinkholed to the pfBlockerNG IP. But still it didn't show up in the Alerts tab!

    How is this behavior possible? Or is it by design for pfBlocker? I can't believe that pihole showed me immediately what DNS request was blocked while in pfBlockerNG I spent hours and I still couldn't figure it out.


  • Moderator

    @vjizzle
    Are you using VLANs? If you put that domain in a browser directly, what does it show in the Alerts tab? Would also recommend using pfBlockerNG-devel.



  • Hi BBcan177!

    Thanks for getting back to me. I am already using pfBlockerNG-devel :). I just did the update to version 2.2.5_28 for MaxMind GeoIP. On pfSense I am using VLANs for IPTV but not for my LAN. My LAN is also the only interface selected in the DNSBL configuration. So the DNS name I am talking about is: webhook.logentries.com. It is not showing anything when I enter it in a browser. Also this build of pfSense is like a week old and nothing special has been done. Just a basic install and then added the pfBlocker-NG package.

    Another DNS name I found to show the same behavior is ping.ui.com. It is blocked by pfBlocker-NG but it does not show up in the Alerts tab. I can find the lookup in the DNS Resolver logs but nothing is being reported by pfBlocker-NG. I'm sure that I am doing something wrong or looking in the wrong place. I expect pfblocker-NG to be "honest" with me and show me exactly what DNS names are being sinkholed. At the moment it seems like for some reason it is not doing that. All help is appreciated guys!

    -- Edit: added screenshot from pfsense shell

    2020-01-03 16_00_30-Command Prompt.png

    As you can see, a ping resolves the domain ping.ui.com to the DNSBL VIP. But the entry is not logged in the dnsbl.log file on pfSense. Do I need to adjust logfile settings somewhere in pfSense?


  • Moderator

    @vjizzle
    Do you have the "TLD" option enabled (wildcard blocking)?

    If so, then I would guess that the root domains of the two domains you posted are being blocked and those should be visible in your Reports tab.

    If you click on the "+" icon to whitelist those domains, you will see instructions on how to best whitelist.

    Try this command to see what domains are in the DNSBL database:

    grep "logentries.com" /var/unbound/pfb_dnsbl.conf
    


  • @BBcan177
    I have double-checked for TLD but it is off. I have never used that option. See attached screenshot for the grep command you asked for. I was doing some testing and changed the DNSBL VIP to 172.16.0.1. That didn't solve my problem.

    2020-01-04 11_15_19-.png



  • Hi guys!

    I have done some more testing and it seems like pfBlockerNG is only showing the HTTP and HTTPS blocked entries. When you do an ICMP (or other type besides HTTP and HTTPS) lookup to a host which is blocked by pfBlockerNG it doesn't show up in the Alerts tab. Any thoughts on this? I have been struggling for some time now and I would really like to have pfBlockerNG running with pfSense and go for the all-in-one solution.


  • Moderator

    There is no facility to log other types of DNSBL blocked events at the moment. It will be possible with pfSense 2.4.5 and once the pfBlockerNG Unbound python integration is integrated.
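
Added example, not part of the thread and not pfBlockerNG code: since lookups that never reach the DNSBL VIP over HTTP/HTTPS are missing from the Alerts tab, they can be recovered by cross-referencing the resolver's query log against the names in /var/unbound/pfb_dnsbl.conf. The `local-data` and log line layouts, the sample IP addresses and the function names are assumptions constructed for this example, and it presumes the resolver is logging queries.

```sh
#!/bin/sh
# Added example (not pfBlockerNG code). Assumed layouts, both constructed below:
#   DNSBL conf line:   local-data: "<name> 60 IN A <DNSBL VIP>"
#   resolver log line: ... info: <client ip> <name>. <type> IN

# sinkholed_queries CONF LOG -> "count client name", most frequent first
sinkholed_queries() {
    awk '
        FILENAME == ARGV[1] {            # first file: collect sinkholed names
            if ($1 == "local-data:") {
                d = tolower($2); gsub(/"/, "", d); sub(/\.$/, "", d)
                blocked[d] = 1
            }
            next
        }
        {                                # second file: match logged queries
            for (i = 1; i < NF - 1; i++) if ($i == "info:") {
                q = tolower($(i + 2)); sub(/\.$/, "", q)
                if (q in blocked) hits[$(i + 1) " " q]++
                break
            }
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" "$2" | sort -k1,1nr -k2
}

# Runs the check on constructed sample data so the script works offline.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/dnsbl.conf" <<'EOF'
local-data: "webhook.logentries.com 60 IN A 10.10.10.1"
local-data: "ping.ui.com 60 IN A 10.10.10.1"
EOF
    cat > "$tmp/resolver.log" <<'EOF'
Jan  3 16:00:30 pfSense unbound: [41234:0] info: 192.168.1.50 ping.ui.com. A IN
Jan  3 16:00:31 pfSense unbound: [41234:0] info: 192.168.1.60 webhook.logentries.com. A IN
Jan  3 16:00:35 pfSense unbound: [41234:1] info: 192.168.1.60 webhook.logentries.com. AAAA IN
Jan  3 16:00:40 pfSense unbound: [41234:0] info: 192.168.1.50 www.example.org. A IN
EOF
    sinkholed_queries "$tmp/dnsbl.conf" "$tmp/resolver.log"
    rm -rf "$tmp"
}

demo
```

The match is on exact names only, so a domain covered by wildcard (TLD) blocking would need the comparison extended to parent domains.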



  • Ok clear BBcan177. Do you have a timeline for when that version and the unbound option is going to be released?
    If you need help in testing, I’m here.



  • @vjizzle said in pfBlockerNG-devel not showing blocked DNS requests:

    Ok clear BBcan177. Do you have a timeline for when that version and the unbound option is going to be released?
    If you need help in testing, I’m here.

    Nevermind, I can see that there is no release date yet. Thanks BBcan. This topic can be closed I suppose.



  • @BBcan177 : the new version of pfSense is here with the python integration. Any word on the next pfBlockerNG release which will use that to show all allowed and blocked DNS requests? I'd be happy to help with testing.

