Can't get DNSBL to work



  • Hi,

    Recently swapped out my hardware and decided to build from a fresh install rather than load in my old config. Had PFBlockerNG set up fine before and was working, can't seem to get it to work this time. My DNSBL is stuck showing as out of sync. I've tried stopping Unbound and running a force update but no joy.

    I think the culprit is SBL_ADS as I get "[ SBL_ADs ] Downloading update .. CF 522 Connection Timed Out" when trying to force update. In particular squidblocker seems to be the issue, I put this entry to OFF and reran the force update, but I still get the yellow exclamation mark for out of sync and Ads are not being blocked. I can't ping squidblacklist.

    Driving me slightly mad as was working perfectly before!



  • @SteelCityColt said in Can't get DNSBL to work:

    Hi,

    Recently swapped out my hardware and decided to build from a fresh install rather than load in my old config. Had PFBlockerNG set up fine before and was working, can't seem to get it to work this time. My DNSBL is stuck showing as out of sync. I've tried stopping Unbound and running a force update but no joy.

    I think the culprit is SBL_ADS as I get "[ SBL_ADs ] Downloading update .. CF 522 Connection Timed Out" when trying to force update. In particular squidblocker seems to be the issue, I put this entry to OFF and reran the force update, but I still get the yellow exclamation mark for out of sync and Ads are not being blocked. I can't ping squidblacklist.

    Driving me slightly mad as was working perfectly before!

    The SBL_ADS list is down. It has been for several days now. For the time being, just set it to OFF.

    Have you signed up for a Maxmind license and have you entered your license number in the correct location?

    If so, then run the following from a command prompt and it should sync up the DNSBL lists: "php /usr/local/www/pfblockerng/pfblockerng.php dc", copy and paste without the quotes.



  • Thanks for your reply.

    Yes, had a Maxmind license from before, regenerated and placed the key into the pfBlockerNG settings as before. I ran the suggested command from the command prompt but still no dice.

    Having removed SBL-ADS, this is now what I get when I run a force update:

    UPDATE PROCESS START [ 02/15/20 14:22:45 ]

    ===[ DNSBL Process ]================================================

    Loading DNSBL Statistics... completed
    Loading DNSBL Whitelist... completed

    [ EasyList ] exists.
    [ EasyPrivacy ] exists.
    [ Adaway ] exists.
    [ Cameleon ] exists.
    [ D_Me_ADs ] exists.
    [ D_Me_Tracking ] exists.
    [ hpHosts_ATS ] exists.
    [ Yoyo ] exists.
    [ Abuse_DOMBL ] exists.
    [ Abuse_URLBL ] exists.
    [ BBC_DC2 ] exists.
    [ SWC ] exists.
    [ D_Me_Malv ] exists.
    [ D_Me_Malw ] exists.
    [ ISC_SDH ] exists.
    [ MDS ] exists.
    [ MDS_Immortal ] exists.
    [ MDL ] exists.
    [ MVPS ] exists.
    [ Spam404 ] exists.
    [ SFS_Toxic_BD ] exists.
    [ AntiSocial_BD ] exists.
    Saving DNSBL database... completed

    ===[ GeoIP Process ]============================================

    ===[ IPv4 Process ]=================================================

    [ Abuse_Feodo_C2_v4 ] exists.
    [ Abuse_IPBL_v4 ] exists.
    [ Abuse_SSLBL_v4 ] exists.
    [ BBC_C2_v4 ] exists.
    [ CINS_army_v4 ] exists.
    [ ET_Block_v4 ] exists.
    [ ET_Comp_v4 ] exists.
    [ ISC_1000_30_v4 ] exists.
    [ ISC_Block_v4 ] exists.
    [ Spamhaus_Drop_v4 ] exists.
    [ Spamhaus_eDrop_v4 ] exists.
    [ Talos_BL_v4 ] exists.

    ===[ Aliastables / Rules ]==========================================

    No changes to Firewall rules, skipping Filter Reload
    No Changes to Aliases, Skipping pfctl Update

    UPDATE PROCESS ENDED



  • After a Force Update, I always run a Force Reload DNSBL or Force Reload ALL to make sure all changes are processed. 😉



  • Ah ha, when I do a force reload:

    Assembling DNSBL database... completed [ 02/16/20 08:17:20 ]
    Reloading Unbound Resolver..
    DNSBL enabled FAIL - restoring Unbound conf *** Fix error(s) and a Force Reload required! ***
    error: SSL handshake failed
    34391444536:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:.... Not completed. [ 02/16/20 08:17:21 ]

    *** DNSBL update [ 0 ] [ 171631 ] ... OUT OF SYNC ! ***



  • Solved it guys, did some googling on that SSL error and found another post here:

    In
    /var/unbound

    Delete
    dnsbl_cert.pem
    unbound_control.key
    unbound_control.pem
    unbound_server.key
    unbound_server.pem

    Reboot and run force update/reload.

    DNSBL now up and running. Thanks for the help in diagnosing guys.