Netgate Discussion Forum

oisd blocklist not working

  • R
    revengineer
    last edited by revengineer Apr 1, 2020, 9:59 PM Apr 1, 2020, 9:58 PM

    Hi,
    I am trying to use the oisd block list found here. pfBlockerNG seems to process this fine, but unbound will not start afterward. Can anyone advise why this is? I cannot post the full log, as it is too long. Below is the final snippet.

    Thank you.

    ===[ FINAL Processing ]=====================================

    [ Original IP count ] [ 51967 ]

    ===[ Deny List IP Counts ]===========================

    49753 total
    18492 /var/db/pfblockerng/deny/pfB_Top_v4.txt
    16387 /var/db/pfblockerng/deny/FireHOL3_IPs.txt
    6052 /var/db/pfblockerng/deny/pfB_Top_v6.txt
    5789 /var/db/pfblockerng/deny/BD_IPs.txt
    2245 /var/db/pfblockerng/deny/ET_Block_IPs.txt
    788 /var/db/pfblockerng/deny/ET_Comp_IPs.txt

    ===[ DNSBL Domain/IP Counts ] ===================================

    431133 total
    371953 /var/db/pfblockerng/dnsbl/oisd.txt
    24262 /var/db/pfblockerng/dnsbl/MDS.txt
    16794 /var/db/pfblockerng/dnsbl/EasyList.txt
    6097 /var/db/pfblockerng/dnsbl/Cameleon.txt
    5381 /var/db/pfblockerng/dnsbl/PhishTank.txt
    3265 /var/db/pfblockerng/dnsbl/Adaway.txt
    1752 /var/db/pfblockerng/dnsbl/yoyo.txt
    751 /var/db/pfblockerng/dnsbl/MDL.txt
    713 /var/db/pfblockerng/dnsbl/OpenPhish.txt
    92 /var/db/pfblockerng/dnsbl/PhishTank.ip
    49 /var/db/pfblockerng/dnsbl/EasyList.ip
    16 /var/db/pfblockerng/dnsbl/OpenPhish.ip
    8 /var/db/pfblockerng/dnsbl/DNSBL_TLD.txt

    ====================[ Last Updated List Summary ]==============

    Mar 31 00:30 ET_Block_IPs
    Mar 31 00:30 ET_Comp_IPs
    Apr 1 07:04 FireHOL3_IPs
    Apr 1 16:31 BD_IPs
    Apr 1 17:49 pfB_Top_v4
    Apr 1 17:49 pfB_Top_v6

    IPv4 alias tables IP count

    43858

    IPv6 alias tables IP count

    6052

    Alias table IP Counts

    49910 total
    18492 /var/db/aliastables/pfB_Top_v4.txt
    16387 /var/db/aliastables/pfB_FireHOL3.txt
    6052 /var/db/aliastables/pfB_Top_v6.txt
    5789 /var/db/aliastables/pfB_BinaryDefense.txt
    3033 /var/db/aliastables/pfB_EmergingThreatsDShield.txt
    157 /var/db/aliastables/pfB_DNSBLIP.txt

    pfSense Table Stats

    table-entries hard limit 2000000
    Table Usage Count 161305

    UPDATE PROCESS ENDED [ 04/01/20 17:49:17 ]

    • R
      RonpfS
      last edited by Apr 1, 2020, 10:33 PM

      Check the pfblockerng.log, system log, resolver log, and memory usage; maybe you hit the limit your system can handle going from 60000 DNSBL entries to 430000.

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • R
        revengineer
        last edited by Apr 2, 2020, 12:24 AM

        @RonpfS Thank you for the pointer. The problem seems to be that the oisd black list contains one domain for which I also have a local host override. The dual override seems to result in the failed loading of unbound. I would like to keep the local override because I have no control of future changes to the blacklist. Is there a workaround?

        • R
          RonpfS
          last edited by RonpfS Apr 2, 2020, 12:54 AM Apr 2, 2020, 12:52 AM

          Put that domain in the DNSBL Whitelist; you might also have to put it (or its parent domain) in the TLD Exclude list to get better control over whitelisting.

          • R
            revengineer
            last edited by revengineer Apr 2, 2020, 1:14 AM Apr 2, 2020, 1:14 AM

            @RonpfS Perfect, that worked! Adding the domain with subdomains (leading ".") was sufficient to fix the problem. It took me a while to figure it out because I did a "Force Update" which was insufficient. Once I did the "Force Reload" I was good to go. Thanks for the help!

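An added example, not part of any post in this thread and not pfBlockerNG code: a check for the conflict discussed above. It lists names defined both by a DNSBL feed and by local host overrides, then applies whitelist entries in the leading-"." (domain plus subdomains) form revengineer mentions. The sample data, the function names and the assumption that both inputs are Unbound `local-data:` lines are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread). Assumption: both inputs hold
# Unbound `local-data: "<name> ..."` lines; adjust the regex for other formats.
DNSBL_SAMPLE = '''\
local-data: "ads.example.net 60 IN A 10.10.10.1"
local-data: "nas.home.example 60 IN A 10.10.10.1"
local-data: "cdn.tracker.example 60 IN A 10.10.10.1"
'''
OVERRIDES_SAMPLE = '''\
local-data-ptr: "192.168.1.20 nas.home.example"
local-data: "nas.home.example A 192.168.1.20"
local-data: "printer.home.example A 192.168.1.30"
'''

# Matches forward records only; `local-data-ptr:` lines are skipped on purpose.
LOCAL_DATA = re.compile(r'^\s*local-data:\s*"([^\s"]+)')

def owner_names(conf_text):
    """Return the set of lower-cased owner names from local-data lines."""
    names = set()
    for line in conf_text.splitlines():
        m = LOCAL_DATA.match(line)
        if m:
            names.add(m.group(1).rstrip(".").lower())
    return names

def whitelisted(name, whitelist):
    """Leading "." covers the domain and its subdomains; otherwise exact match."""
    for entry in whitelist:
        entry = entry.strip().lower()
        if entry.startswith("."):
            base = entry[1:]
            if name == base or name.endswith("." + base):
                return True
        elif name == entry:
            return True
    return False

def conflicts(dnsbl_text, overrides_text, whitelist=()):
    """Names defined by both the DNSBL and local overrides, minus whitelisted ones."""
    both = owner_names(dnsbl_text) & owner_names(overrides_text)
    return sorted(n for n in both if not whitelisted(n, whitelist))

if __name__ == "__main__":
    print("before whitelist:", conflicts(DNSBL_SAMPLE, OVERRIDES_SAMPLE))
    print("after whitelist: ", conflicts(DNSBL_SAMPLE, OVERRIDES_SAMPLE, [".home.example"]))
```
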
            • R
              RonpfS
              last edited by Apr 2, 2020, 1:30 AM

              Yeah sometimes you save time by clicking on the 😉

              • B
                BBcan177 Moderator @revengineer
                last edited by Apr 2, 2020, 1:52 AM

                @revengineer
                There is a log snippet above that to show the processing of that feed and the restart of Unbound. Take a look at those two sections of the pfblockerng.log.

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/
