Netgate Discussion Forum

    DNSBL DNS Wizard configuration on pfSense broken?

    pfBlockerNG
    8 Posts 3 Posters 954 Views
    • C
      cayossarian
      last edited by cayossarian

      I just installed pfBlockerNG-devel (2.2.5_34) on pfSense 2.4.5 and could not get DNSBL to work (resolve "filtered" addresses to 10.10.10.1 instead of giving me the real IP). The logs don't show anything weird. In digging I noticed that the wizard put a configuration line in the DNS resolver configuration:

      server:include: /var/unbound/pfb_dnsbl.*conf

      This line does resolve to pfb_dnsbl.conf in the console but there's just that one file so why the wild card? Also I'm wondering if that file is getting resolved the way it's written in the configuration because...

      I looked in /var/unbound and found two files that are related to pfb_dnsbl and they are:

      1 - pfb_dnsbl.conf - filled with A references resolved to 10.10.10.1 (the pfBlockerNG-devel) Web Server IP

      2 - pfb_dnsbl_lighty.conf - the configuration file for the lighttpd server

      If I change the server:include to point to the pfb_dnsbl.conf by removing the wildcard "*", the terminal command for 'host -T A badserver example' seems to work (resolves bad addresses to 10.10.10.1)

      Is the wizard configuration not behaving as expected or am I not seeing something?

      Thanks in advance

      • S
        serbus
        last edited by serbus

        Hello!

        This line does resolve to pfb_dnsbl.conf in the console but there's just that one file so why the wild card?

        Depending on which options you have enabled on the Pfb -> DNSBL -> DNSBL SafeSearch options page, you may end up with additional pfb_dnsbl.*conf files, such as :

        pfb_dnsbl.firefoxdoh.conf
        pfb_dnsbl.safesearch.conf
        pfb_dnsbl.youtube_restrict.conf
        pfb_dnsbl.youtube_restrictmoderate.conf

        You can check to make sure that the hostname you feel should get "blocked" is actually in the list with something like :

        grep -i badhost /var/unbound/pfb_dnsbl.conf

        John

        Lex parsimoniae

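The checks John describes (which pfb_dnsbl.*conf files the include glob actually pulls in, and whether a given hostname is in the generated list) can be scripted. The following is an added example, not code from the thread or from pfBlockerNG itself. It assumes the generated files contain unbound `local-data:` lines of the form `"host TTL IN A 10.10.10.1"`; the sample files it creates in a temporary directory are constructed for illustration, so the script runs offline, and `UNBOUND_DIR` defaults to the real /var/unbound when you point it there.

```shell
#!/bin/sh
# Added example (not from the thread or pfBlockerNG): inspect the files that
# "server:include: /var/unbound/pfb_dnsbl.*conf" pulls in and check whether
# a hostname is sinkholed by them. Assumes local-data: "host TTL IN A ip" lines.

UNBOUND_DIR="${UNBOUND_DIR:-/var/unbound}"

# Print every file matched by the wildcard include, one per line.
# Returns 1 when no pfb_dnsbl.*conf file exists (glob left unexpanded).
dnsbl_includes() {
    _dir="$1"; _n=0
    for _f in "$_dir"/pfb_dnsbl.*conf; do
        [ -e "$_f" ] || continue
        printf '%s\n' "$_f"
        _n=$((_n + 1))
    done
    [ "$_n" -gt 0 ]
}

# Print the file(s) that list HOST (case-insensitive, fixed-string match on
# the opening quote plus the name plus a space, so "host" does not match
# "badhost"). Exit 0 if found anywhere, 1 otherwise.
dnsbl_has_host() {
    _host="$1"; _dir="$2"
    dnsbl_includes "$_dir" >/dev/null || return 1
    grep -ilF -- "\"$_host " "$_dir"/pfb_dnsbl.*conf
}

# Print the IPv4 address the DNSBL files map HOST to (empty if absent or if
# the entry is not an A record, e.g. a SafeSearch CNAME).
dnsbl_expected_ip() {
    _host="$1"; _dir="$2"
    grep -ihF -- "\"$_host " "$_dir"/pfb_dnsbl.*conf 2>/dev/null \
        | awk '$0 ~ / IN A / { gsub(/"/, "", $NF); print $NF; exit }'
}

# Live check against the resolver: compare what `host -t A` returns with the
# address the file says it should be. Needs the host(1) tool and a resolver.
dnsbl_check() {
    _host="$1"; _dir="$2"; _resolver="${3:-127.0.0.1}"
    _want="$(dnsbl_expected_ip "$_host" "$_dir")"
    [ -n "$_want" ] || { echo "$_host: not in DNSBL files"; return 1; }
    _got="$(host -t A "$_host" "$_resolver" 2>/dev/null \
        | awk '/has address/ { print $NF; exit }')"
    if [ "$_got" = "$_want" ]; then
        echo "$_host -> $_got (sinkholed as expected)"
    else
        echo "$_host -> ${_got:-no answer}, expected $_want"; return 1
    fi
}

# Constructed sample data standing in for /var/unbound so this runs offline.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/pfb_dnsbl.conf" <<'EOF'
local-data: "badhost.example 60 IN A 10.10.10.1"
local-data: "tracker.example 60 IN A 10.10.10.1"
EOF
cat > "$SAMPLE_DIR/pfb_dnsbl.safesearch.conf" <<'EOF'
local-data: "www.google.com 60 IN CNAME forcesafesearch.google.com"
EOF

echo "Files pulled in by the wildcard include:"
dnsbl_includes "$SAMPLE_DIR"
echo "badhost.example listed in: $(dnsbl_has_host badhost.example "$SAMPLE_DIR")"
echo "badhost.example should resolve to: $(dnsbl_expected_ip badhost.example "$SAMPLE_DIR")"
# Only attempt the live query when host(1) is available.
command -v host >/dev/null 2>&1 && dnsbl_check badhost.example "$SAMPLE_DIR" || :
```

On a real box, run it as `UNBOUND_DIR=/var/unbound sh dnsbl_check.sh` and call `dnsbl_check badhost.example /var/unbound 127.0.0.1`; a hostname that is present in the file but resolves to its real address points at the resolver not loading the include (or a later override), while a hostname that is absent from every file is a feed or update problem rather than a resolver one.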
        • C
          cayossarian @serbus
          last edited by

          @serbus Thanks, that explains the wildcard.

          I was indeed testing against a "blocked" domain obtained from the pfb_dnsbl.conf list so the fact that my system seemed to start working after changing that configuration line in the DNS resolver was purely coincidental. Something else is at play. Appreciate your input!

          Bill

          • S
            serbus
            last edited by serbus

            Hello!

            It could be that there was a hiccup during the update after the initial install/wizard. Pfb uses the Update process to download/update & assemble the dnsbl feeds into a usable file. Some of these parts can be found in /var/db/pfblockerng/dnsbl/ and /usr/local/pkg/pfblockerng/dnsbl_tld

            You can always manually run an update, or wait for cron, and View the results on the Update page to make sure everything is copacetic.

            John

            Lex parsimoniae

            • C
              cayossarian @serbus
              last edited by cayossarian

              @serbus yes, I did force updates but thanks again, every little bit of info helps. kind of a black box this bugger. I searched for the source but so far no joy.

              • S
                serbus
                last edited by

                Hello!

                I searched for the source but so far no joy.

                Some of the pfb heavy lifting can be found in :

                /usr/local/www/pfblockerng/pfblockerng.php
                /usr/local/pkg/pfblockerng/pfblockerng.inc

                John

                Lex parsimoniae

                • C
                  cayossarian @cayossarian
                  last edited by

                  EDIT: I finally figured out what was going on with pfBlockerNG-devel, and for other folks using OpenVPN that requires DNS forwarding in the resolver this may help you. There are many comments suggesting to avoid putting DNS servers in pfSense general setup; there needs to be a different method if you need these for OpenVPN cases. Since my DNS servers (in General) are required and the forwarding turned on in the resolver setup is also required, I needed to force all non-LAN bound DNS to the resolver as in:

                  https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

                  And then add a rule following this one to allow DNS to the LAN Gateway from within the LAN. Finally a further rule later to allow DNS outbound over the VPN Gateway Group (or VPN Gateway if you only have a single outbound VPN client). I should note that the DNS is set to go out on VPN client in the resolver configuration.

                  HTH,
                  Bill

                  • T
                    themagicm
                    last edited by

                    @cayossarian
                    Thanks! I was having the same issue. Things just weren't being resolved to the VIP. Ended up following your above post. Thanks!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.