DNSBL DNS Wiszard configuration on pfsense broken?



  • I just installed pfBlockerNG-devel (2.2.5_34) on pfSense 2.4.5 and could not get DNSBL to work (resolve "filtered" addresses to 10.10.10.1 instead of giving me the real IP). The logs don't show anything wierd. In digging I noticed that the wizard put a configuration line in the DNS resolver configuration:

    server:include: /var/unbound/pfb_dnsbl.*conf

    This line does resolve to pfb_dnsbl.conf in the console but there's just that one file so why the wild card? Also I'm wondering if that file is getting resolved the way it's written in the configuration because...

    I looked in /var/unbound and found two files that are related to pfb_dnsbl and they are:

    1 - pfb_dnsbl.conf - filled with A references resolved to 10.10.10.1 (the pfBlockerNG-devel) Web Server IP

    2 - pfb_dnsbl_lighty.conf - the configuration file for the lighttpd server

    If I change the server:include to point to the pfb_dnsbl.conf by removing the wildcard "*", the terminal command for 'host -T A badserver example' seems to work (resolves bad addresses to 10.10.10.1)

    Is the wizard configuration not behaving as expected or am I not seeing something?

    Thanks in advance



  • Hello!

    This line does resolve to pfb_dnsbl.conf in the console but there's just that one file so why the wild card?

    Depending on which options you have enabled on the Pfb -> DNSBL -> DNSBL SafeSearch options page, you may end up with additional pfb_dnsbl.*conf files, such as :

    pfb_dnsbl.firefoxdoh.conf
    pfb_dnsbl.safesearch.conf
    pfb_dnsbl.youtube_restrict.conf
    pfb_dnsbl.youtube_restrictmoderate.conf

    You can check to make sure that the hostname you feel should get "blocked" is actually in the list with something like :

    grep -i badhost /var/unbound/pfb_dnsbl.conf

    John



  • @serbus Thanks, that explains the wildcard.

    I was indeed testing against a "blocked" domain obtained from the pfb_dnsbl.conf list so the fact that my system seemed to start working after changing that configuration line in the DNS resolver was purely coincidental. Something else is at play. Appreciate your input!

    Bill



  • Hello!

    It could be that there was a hiccup during the update after the initial install/wizard. Pfb uses the Update process to download/update & assemble the dnsbl feeds into a usable file. Some of these parts can be found in /var/db/pfblockerng/dnsbl/ and /usr/local/pkg/pfblockerng/dnsbl_tld

    You can always manually run an update, or wait for cron, and View the results on the Update page to make sure everything is copacetic.

    John



  • @serbus yes, I did force updates but thanks again, every little bit of info helps. kind of a black box this bugger. I searched for the source but so far no joy.



  • Hello!

    I searched for the source but so far no joy.

    Some of the pfb heavy lifting can be found in :

    /usr/local/www/pfblockerng/pfblockerng.php
    /usr/local/pkg/pfblockerng/pfblockerng.inc

    John



  • EDIT: I finally figured out what was going on with pfBlockerNG-devel and for other folks using OpenVPN that requires DNS forwarding in the resolver this may help you. There are many comments suggesting to aovid putting DNS servers in pfSense general setup there needs to be a different method if you need these for OpenVPN cases. Since my DNS servers (in General) are required and the forwarding turned on in the resolver setup is also required I needed to force all non-LAN bound DNS to the resolver as in:

    https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

    And then add a rule following this one to allow DNS to the LAN Gateway from within the LAN. Finally a further rule later to allow DNS outbound over the VPN Gateway Group (or VPN Gateway if you only have a single outbound VPN client). I should note that the DNS is set to go out on VPN client in the resolver configuration.

    HTH,
    Bill


Log in to reply