DNSBL not creating firewall rules
I am using pfBlockerNG-devel 3.0.0_15 and pfSense 2.5.0-Release.
Firewall rules are created for IPv4, but are not created for DNSBL. So nothing in DNSBL is blocked.
I have pfBlockerNG and DNSBL both enabled.
I have tried using "Unbound" and "Unbound python mode"
VIP is 10.10.10.1, internal network is 192.168...
I have tried enabling and disabling "Permit Firewall Rules" with "LAN" selected
I have tried "Global Logging/Blocking Mode" set as both "DNSBL WebServer/VIP" and "No Global mode"
I have tried with "Resolver Cache" enabled and disabled.
I have tried with "DNSBL IPs" as "disabled" and "Deny Both"
DNSBL groups have the default lists (e.g., EasyList, etc.).
The lists are enabled and set to Unbound.
Yes, I have done "force reload" for "all" many times. And the lists are downloaded and updated.
DNS Forwarder is disabled and DNS Resolver is enabled to port 53
"Network Interfaces" is set to LAN, LAN IPv6 Link-Local, and Localhost
"Outgoing Network Interfaces" is set to WAN, WAN IPv6 Link-Local
"DNSSEC" is enabled
I have tried with both "Python Module" enabled and disabled.
DNS Query Forwarding is disabled
Use SSL/TLS is disabled
DHCP Registration is disabled.
Static DHCP is disabled.
The widget shows that packets are seen for DNSBL, but nothing is blocked because the firewall doesn't have any rules for them.
Websites that should be blocked do show up in the Reports->Alerts tab.
Because I was desperate, I even reinstalled pfSense from scratch. And I still can't get it working.
Can anyone help me identify what I am missing/failing to do?
@fredmcfly DNSBL Configuration
Permit Firewall Rules enable
Yes, I did that already.
Quote: "I have tried enabling and disabling "Permit Firewall Rules" with "LAN" selected"
@fredmcfly Uninstall the pfBlockerNG package and then reinstall it, configure as described in the two guides. A guide is in Italian but with screenshots and easy to understand.
I have tried to use these, but only part of it applies because I am using pfBlockerNG-devel 3.0.0_15 and the instructions at those websites use pfBlockerNG 2.x Release. So a lot of the options are no longer in version 3.0.0_15.
Yes, I reinstalled pfBlockerNG several times as well, in fact I even reinstalled pfSense from scratch.
I even removed version 3.0 (Keep settings was not checked) and installed 2.1.4_25 and I still cannot block websites.
@fredmcfly DNSBL doesn't need any firewall rules, it is blocked in DNS.
That makes sense. Didn't think about that. But then why aren't websites blocked?
@bob-dig But I can still access the websites.
@fredmcfly Give an example with screenshot. It is working here.
Edit: Maybe your Browser is not using the pfSense DNS but something different, maybe even DoH.
So only some of the websites are being logged. But ones that aren't blocked are not logged.
@bob-dig I agree that it is normal to have a log for a website that is blocked.
So any ideas why a website that is listed in the block list, fails to be blocked?
I have added rules to block DNS requests to the outside following this recipe.
Basically it blocks all outside DNS requests but allows requests to the local DNS Resolver.
@fredmcfly For example, you probably can't block DoH like this, so you have to check your browser settings.
Also post some screenshots what you have done and what is not working as expected.
Here are my DNSBL settings:
My blacklist feed settings:
When I do a force update, the feeds are downloaded and updated. Including my blacklist.
===[ DNSBL Domain/IP Counts ] ===================================
1221752 total
704572 /var/db/pfblockerng/dnsbl/Shallalist_porn.txt
150125 /var/db/pfblockerng/dnsbl/Maltrail_BD.txt
122595 /var/db/pfblockerng/dnsbl/C19_CTC.txt
97559 /var/db/pfblockerng/dnsbl/Shallalist_porn_v4.ip
29312 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
28363 /var/db/pfblockerng/dnsbl/Shallalist_redirector.txt
14523 /var/db/pfblockerng/dnsbl/Shallalist_gamble.txt
14273 /var/db/pfblockerng/dnsbl/SWC.txt
10633 /var/db/pfblockerng/dnsbl/EasyList.txt
8449 /var/db/pfblockerng/dnsbl/Adaway.txt
6999 /var/db/pfblockerng/dnsbl/Spam404.txt
6827 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
6612 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn_v4.ip
6435 /var/db/pfblockerng/dnsbl/MVPS.txt
3034 /var/db/pfblockerng/dnsbl/Shallalist_dating.txt
2507 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
1985 /var/db/pfblockerng/dnsbl/Krisk_C19.txt
1951 /var/db/pfblockerng/dnsbl/Shallalist_models.txt
1464 /var/db/pfblockerng/dnsbl/Yoyo.txt
1180 /var/db/pfblockerng/dnsbl/Shallalist_redirector_v4.ip
1146 /var/db/pfblockerng/dnsbl/Shallalist_sex_lingerie.txt
482 /var/db/pfblockerng/dnsbl/myblacklist.txt
390 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn.txt
158 /var/db/pfblockerng/dnsbl/Shallalist_sex_education.txt
98 /var/db/pfblockerng/dnsbl/Juniper_v4.ip
42 /var/db/pfblockerng/dnsbl/Shallalist_gamble_v4.ip
23 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
6 /var/db/pfblockerng/dnsbl/Juniper.txt
5 /var/db/pfblockerng/dnsbl/myblacklist_v4.ip
2 /var/db/pfblockerng/dnsbl/EasyList_v4.ip
1 /var/db/pfblockerng/dnsbl/Shallalist_models_v4.ip
If I look at myblacklist_v4.txt I find the following lines as expected:
local-data: "redd.it 60 IN A 10.10.10.1"
local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
local-data: "reddit.com 60 IN A 10.10.10.1"
local-data: "reddup.co 60 IN A 10.10.10.1"
But if I enter reddit.com in my browser, I can still access it and click on links. So the website is not cached in the browser and it is not blocked.
pfSense says my DNS servers are as follows:
Any other information that may be helpful?
Here are my Firewall rules to block DNS request to ports 53 and 853, and to force DNS request to local:
DNS Resolver Settings:
So I did some experimenting and some websites in my list are indeed blocked, but other websites are not blocked even though they are listed in the file
I'm not sure why this is happening.
I added reddit.com to the DNSBL Custom_List of malicious and it worked, after pfBlocker ran the usual update.
Also I didn't need any firewall rules for that, because it is all DNS based.
Edit: I tried your list, problem seems to be that reddit.com is blocked, but not www.reddit.com.
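The "reddit.com is blocked, but not www.reddit.com" observation above matches how Unbound treats a bare `local-data:` record: it answers only the exact owner name, and other names under that zone fall through to normal recursion. The script below is an added example (not code from the thread or from pfBlockerNG) that parses lines in the same shape as the DNSBL file quoted earlier and reports, for a hostname, whether it would be sinkholed, whether only a parent name is listed, or whether it is absent. The sample data and the function names are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same format as the pfBlockerNG DNSBL file quoted in the thread:
# one local-data record per name, pointing the name at the DNSBL VIP 10.10.10.1.
SAMPLE_LOCAL_DATA = '''
local-data: "redd.it 60 IN A 10.10.10.1"
local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
local-data: "reddit.com 60 IN A 10.10.10.1"
local-data: "reddup.co 60 IN A 10.10.10.1"
'''

# Matches: local-data: "<name> <ttl> IN A <ipv4>"
LOCAL_DATA_RE = re.compile(r'^local-data:\s*"([^"\s]+)\s+(\d+)\s+IN\s+A\s+([0-9.]+)"\s*$')


def parse_local_data(text: str) -> Dict[str, str]:
    """Return {owner_name: sinkhole_ip} for every well-formed local-data line."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCAL_DATA_RE.match(line)
        if not m:
            continue  # comment or a record type this example does not model
        name, _ttl, ip = m.groups()
        entries[name.rstrip('.').lower()] = ip
    return entries


def parent_names(hostname: str) -> List[str]:
    """Suffixes of hostname from the name itself up to the TLD:
    www.reddit.com -> ['www.reddit.com', 'reddit.com', 'com']."""
    labels = hostname.rstrip('.').lower().split('.')
    return ['.'.join(labels[i:]) for i in range(len(labels))]


def diagnose(hostname: str, entries: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Mimic Unbound's handling of a bare local-data record (exact owner name only).

    Returns one of:
      ('sinkholed', name)                    exact name is listed
      ('not_sinkholed_parent_listed', name)  only a parent (e.g. reddit.com) is listed,
                                             so this subdomain still resolves normally
      ('not_listed', None)                   nothing in the list covers it
    """
    names = parent_names(hostname)
    if names[0] in entries:
        return ('sinkholed', names[0])
    for parent in names[1:]:
        if parent in entries:
            return ('not_sinkholed_parent_listed', parent)
    return ('not_listed', None)


if __name__ == '__main__':
    table = parse_local_data(SAMPLE_LOCAL_DATA)
    for host in ('reddit.com', 'www.reddit.com', 'old.reddit.com', 'example.org'):
        print(host, '->', diagnose(host, table))
```

To use it against a real install, feed the contents of the DNSBL file (as shown under /var/db/pfblockerng/dnsbl/ in the counts output above) into `parse_local_data` instead of the constructed sample. A hostname that comes back as `not_sinkholed_parent_listed` is the case reported in this thread: the entry exists, but only for the apex name. In plain Unbound terms, covering every name below an apex requires a `local-zone: "<name>" redirect` declaration together with the `local-data` record for the zone name; a bare `local-data` record alone does not do that.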
I temporarily disabled my feed and added reddit.com and www.reddit.com to the DNSBL Custom_List, and the website (and others) are still not blocked. (Yes, I did a force update all.)
I have tried on different computers on the network and they can still access it.
I have also tried on three different browsers.
I am really confused why some sites are blocked while others are not.