Netgate Discussion Forum

DNSBL not creating firewall rules

pfBlockerNG
pfblockerng dnsbl firewall rules
    FredMcfly
    last edited by Mar 21, 2021, 12:47 AM

    I am using pfBlockerNG-devel 3.0.0_15, and pfsense 2.5.0-Release.

    Firewall rules are created for IPv4, but are not created for DNSBL. So nothing in DNSBL is blocked.

    I have pfBlockerNG and DNSBL both enabled.
    I have tried using "Unbound" and "Unbound python mode"
    VIP is 10.10.10.1, internal network is 192.168...
    I have tried enabling and disabling "Permit Firewall Rules" with "LAN" selected

    I have tried "Global Logging/Blocking Mode" set as both "DNSBL WebServer/VIP" and "No Global mode"

    I have tried with "Resolver Cache" enabled and disabled.
    I have tried with "DNSBL IPs" as "disabled" and "Deny Both"

    DNSBL groups have the default lists (e.g., EasyList, etc.)
    The lists are enabled and set to Unbound.

    Yes, I have done "force reload" for "all" many times. And the lists are downloaded and updated.

    DNS Forwarder is disabled and DNS Resolver is enabled on port 53
    "Network Interfaces" is set to LAN, LAN IPv6 Link-Local, and Localhost
    "Outgoing Network Interfaces" is set to WAN, WAN IPv6 Link-Local
    "DNSSEC" is enabled
    I have tried with both "Python Module" enabled and disabled.
    DNS Query Forwarding is disabled
    Use SSL/TLS is disabled
    DHCP Registration is disabled.
    Static DHCP is disabled.

    The widget shows that packets are seen for DNSBL, but nothing is blocked because the firewall doesn't have any rules for them.

    [screenshot of the pfBlockerNG widget]

    Websites that should be blocked do show up in the Reports->Alerts tab.

    Because I was desperate, I even reinstalled pfSense from scratch. And I still can't get it working.

    Can anyone help me identify what I am missing/failing to do?

      A Former User @FredMcfly
      last edited by Mar 21, 2021, 1:07 AM

      @fredmcfly DNSBL Configuration
      Permit Firewall Rules enable

        FredMcfly @A Former User
        last edited by Mar 21, 2021, 1:55 AM

        @antonio-briguglio
        Yes, I did that already.

        Quote: "I have tried enabling and disabling "Permit Firewall Rules" with "LAN" selected"

          A Former User @FredMcfly
          last edited by Mar 21, 2021, 2:34 AM

          @fredmcfly Uninstall the pfBlockerNG package and then reinstall it.

            A Former User @FredMcfly
            last edited by Mar 21, 2021, 2:40 AM

            @fredmcfly https://www.tecmint.com/install-configure-pfblockerng-dns-black-listing-in-pfsense/

              A Former User @A Former User
              last edited by Mar 21, 2021, 2:54 AM

              @antonio-briguglio
              https://www.firewallhardware.it/pfblockng-filtraggio-domini-e-url/
              Configure as described in the two guides. One guide is in Italian, but it has screenshots and is easy to understand.

                FredMcfly @A Former User
                last edited by Mar 21, 2021, 3:00 AM

                @antonio-briguglio
                I have tried to use these, but only part of it applies because I am using pfBlockerNG-devel 3.0.0_15 and the instructions at those websites use pfBlockerNG 2.x Release. So a lot of the options are no longer in version 3.0.0_15.

                  FredMcfly @A Former User
                  last edited by FredMcfly Mar 21, 2021, 3:03 AM Mar 21, 2021, 3:03 AM

                  @antonio-briguglio
                  Yes, I reinstalled pfBlockerNG several times as well; in fact I even reinstalled pfSense from scratch.

                    FredMcfly @FredMcfly
                    last edited by Mar 21, 2021, 3:30 AM

                    I even removed version 3.0 (Keep settings was not checked) and installed 2.1.4_25 and I still cannot block websites.

                      Bob.Dig LAYER 8 @FredMcfly
                      last edited by Mar 21, 2021, 9:44 AM

                      @fredmcfly DNSBL doesn't need any firewall rules, it is blocked in DNS.

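The point Bob.Dig makes above is the mechanism behind DNSBL: the block is an answer substitution inside the resolver, not a packet filter. The following Python model is an added illustration for this thread, not pfBlockerNG or unbound code. It parses `local-data:` lines in the form FredMcfly posts later in the thread (the VIP 10.10.10.1 is from the thread; the sample lines are constructed in that shape) and models unbound's documented behaviour for the transparent local-zone such entries imply, which is an assumption about unbound semantics on my part: an exact name-and-type match is answered from local data, a listed name queried for another type gets an empty NOERROR answer, and anything else is resolved normally upstream. The parser and the `resolve()` function are mine.

```python
"""Model of DNSBL blocking as an answer substitution in the resolver.

Added illustration; not pfBlockerNG or unbound code. Assumes unbound's
transparent local-zone semantics for local-data entries:
  exact (name, type) match  -> local answer (the DNSBL VIP);
  listed name, other type   -> empty NOERROR answer;
  anything else             -> resolved normally upstream."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the thread's myblacklist output.
SAMPLE_LOCAL_DATA = '''
local-data: "redd.it 60 IN A 10.10.10.1"
local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
local-data: "reddit.com 60 IN A 10.10.10.1"
local-data: "reddup.co 60 IN A 10.10.10.1"
'''

LOCAL_DATA_RE = re.compile(
    r'^local-data:\s*"(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+'
    r'(?P<type>[A-Z]+)\s+(?P<rdata>\S+)"\s*$'
)

Record = Tuple[str, int, str, str]  # (owner, ttl, rrtype, rdata)


def parse_local_data(text: str) -> Dict[Tuple[str, str], Record]:
    """Map (owner name, rrtype) -> record for every local-data line.

    Owner names are lower-cased and stripped of a trailing dot so that
    lookups are case- and dot-insensitive, as DNS names are."""
    table: Dict[Tuple[str, str], Record] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCAL_DATA_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised local-data line: {line!r}")
        name = m.group("name").lower().rstrip(".")
        rtype = m.group("type")
        table[(name, rtype)] = (name, int(m.group("ttl")), rtype, m.group("rdata"))
    return table


def resolve(table: Dict[Tuple[str, str], Record], qname: str,
            qtype: str = "A") -> Optional[List[Record]]:
    """What the resolver answers for (qname, qtype):
    [record]  exact match: the sinkhole answer (the VIP) goes to the client;
    []        the name is listed but not for this type (NOERROR, no data);
    None      local data has no opinion; the query is resolved upstream."""
    name = qname.lower().rstrip(".")
    hit = table.get((name, qtype))
    if hit is not None:
        return [hit]
    if any(owner == name for owner, _ in table):
        return []
    return None


if __name__ == "__main__":
    table = parse_local_data(SAMPLE_LOCAL_DATA)
    for q in ("reddit.com", "REDDIT.COM.", "www.reddit.com", "example.org"):
        print(q, "->", resolve(table, q))
```

Run stand-alone it shows reddit.com answered with 10.10.10.1, the same answer for the upper-case, dot-terminated form, and no local answer for names that are not listed. Nothing in this path touches pf: a client that sends its queries anywhere other than this resolver (a hard-coded public resolver, or DoH in the browser) gets the real address, which is exactly the situation the rest of the thread turns to.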
                        FredMcfly @Bob.Dig
                        last edited by Mar 21, 2021, 1:11 PM

                        @bob-dig
                        That makes sense. Didn't think about that. But then why aren't websites blocked?

                          Bob.Dig LAYER 8 @FredMcfly
                          last edited by Mar 21, 2021, 1:14 PM

                          @fredmcfly said in DNSBL not creating firewall rules:

                          Websites that should be blocked do show up in the Reports->Alerts tab.

                          That is like it should be.

                            FredMcfly @Bob.Dig
                            last edited by Mar 21, 2021, 1:18 PM

                            @bob-dig But I can still access the websites.

                              Bob.Dig LAYER 8 @FredMcfly
                              last edited by Bob.Dig Mar 21, 2021, 1:32 PM Mar 21, 2021, 1:21 PM

                              @fredmcfly Give an example with screenshot. It is working here.
                              Edit: Maybe your browser is not using the pfSense DNS but something different, maybe even DoH.

                                FredMcfly @Bob.Dig
                                last edited by Mar 21, 2021, 7:00 PM

                                @bob-dig
                                So only some of the websites are being logged. But ones that aren't blocked are not logged.

                                  Bob.Dig LAYER 8 @FredMcfly
                                  last edited by Bob.Dig Mar 21, 2021, 7:06 PM Mar 21, 2021, 7:04 PM

                                  @fredmcfly said in DNSBL not creating firewall rules:

                                  But ones that aren't blocked are not logged.

                                  Which is again normal.

                                    FredMcfly @Bob.Dig
                                    last edited by Mar 21, 2021, 7:13 PM

                                    @bob-dig I agree that it is normal to have a log for a website that is blocked.

                                    So any ideas why a website that is listed in the block list, fails to be blocked?

                                    I have added rules to block DNS requests to the outside following this recipe.

                                    Basically it blocks all outside DNS requests but allows requests to the local DNS Resolver.

                                      Bob.Dig LAYER 8 @FredMcfly
                                      last edited by Mar 21, 2021, 7:16 PM

                                      @fredmcfly For example, you probably can't block DoH like this, so you have to check your browser settings.
                                      Also post some screenshots what you have done and what is not working as expected.

                                        FredMcfly @Bob.Dig
                                        last edited by FredMcfly Mar 21, 2021, 7:43 PM Mar 21, 2021, 7:40 PM

                                        @bob-dig
                                        OK, I checked the browser and it is not using DoH, see figure below or click on this link:

                                        [screenshot of the browser DNS settings]

                                        Here are my DNSBL settings:
                                        [screenshots of the DNSBL settings pages]

                                        DNSBL Feeds
                                        [screenshot of the DNSBL feeds]

                                        My blacklist feed settings:
                                        [screenshots of the blacklist feed settings]

                                        When I do a force update, the feeds are downloaded and updated. Including my blacklist.

                                        ===[ DNSBL Domain/IP Counts ] ===================================
                                        
                                         1221752 total
                                          704572 /var/db/pfblockerng/dnsbl/Shallalist_porn.txt
                                          150125 /var/db/pfblockerng/dnsbl/Maltrail_BD.txt
                                          122595 /var/db/pfblockerng/dnsbl/C19_CTC.txt
                                           97559 /var/db/pfblockerng/dnsbl/Shallalist_porn_v4.ip
                                           29312 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
                                           28363 /var/db/pfblockerng/dnsbl/Shallalist_redirector.txt
                                           14523 /var/db/pfblockerng/dnsbl/Shallalist_gamble.txt
                                           14273 /var/db/pfblockerng/dnsbl/SWC.txt
                                           10633 /var/db/pfblockerng/dnsbl/EasyList.txt
                                            8449 /var/db/pfblockerng/dnsbl/Adaway.txt
                                            6999 /var/db/pfblockerng/dnsbl/Spam404.txt
                                            6827 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
                                            6612 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn_v4.ip
                                            6435 /var/db/pfblockerng/dnsbl/MVPS.txt
                                            3034 /var/db/pfblockerng/dnsbl/Shallalist_dating.txt
                                            2507 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
                                            1985 /var/db/pfblockerng/dnsbl/Krisk_C19.txt
                                            1951 /var/db/pfblockerng/dnsbl/Shallalist_models.txt
                                            1464 /var/db/pfblockerng/dnsbl/Yoyo.txt
                                            1180 /var/db/pfblockerng/dnsbl/Shallalist_redirector_v4.ip
                                            1146 /var/db/pfblockerng/dnsbl/Shallalist_sex_lingerie.txt
                                             482 /var/db/pfblockerng/dnsbl/myblacklist.txt
                                             390 /var/db/pfblockerng/dnsbl/Shallalist_anonvpn.txt
                                             158 /var/db/pfblockerng/dnsbl/Shallalist_sex_education.txt
                                              98 /var/db/pfblockerng/dnsbl/Juniper_v4.ip
                                              42 /var/db/pfblockerng/dnsbl/Shallalist_gamble_v4.ip
                                              23 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
                                               6 /var/db/pfblockerng/dnsbl/Juniper.txt
                                               5 /var/db/pfblockerng/dnsbl/myblacklist_v4.ip
                                               2 /var/db/pfblockerng/dnsbl/EasyList_v4.ip
                                               1 /var/db/pfblockerng/dnsbl/Shallalist_models_v4.ip
                                        

                                        If I look at myblacklist_v4.txt I find the following lines as expected:

                                        local-data: "redd.it 60 IN A 10.10.10.1"
                                        local-data: "reddit-com.poiu.icu 60 IN A 10.10.10.1"
                                        local-data: "reddit.com 60 IN A 10.10.10.1"
                                        local-data: "reddup.co 60 IN A 10.10.10.1"
                                        

                                        But if I enter reddit.com in my browser, I can still access it and click on links. So the website is not cached in the browser and it is not blocked.

                                        pfSense says my DNS servers are as follows:
                                        [screenshot of the pfSense DNS server list]

                                        Any other information that may be helpful?

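The post above has the sinkhole entry in place (reddit.com 60 IN A 10.10.10.1) yet the browser still reaches the site, so the open question is which answer the client actually receives. The script below is an added diagnostic for this thread, not pfBlockerNG's own tooling. It sends a plain UDP DNS query for an A record straight to a resolver address you give it (the pfSense LAN address is a placeholder; the thread only shows "192.168...") and compares that with what the operating system resolver returns for the same name. If pfSense answers with the DNSBL VIP but the system answer is the real address, the client is not using pfSense for DNS (hard-coded resolver, DoH in the browser, a stale cache), which matches the symptom here. The packet builder, parser and `verdict()` function are mine; the only library calls are the standard `socket` and `struct` modules.

```python
"""Which answer does this client get for a DNSBL-listed name?

Added diagnostic, not pfBlockerNG code. Queries a named resolver over
UDP/53 with a hand-built A query, parses the answer, and compares it with
the OS resolver's answer for the same name."""
import random
import socket
import struct
from typing import List, Tuple


def build_query(qname: str, txid: int) -> bytes:
    """Standard recursive A/IN query, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes, txid: int) -> List[str]:
    """Return the A addresses in the answer section; raise on error rcode."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"resolver returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                                # skip the question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_a(qname: str, resolver: str, timeout: float = 2.0) -> List[str]:
    """Ask one specific resolver (bypassing the OS stub resolver)."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def system_a(qname: str) -> List[str]:
    """What the OS resolver (whatever the client is configured to use) says."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(qname, None, socket.AF_INET)})


def verdict(pf_answer: List[str], sys_answer: List[str], vip: str) -> str:
    """'not sinkholed': pfSense itself returns the real address (feed/reload issue);
    'sinkholed': the client gets the VIP, so the site should not load;
    'bypass': pfSense sinkholes the name but the client resolves it elsewhere."""
    if vip not in pf_answer:
        return "not sinkholed"
    if set(sys_answer) == {vip}:
        return "sinkholed"
    return "bypass"


if __name__ == "__main__":
    import sys
    # Example: python3 dnsbl_check.py 192.168.1.1 reddit.com 10.10.10.1
    # (the LAN address is a placeholder; 10.10.10.1 is the VIP from the thread)
    resolver, name, vip = sys.argv[1:4]
    pf, sy = query_a(name, resolver), system_a(name)
    print("pfSense resolver:", pf, "| system resolver:", sy, "|", verdict(pf, sy, vip))
```

Run it from the client that can still reach the site, not from the firewall. A "bypass" result points at the client's DNS path rather than at pfBlockerNG, and it is the case a port-53/853 block cannot catch when the browser uses DoH over 443, as Bob.Dig notes.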
                                          FredMcfly @FredMcfly
                                          last edited by Mar 21, 2021, 7:50 PM

                                          Here are my firewall rules to block DNS requests to ports 53 and 853, and to force DNS requests to the local resolver:
                                          [screenshot of the firewall rules]

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.