pfBlockerNG in an Active Directory environment
-
I think I'm doing something wrong. IPv4 blocking works great (we don't use IPv6 for anything), but DNSBL blocking doesn't work.
We have a local Active Directory domain controlled by two DNS servers, which are behind pfSense. All devices use those servers for DNS. I've configured pfSense with those servers and set DNS Resolution Behavior to "Use local DNS, fall back to remote DNS servers" in System/General Setup.
I've enabled DNS Resolver, and set the LAN interface as the listener, and set the Outgoing Network Interfaces to "All".
pfBlockerNG-devel/DNSBL is set to Unbound mode, and resolver live sync, and the VIP type is IP Alias.
I had thought that pfBlockerNG makes its own DNS queries and then blocks access based on IPv4 addresses obtained from DNS resolution, but I'm wondering if that's correct.
The Active Directory servers do not query pfSense for DNS resolution. They query internet-based DNS servers directly, but I have the feeling that is why I can access FQDNs in any DNSBL list from any workstation. Am I correct, or am I missing something else?
pfSense is running on a powerful machine, so I could probably use it for all outside DNS queries if I have to. Is that what I must do?
I'll be grateful for any help.
-
@eveningstarnm said in pfBlockerNG in an Active Directory environment:
The Active Directory servers do not query pfSense for DNS resolution. They query internet-based DNS servers directly, but I have the feeling that is why I can access FQDNs in any DNSBL list from any workstation. Am I correct
That is correct. Set the pfSense as the forwarder in both AD DNS servers and (I'd suggest) uncheck the option in them to use root servers if the forwarder is unavailable. Otherwise they will bypass pfBlocker and look domains up directly.
pfSense will cache queries anyway, as will AD DNS, so the load shouldn't be all that high.
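The forwarder change steveits describes, written out as an added PowerShell example (not code from the thread or from Netgate): it points each AD DNS server at pfSense, turns off the root-hint fallback so a pfSense outage fails closed instead of bypassing pfBlockerNG, and then checks that a DNSBL-listed name is sinkholed. The pfSense address, DC names and the test domain are constructed placeholders.

```powershell
# Added example; addresses and names are assumptions, replace them for your site.
$PfSenseResolver    = '192.168.50.1'        # pfSense LAN address running Unbound
$DomainControllers  = @('DC01', 'DC02')     # AD DNS servers (must be reachable by name)
$KnownBlockedName   = 'blocked.example'     # a name you know is on an enabled DNSBL feed

foreach ($dc in $DomainControllers) {
    # Replace any existing forwarders with pfSense only. UseRootHint $false is the
    # "do not use root hints if no forwarders are available" checkbox in the DNS console.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $PfSenseResolver -UseRootHint $false

    # Print the resulting forwarder settings so the change can be reviewed.
    Get-DnsServerForwarder -ComputerName $dc |
        Select-Object @{ n = 'DC'; e = { $dc } }, IPAddress, UseRootHint, Timeout
}

# Confirm pfSense answers as a forwarder at all before trusting the path.
Test-DnsServer -IPAddress $PfSenseResolver -Context Forwarder

# Verification: each DC must hand back the DNSBL VIP for the blocked name, not the
# domain's real address. If a DC returns a public IP, it is still resolving on its own.
foreach ($dc in $DomainControllers) {
    $answer = Resolve-DnsName -Name $KnownBlockedName -Server $dc -Type A -ErrorAction SilentlyContinue
    if ($null -eq $answer) {
        Write-Warning "$dc returned no answer for $KnownBlockedName (check the forwarder)"
    } else {
        $ips = ($answer | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ', '
        Write-Output "$dc -> $KnownBlockedName = $ips  (expect the pfBlockerNG DNSBL VIP)"
    }
}
```

Run it from a domain-joined admin session with the DnsServer module installed (RSAT); the same check from a workstation, pointed at the DCs, tells you whether clients are actually on the filtered path.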
-
@steveits Thank you. I've configured pfSense as the outbound DNS resolver for the LAN. LAN devices are still configured to resolve through the Active Directory domain controllers, and only the domain controllers can request DNS resolutions from pfSense.
That also required configuring zone overrides, certificates, and a bunch of other stuff. In particular, I had to ensure that resolutions of names on the local domain were directed to the AD domain controllers -- and ONLY to the AD domain controllers. We were using pfSense only as a filter and not to provide any services (such as DNS resolution) directly to LAN devices, but it's working.
-
@eveningstarnm I too am running an AD domain (at home, not a business) and making sure that clients go to the AD DNS only can be a pain, with both Firefox and Chrome now able to do DOT and DOH (DNS over TLS and DNS over HTTPS) directly, bypassing what is set via DHCP as the DNS servers. If you have several networks/VLANs, you can easily block port 53 and 853 (or not open them if using allow-only-port rules as I have). Port 443 is another beast, can't block that. There are several threads here about using the public DNS pfBlocker lists to block public DNS servers by IP and DNS so that non domain aware stuff (phones, Kindles...) can't do their own DNS despite what you set in DHCP. I added the Firefox and Chrome ADMXs into Active Directory, and used Group Policy to turn off DOT and DOH in those browsers for the domain-aware hosts. All the work you do in pfBlocker means nothing if Firefox uses its own DNS. I also had to add a NAT port redirect for my IOT VLAN, that grabs all port 53 that is NOT going to my DNS server alias, and directs it on 53 to my server alias. I wish it was a simple affair but all the IOT I have around here just does its own thing with DNS otherwise.
-
@tzvia Yeah, it is definitely /not/ easy to get pfSense and AD to play nice together. We just decided to put all of our IoT stuff on a separate physical network. The HVAC systems all have failsafes, and if something goes wrong with the cameras, we call the police. Besides, our files are more important to us.
But it would help if there was better control in Unbound over what servers it uses for resolution requests on different domains or networks.
-
@eveningstarnm said in pfBlockerNG in an Active Directory environment:
better control in Unbound over what servers it uses for resolution requests on different domains or networks
Are you looking for something different than a domain override pointing to the local DNS server? Or trying to use that only for certain networks? (which I don't see how to do at least in the GUI)
-
@steveits Not different, but better. For instance, when I request a reverse lookup for an IP address that is reached on the LAN interface, the request gets sent to DNS servers specified in System\General, and it fails. But if I specify my local AD DNS Servers in System\General in order to accommodate local reverse lookups (which Domain Overrides don't map), I create a loop.
Some traffic is not being routed properly.
-
@eveningstarnm said in pfBlockerNG in an Active Directory environment:
reverse lookup
I don't know that I've done it but one of the examples on the domain overrides section text is "1.168.192.in-addr.arpa"...does that not work?
-
For things like "ping -a 192.168.50.124" I just needed to have the reverse zone properly setup in DNS (Server 2016), and a DOMAIN OVERRIDE in DNS RESOLVER/GENERAL for 50.168.192.in-addr.arpa, pointing to a DC. I also put a domain override for the domain name pointing to the FSMO. I have no DNS servers specified on the SYSTEM/GENERAL tab.
-
@tzvia Thank you! I should have thought about adding in-addr.arpa to domain overrides. I added one for each 24-bit subnet, and that did the job.
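For reference, this is what the Domain Overrides described in the last few posts come out to in Unbound terms, as an added example that is not from the thread: one forward-zone for the AD domain and one per /24 reverse zone, all pointed only at the domain controllers. The domain name and addresses are constructed; the DC addresses are assumed to be 192.168.50.10 and 192.168.50.11. pfSense's Domain Override entries express the same thing through the GUI.

```text
# Forward zone for the AD domain: every name under it goes ONLY to the DCs,
# never to the outside resolvers or root servers.
forward-zone:
    name: "ad.example.internal"
    forward-addr: 192.168.50.10
    forward-addr: 192.168.50.11

# One override per 24-bit subnet so PTR lookups for LAN addresses reach the DCs.
# Each DC must hold the matching reverse lookup zone, as noted above.
forward-zone:
    name: "50.168.192.in-addr.arpa"
    forward-addr: 192.168.50.10
    forward-addr: 192.168.50.11

forward-zone:
    name: "60.168.192.in-addr.arpa"
    forward-addr: 192.168.50.10
    forward-addr: 192.168.50.11

# Caveat (assumption about your setup): with DNS Rebinding Protection enabled,
# Unbound drops RFC1918 answers unless the zone is declared private, so the
# AD domain needs this too, otherwise hosts in the domain resolve to nothing.
private-domain: "ad.example.internal"
```

Leave the DNS servers in System/General empty, as tzvia does: if the DCs are listed there while they forward to pfSense, each side hands unanswered queries to the other and you get the loop described earlier.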