Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?
-
@johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
Hmm? Not sure if you can.. @BBcan177 be the man to know for sure - and also have the ability to allow feature to turn off resolution in the logs?
Thanks for the suggestion! looks like turning off logging for the lists in IPv4, IPv6, and GeoIP has resolved this. Now I dont see those scanner domains I was seeing before.
These blocks would still show up in pfsense firewall logs right? Although not with the name of the list any more? I noticed now I see a rule number where I used to see the name of the list.
Also, is there a best practice for GeoIP filtering for a home user as myself? I previously had to deny inbound only from all countries then changed it to deny both for certain because of the dns queries made to china for example (although this didnt stop those).
-
@johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
Hmm? Not sure if you can.. @BBcan177 be the man to know for sure - and also have the ability to allow feature to turn off resolution in the logs?
actually, after turning off the logging of the lists, my firewall logs are no longer being updated anymore :/
-
@code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
after turning off the logging of the lists, my firewall logs are no longer being updated anymore :/
Which rules - pfblocker created rules? Then no they wouldn't because that rule was set to not log. I have rules that don't log as well.
But not logging something that resolves has nothing to do with what is in the alias.. They would still be blocked by the rule where that alias is used if that rule is set to log. But the normal firewall log does not resolve unless you click the little resolve button while viewing the log.. Those reports your showing in pfblocker for deny or permit are not really the firewall log..
is there a best practice for GeoIP filtering for a home user as myself?
What are you wanting to do.. Do you have port forwards? To be honest I wouldn't block based on geoip ever outbound. How do you know there is never going to be site in say china or ru that you want to visit? Do you know where your site you want to go to is hosted? Could be anywhere on the planet..
The only use I personally see for geoip in home - is what you allow to your port forwards. Out of the box everything is blocked anyway. If I allow something - if you don't want to allow the planet, then limit the list to what you want to allow, and not worry about deny.. If not allowed - then its denied by default anyway.
Example - I have zero users outside of US for my plex, so in my forward I only allow US - well not exactly true I do allow my monitor IPs, they could be global - never know so its best to get the IPs they are going to use and add them to your allow list. And I recently added Morocco to my allow - since one of my users is in Casablanca teaching for a couple of years.
Allow what you want, vs trying to deny all the "possible" bad is normally better - unless you have a "known" list of bad.. Which is rarely going to be a whole geo based anything.. Can you say that RU is "all" bad - or china is "all" bad? I sure can't.. Maybe for what your doing it is? But your list is prob going to be smaller if you just "allow" what you want vs trying to block every country you think "could" be bad.
-
@johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
They would still be blocked by the rule where that alias is used if that rule is set to log. But the normal firewall log does not resolve unless you click the little resolve button while viewing the log.. Those reports your showing in pfblocker for deny or permit are not really the firewall log..
Okay now I understand. I was used to seeing them also show up there as well. In this case is there a reason to have pfBlocker block inbound traffic, and let pfsense "Default deny rule" take care of it? Do the default deny rules take precendence over pfBlockers floating deny rules?
I had previously turned off logging of "default deny rules".
@johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
@code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
after turning off the logging of the lists, my firewall logs are no longer being updated anymore :/
Which rules - pfblocker created rules? Then no they wouldn't because that rule was set to not log. I have rules that don't log as well.
But not logging something that resolves has nothing to do with what is in the alias.. They would still be blocked by the rule where that alias is used if that rule is set to log. But the normal firewall log does not resolve unless you click the little resolve button while viewing the log.. Those reports your showing in pfblocker for deny or permit are not really the firewall log..
is there a best practice for GeoIP filtering for a home user as myself?
What are you wanting to do.. Do you have port forwards? To be honest I wouldn't block based on geoip ever outbound. How do you know there is never going to be site in say china or ru that you want to visit? Do you know where your site you want to go to is hosted? Could be anywhere on the planet..
The only use I personally see for geoip in home - is what you allow to your port forwards. Out of the box everything is blocked anyway. If I allow something - if you don't want to allow the planet, then limit the list to what you want to allow, and not worry about deny.. If not allowed - then its denied by default anyway.
Example - I have zero users outside of US for my plex, so in my forward I only allow US - well not exactly true I do allow my monitor IPs, they could be global - never know so its best to get the IPs they are going to use and add them to your allow list. And I recently added Morocco to my allow - since one of my users is in Casablanca teaching for a couple of years.
Allow what you want, vs trying to deny all the "possible" bad is normally better - unless you have a "known" list of bad.. Which is rarely going to be a whole geo based anything.. Can you say that RU is "all" bad - or china is "all" bad? I sure can't.. Maybe for what your doing it is? But your list is prob going to be smaller if you just "allow" what you want vs trying to block every country you think "could" be bad.
Makes complete sense. Honestly I have no port forwards set at all at the moment. I do plan on starting homelab to learn more like setting up kubernetes server on bare metal, learn more about networking, setup a plex server, etc, but even then I dont see my self exposing any public facing services.
-
@code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
In this case is there a reason to have pfBlocker block inbound traffic
Not really - not if you don't have any port forwards. Out of the box all unsolicited inbound traffic is denied anyway..
Until such times you create a port forward, or allow something to hit your wan with a rule - like ssh or vpn, or ping.. Unless you create a rule that would allow something.. There is zero reason to create any specific block rules.. Unless for example you were not logging the default deny - and you wanted to log specific stuff.
I had previously turned off logging of "default deny rules".
If that is the case - and there is "something" you want to log.. Then yeah you can create specific rules on the wan to log those "somethings" you want to see..
edit: as example... I have turned off default deny logging. And only log these specific rules on my wan
So I log stuff that would hit my plex, vpn and 443 (have some stuff forwarded to https site I host for requesting stuff on my plex). But like ping I allow but do not log, same with ntp services I provide to ntp pool. My son's network talks to my unifi controller, and my pihole - no real reason to log these allows. It could only ever be his IP per the source IP alias.
Then I log tcp SYN only.. if anything else like a broadcast or a Ack, etc. its not logged - only something send a syn is logged. The little gear icon means I have edited advanced stuff on the rule (only syn in my case). And then I log some common UDP ports that would be of interest to me if seeing traffic on those ports..
-
@johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
Not really - not if you don't have any port forwards. Out of the box all unsolicited inbound traffic is denied anyway..
Unless for example you were not logging the default deny - and you wanted to log specific stuff.
Got it, as long as everything is blocked, does it make sense to have it log both pfBlocker denies, as well as the "Default deny rules"?
Then yeah you can create specific rules on the wan to log those "somethings" you want to see..
In the end I think this is what I would like, hopefully its doable:
Essentially I am more concerned about logging any unsolicited outbound connections to malicious IPs found in the block lists. As I saw, having unbound resolve denies, makes a lot of noise in my dns reply logs. Is this something that is possible to do? Dont log inbound, but log outbound with pfBlockerNG
-
@code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
but log outbound with pfBlockerNG
Yeah just create a rule with what you want to log on outbound..
-
@johnpoz said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
Yeah just create a rule with what you want to log on outbound..
Understood.
One last question regarding the DNSBL webserver.
Is my understanding correct that these are rejected domains because they are on a dns block list? Currently, I keep seeing only this and the incoming.telemetry.mozilla org domains (I use Firefox) Unsure about the launchdarkly one though.
Lastly, I just want to say THANK YOU to you and everyone who chimed in on this. Definitely learned a lot about how unbound works, and has put my mind at ease. Looking forward to learning more about pfsense :)
-
@code4food23 said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
Is my understanding correct that these are rejected domains because they are on a dns block list?
Ask it !
grep -R 'launchdarkly' /var/db/pfblockerng/*
I found :
/var/db/pfblockerng/dnsbl/StevenBlack_ADs.txt:,events.launchdarkly.com,,0,StevenBlack_ADs,DNSBL_ADs_Basic /var/db/pfblockerng/dnsbl/StevenBlack_ADs.txt:,mobile.launchdarkly.com,,0,StevenBlack_ADs,DNSBL_ADs_Basic /var/db/pfblockerng/dnsblalias/DNSBL_ADs_Basic:,events.launchdarkly.com,,0,StevenBlack_ADs,DNSBL_ADs_Basic /var/db/pfblockerng/dnsblalias/DNSBL_ADs_Basic:,mobile.launchdarkly.com,,0,StevenBlack_ADs,DNSBL_ADs_Basic /var/db/pfblockerng/dnsblorig/OISD.orig:mobile.launchdarkly.com /var/db/pfblockerng/dnsblorig/StevenBlack_ADs.orig:# [launchdarkly.com] /var/db/pfblockerng/dnsblorig/StevenBlack_ADs.orig:0.0.0.0 events.launchdarkly.com /var/db/pfblockerng/dnsblorig/StevenBlack_ADs.orig:0.0.0.0 mobile.launchdarkly.com /var/db/pfblockerng/top-1m.csv:44380,launchdarkly.com
So I tend to to say : definitely yes.
Btw : Having unbound return "10.10.10.1", the (VIP) IP, the pfBlockerNG web server that will try to tell you that the domain is blocked ,is close to completely useless. The oage won't show, the browser shows a generic 'https error' , surely not the build in pfBlockerNG "can't visit that domain" page.
This would have work in the past.
If it was a web browser request, then your browser won't accept this redirect.
If the origin was some API call to a remote server, it will just fail, probably retry, and burn useless cycles. Give a more definite "0.0.0.0" so it knows the answer is "No". -
@gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:
Ask it !
Wow seriously thank you once more! Learned something new once again.
Btw : Having unbound return "10.10.10.1", the (VIP) IP, the pfBlockerNG web server that will try to tell you that the domain is blocked ,is close to completely useless.
Thanks again. I was unsure about it, so I left it as the default. Your explanation definitely cleared that up.