pfBlockerNG is blocking DNS
-
I'm running 22.05. All the machines on my LAN use the pfSense software (on netgate 3100 boxes) for DNS
I updated to the latest pfBlockerNG-devel 3.1.0_4 and now DNS no longer works. I had to (temporarily, I hope) set my machines to use external DNS servers directly.
I'm using pfBlocker "out of the box" --- I didn't configure or change any settings, just installed and ran it.
If I disable pfBlocker, DNS requests work again just fine.
Any idea how I should fix this?
Thanks in advance
-
@dhjdhj said in pfBlockerNG is blocking DNS:
I'm using pfBlocker "out of the box" --- I didn't configure or change any settings, just installed and ran it.
pfBlockerNG-devel, out of the box, does nothing.
That is: it doesn't load any firewall rules with lists of IPs to be blocked, no DNSBL,
-
@gertjan
OK - let me try again --- as I said earlier, I updated to the latest pfBlockerNG. I was running an older version with the previous version of pfSense and everything was working just fine, DNS included.
I simply installed the latest package --- I changed nothing myself explicitly. That said, the installer itself said something about updating firewall rules but I don't know if it did anything, I didn't see anything different.
All that said, the above was really just background information. With pfBlocker installed, if I enabled it, the regular DNS forwarder doesn't work, the machines on my LAN can't resolve names (though they can reach actual external sites via IP addresses).
If I disable pfBlocker, then DNS works fine.
So my question stands --- what part/setting/config aspect of pfBlocker would stop the DNS process on my pfSense box from working properly.
Thanks in advance.
-
Well,
What are your settings ?
Firewall rules ?
Is unbound running ? What mode ?
Etc.
-
@gertjan
Thanks again for responding, I do appreciate it. That said, I would prefer to approach this issue a little more methodically as opposed to just looking randomly through lots of rules and hundreds of settings, etc.
So some observations and consequential questions
- The previous version of pfBlocker was not blocking DNS requests
- You pointed out that installing an update doesn't change anything (no firewall rules, etc) Therefore:
- If the above are both true, then it's pointless looking at firewall rules (hence my desire to be methodical)
That said, I did observe that when one enables pfBlocker, the following rule does show up in the LAN section.
I don't see anything in that rule that actually does anything at all, so I assume it's something special that pfBlocker uses somehow --- so clearly whatever is blocking DNS is happening inside pfBlocker. Is there something specifically that I should be looking for in the configuration of pfBlocker, remembering that I didn't change ANYTHING there between the previous version and the upgrade.
Thanks
-
@dhjdhj That rule hasn't even been evaluated (see the 0/0), so it's not blocking anything.
pfBlocker doesn't take over DNS, it just loads stuff into unbound to block it. Sure, it can create firewall rules if you enable that - like the rule you're showing.
You mentioned forwarder - were you using the forwarder before (dnsmasq) and not the resolver (unbound)? For pfBlocker to function, unbound needs to be used.
Is unbound even running? Maybe that is the problem.
If you do a DNS query directly to pfSense via your favourite tool (nslookup, dig, host, etc.), do you get an answer, does it time out, do you get back SERVFAIL, or NXDOMAIN? etc.
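As an added example (not part of the thread, and not pfSense or pfBlockerNG code): the last reply asks what the resolver on the pfSense box actually returns when queried directly, because each outcome points somewhere different. The script below wraps `dig` so the answer is classified into one word, and exercises the classifier on constructed `dig` output samples so it can be run offline. The LAN address `192.168.1.1` in the comment is an assumption; substitute the pfSense box's own address.

```bash
#!/bin/sh
# Added example, not from the original thread. Classifies the outcome of a DNS
# query sent straight at the pfSense resolver, as the last reply suggests.

# classify_dig_output: read dig's text output on stdin, print one status word.
# The order matters: a timeout produces no HEADER line at all, so test it first.
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*) echo TIMEOUT ;;   # nothing answered on 53
        *"status: NOERROR"*)             echo NOERROR ;;   # resolver answered
        *"status: SERVFAIL"*)            echo SERVFAIL ;;  # resolver up, lookup failed
        *"status: NXDOMAIN"*)            echo NXDOMAIN ;;  # name does not exist (or is sinkholed)
        *"status: REFUSED"*)             echo REFUSED ;;   # resolver declined the query
        *)                               echo UNKNOWN ;;
    esac
}

# probe_resolver SERVER NAME: query the given resolver (e.g. the pfSense LAN
# address, assumed here to be 192.168.1.1) and classify the result.
# Needs dig on the client; not used by the offline checks below.
probe_resolver() {
    server=$1
    name=$2
    dig @"$server" "$name" A +time=2 +tries=1 2>&1 | classify_dig_output
}

# Constructed sample dig outputs (not captured from a real pfSense box), using
# TEST-NET addresses, so the classifier can be exercised without a network.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; ANSWER SECTION:
example.com.            3600    IN      A       192.0.2.10'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002'
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1003'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# One function per sample so each outcome can be checked on its own.
check_ok()       { printf '%s\n' "$SAMPLE_OK"       | classify_dig_output; }
check_servfail() { printf '%s\n' "$SAMPLE_SERVFAIL" | classify_dig_output; }
check_nx()       { printf '%s\n' "$SAMPLE_NX"       | classify_dig_output; }
check_timeout()  { printf '%s\n' "$SAMPLE_TIMEOUT"  | classify_dig_output; }

# Live usage from a LAN client (uncomment; requires dig and network access):
# probe_resolver 192.168.1.1 example.com
```

Reading the result: TIMEOUT means nothing on the pfSense box answered on port 53, which fits the "is unbound even running" question, or a LAN rule dropping the query before it reaches the resolver. SERVFAIL means unbound is listening but could not complete the lookup, so the problem is inside the resolver's configuration rather than the firewall. NOERROR with an answer means the resolver itself works and the clients' breakage lies elsewhere.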