Netgate Discussion Forum

pfBlockerNG-devel Not Blocking Malvertizing on LAN

54 Posts 7 Posters 3.5k Views
  • O
    OpIT GmbH
    last edited by Nov 18, 2022, 10:16 AM

    Did you also add a Port Forward rule to force all DNS (port 53) traffic to pfSense?

    • G
      Gertjan @SteveITS
      last edited by Nov 18, 2022, 11:32 AM

      @steveits said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

      If you just run "nslookup" it runs the program and acts

      Add to that, when you run nslookup without parameters, it shows the DNS 'source' to be used.
      And it will wait with its own command line '>' so you can enter (example) knmi.nl.

      C:\Users\gwkro>nslookup
      Serveur par défaut :   pfSense.local.net
      Address:  192.168.1.1
      
      >
      

      So, for me, 192.168.1.1 is where every LAN device 'should' (could) address itself for DNS requests.
      192.168.1.1 is of course my pfSense.

      Type

      help
      

      or

      set all
      

      to see more info.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • N
        newUser2pfSense @Gertjan
        last edited by newUser2pfSense Nov 18, 2022, 7:56 PM Nov 18, 2022, 7:54 PM

        I'd like to start by saying that I'm NO network guru, so please allow a little Grace for the following -

        With an nslookup with no options, I get the following:
        nslookup - no result.png

        With an nslookup for the google, I get the following:
        nslookup google.com.png

        With an nslookup for pfSense.local.net, I get the following:
        nslookup pfsense local.png

        I'm not sure if this means anything to anyone. Not sure why I got a 52. address which is nowhere near what my WAN IP address is.

        • N
          newUser2pfSense @newUser2pfSense
          last edited by Nov 22, 2022, 1:44 PM

          Now it seems like no matter what settings I choose in Firefox, what my WLAN iPhone does not display in emails, my LAN desktop does.

          • G
            Gertjan @newUser2pfSense
            last edited by Nov 22, 2022, 1:56 PM

            @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

            With an nslookup for pfSense.local.net, I get the following:

            Image

            I'm not sure if this means anything to anyone. Not sure why I got a 52. address which is nowhere near what my WAN IP address is.

            Euh ..... pfSense.local.net was an example.
            You should use your pfsense host name, and the network.

            pfSense.local.net points to 52.128.23.153, that's ok.

            • N
              newUser2pfSense @Gertjan
              last edited by Nov 22, 2022, 2:12 PM

              @gertjan Ok. Tried with my pfSense host name and received the following:

              Server: 127.0.0.53
              Address: 127.0.0.53#53

              Non-authoritative answer:
              Address: 192.168.1.1

              • S
                SteveITS Galactic Empire @newUser2pfSense
                last edited by Nov 22, 2022, 3:29 PM

                @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                127.0.0.53

                What is this IP? Usually anything 127.x.x.x is "localhost" or "myself" indicating your computer is asking itself. Especially if 192.168.1.1 is your pfSense LAN IP. Double check what DNS servers are configured on your computer, and only set 192.168.1.1.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                • G
                  Gertjan @SteveITS
                  last edited by Gertjan Nov 22, 2022, 3:53 PM Nov 22, 2022, 3:51 PM

                  @steveits said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                  What is this IP?

                  Dono.

                  It said : non-authoritative answer: so not pfSense.

                  @newUser2pfSense You should know on what system you are running the nslookup command (right ?) :

                  [22.05-RELEASE][admin@pfSense.whatever.net]/root: nslookup
                  > pfsense
                  Server:         127.0.0.1
                  Address:        127.0.0.1#53
                  
                  Name:   pfsense.whatever.net
                  Address: 192.168.1.1
                  Name:   pfsense.whatever.net
                  Address: 2001:470:dead:beef:2::1
                  

                  • N
                    newUser2pfSense @Gertjan
                    last edited by Nov 22, 2022, 4:08 PM

                    @SteveITS I have always set 192.168.1.1 for all of my LAN computers DNS servers. I use Cloudflare DNS servers in pfSense.
                    pfSense DNS Servers Settings.png

                    @gertjan I do know which computer, and its LAN IP address, that I'm using to run the nslookup command.

                    • S
                      SteveITS Galactic Empire @newUser2pfSense
                      last edited by Nov 22, 2022, 4:18 PM

                      @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                      I have always set 192.168.1.1 for all of my LAN computers DNS servers

                      nslookup (and therefore your PC) doesn't seem to be using that...? Try giving it a specific server:

                      nslookup google.com 192.168.1.1

                      • N
                        newUser2pfSense @SteveITS
                        last edited by Nov 22, 2022, 4:22 PM

                        @steveits Here is the output to nslookup google.com 192.168.1.1

                        nslookup google.com 192.168.1.1
                        Server: 192.168.1.1
                        Address: 192.168.1.1#53

                        Non-authoritative answer:
                        Name: google.com
                        Address: 172.253.122.138
                        Name: google.com
                        Address: 172.253.122.102
                        Name: google.com
                        Address: 172.253.122.139
                        Name: google.com
                        Address: 172.253.122.101
                        Name: google.com
                        Address: 172.253.122.113
                        Name: google.com
                        Address: 172.253.122.100
                        Name: google.com
                        Address: 2607:f8b0:4004:c1b::8b
                        Name: google.com
                        Address: 2607:f8b0:4004:c1b::8a
                        Name: google.com
                        Address: 2607:f8b0:4004:c1b::71
                        Name: google.com
                        Address: 2607:f8b0:4004:c1b::65

                        • S
                          SteveITS Galactic Empire @newUser2pfSense
                          last edited by Nov 22, 2022, 4:26 PM

                          @newuser2pfsense OK. And if you try a hostname you think should be blocked what do you get?

                          So far what we seem to have established is your test computer is using 127.0.0.53 for its DNS not the pfSense. Perhaps some sort of VPN or security software? Whatever it is, it is likely not using the pfSense DNS Resolver and hence you are not seeing sites be blocked.

                          • N
                            newUser2pfSense @SteveITS
                            last edited by Nov 22, 2022, 4:30 PM

                            @steveits pfBlockerNG-devel & Suricata are the only security packages I use on my pfSense box. I do not have any VPN software packages installed or configured in pfSense at present.

                            I'm not sure what you might mean by trying a hostname that I think should be blocked. Could you please provide an example and I'll give it a go?

                            • S
                              SteveITS Galactic Empire @newUser2pfSense
                              last edited by Nov 22, 2022, 4:34 PM

                              @newuser2pfsense I meant, on your PC. Something is getting the PC to use 127.0.0.53. I'm only guessing as to what it is.

                              re: blocked, your subject line was "pfBlockerNG-devel Not Blocking..." and you referenced email images...can you find a URL for one of those?

                              • B
                                bingo600 @SteveITS
                                last edited by bingo600 Nov 22, 2022, 6:06 PM Nov 22, 2022, 6:00 PM

                                @steveits said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                Server: 127.0.0.53
                                What is this IP? Usually anything 127.x.x.x is "localhost" or "myself" indicating your computer is asking itself.

                                Linux systemd "DNS Resolver daemon"
                                It usually forwards to the "Real DNS received via DHCP", but it "annoyingly" caches "unresolved" names too.

                                I.e. if you have a "local DNS server", and try to ping server3, and get unresolvable .... You then remember that you forgot to enter server3's A record in your DNS server, and do that now.

                                When you now ping server3 on "whatever" it resolves, except on the machine you pinged it from before making the A record .. It still uses the "cached unresolvable" 👎 - You have to restart the DNS Daemon or flush the cache.

                                Or when hit enough times ... Kick that DNS daemon to He.. , and use settings from "good ole" resolv.conf

                                /Bingo

                                If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                pfSense+ 23.05.1 (ZFS)

                                QOTOM-Q355G4 Quad Lan.
                                CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                                • N
                                  newUser2pfSense @SteveITS
                                  last edited by newUser2pfSense Nov 22, 2022, 6:05 PM Nov 22, 2022, 6:05 PM

                                  @steveits For pfBlockerNG-devel, with my iPhone on my WLAN, many email images get blocked which is what pfBlockerNG-devel is designed to do when you choose the feeds you wish to use (I'm sure you already know this so please forgive me). I have pfBlockerNG-devel set for all of my interfaces, so with my desktop on my LAN, no email images get blocked which is not the way it's supposed to work. I can compare side-by-side emails displayed using my iPhone on my WLAN and my desktop on my LAN and they do not appear to be the same. My desktop LAN computer shows everything and my iPhone WLAN removes images (pictures).

                                  I wonder if there is a setting in pfBlockerNG-devel that's causing this? Just a thought.

                                  • G
                                    Gertjan @newUser2pfSense
                                    last edited by Gertjan Nov 23, 2022, 9:01 AM Nov 23, 2022, 8:59 AM

                                    @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                    My desktop LAN computer shows everything and my iPhone WLAN removes images (pictures).
                                    I wonder if there is a setting in pfBlockerNG-devel that's causing this?

                                    What is the DNS your PC uses ?
                                    On your PC, Windows I presume, what is the output of

                                    ipconfig /all
                                    

                                    ?
                                    If your PC is using 1.1.1.1 or 8.8.8.8 or whoever, it will bypass the pfSense DNS, so it will bypass pfblockerng-devel.

                                    Typically, your Windows PC should show :

                                    Carte Ethernet Ethernet :
                                    
                                    Suffixe DNS propre à la connexion. . . : my-network.net
                                       Description. . . . . . . . . . . . . . : Intel(R) Ethernet Connection (11) I219-LM
                                       Adresse physique . . . . . . . . . . . : A4-BB-6D-BB-A6-A1
                                       DHCP activé. . . . . . . . . . . . . . : Oui
                                       Configuration automatique activée. . . : Oui
                                       Adresse IPv6. . . . . . . . . . . . . .: 2001:470:1f13:dead:2::c7(préféré)
                                       Bail obtenu. . . . . . . . . . . . . . : mercredi 23 novembre 2022 08:26:39
                                       Bail expirant. . . . . . . . . . . . . : mercredi 23 novembre 2022 11:41:39
                                       Adresse IPv6 de liaison locale. . . . .: fe80::daa9:bcf8:99cd:717e%9(préféré)
                                       Adresse IPv4. . . . . . . . . . . . . .: 192.168.1.6(préféré)
                                       Masque de sous-réseau. . . . . . . . . : 255.255.255.0
                                       Bail obtenu. . . . . . . . . . . . . . : mardi 22 novembre 2022 14:45:44
                                       Bail expirant. . . . . . . . . . . . . : jeudi 24 novembre 2022 08:26:38
                                       Passerelle par défaut. . . . . . . . . : fe80::92ec:77ff:fe29:392c%9
                                                                           192.168.1.1
                                       Serveur DHCP . . . . . . . . . . . . . : 192.168.1.1
                                       IAID DHCPv6 . . . . . . . . . . . : 346340205
                                       DUID de client DHCPv6. . . . . . . . : 00-01-00-01-26-59-DF-8D-BB-BB-6D-BA-16-A1
                                       Serveurs DNS. . .  . . . . . . . . . . : 192.168.1.1
                                                                           2001:470:dead:5c0:2::1
                                       NetBIOS sur Tcpip. . . . . . . . . . . : Activé
                                    

                                    Sorry, french, but you'll get the picture.

                                    So my DNS is 'pfSense' == 192.168.1.1 (of course) and 2001:470:dead:5c0:2::1, that's my pfSense LAN IPv6.
                                    So pfblockerng-devel works fine for my PC.

                                    edit :

                                    And keep in mind : your PC is also DNS caching !
                                    So, if you doubt, use and abuse this command a lot :

                                    ipconfig /flushdns
                                    

                                    • N
                                      newUser2pfSense
                                      last edited by Nov 23, 2022, 6:34 PM

                                      @Gertjan All of my desktop PCs, Linux flavors, have 192.168.1.1 hard set as their DNS server addresses which is my pfSense address. In pfSense, I've configured Cloudflare DNS servers 1.1.1.1, 1.0.0.1.

                                      • G
                                        Gertjan @newUser2pfSense
                                        last edited by Nov 24, 2022, 7:59 AM

                                        @newuser2pfsense said in pfBlockerNG-devel Not Blocking Malvertizing on LAN:

                                        All of my desktop PCs, Linux flavors, have 192.168.1.1 hard set as their DNS server addresses which is my pfSense address.

                                        In that case, any host name to be resolved on any of your LAN devices should wind up in the

                                        1ebc7749-3044-4798-a1d6-b95b67186abf-image.png

                                        == DNS Reply page.

                                        Look also at the

                                        3291f6ac-d91c-4739-85dd-cbd8c771d394-image.png

                                        where the red lines mean : host found in a DNSBL, so blocked.

                                        Blocked, for me, means : let's take a listed "upu.samsungelectronics.com" (it's in the list) as an example :

                                        C:\Users\Gauche>nslookup upu.samsungelectronics.com
                                        Server :   pfSense.mynet.net
                                        Address:  192.168.1.1
                                        
                                        Name :    upu.samsungelectronics.com
                                        Address:  0.0.0.0
                                        

                                        so it got back 0.0.0.0 which means it was blocked.

                                        • N
                                          newUser2pfSense @Gertjan
                                          last edited by Nov 24, 2022, 3:20 PM

                                          @gertjan In the pfBlockerNG > Reports > DNS Reply, I can see both my LAN and WLAN device IP addresses contacting different Domains. I'm also seeing a lot of 127.0.0.1 traffic from my router/pfSense host name to different Domains, for example:
                                          Domains.png

                                          In the pfBlockerNG > Reports > Unified, I can see blocked Destinations, for example:
                                          Blocked.png
                                          My Roku is reaching out every minute, WOW! That's disturbing.

                                          I ran an nslookup on one of the destinations listed in the Unified tab, see below:
                                          :~$ nslookup e91869.dsca.akamaiedge.net
                                          Server: 127.0.0.53
                                          Address: 127.0.0.53#53

                                          Non-authoritative answer:
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.142
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.135
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.145
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.138
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.140
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.136
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.148
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.147
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 23.212.251.143
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 2600:1408:c400:11::17cd:6b45
                                          Name: e91869.dsca.akamaiedge.net
                                          Address: 2600:1408:c400:11::17cd:6b54

                                          S G 2 Replies Last reply Nov 24, 2022, 3:28 PM Reply Quote 0
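
An added example, not part of any post in this thread: a Python check that reads an nslookup transcript and reports which resolver actually answered and whether the answer is the 0.0.0.0 sinkhole Gertjan describes. The function names, the verdict strings and the default expected resolver 192.168.1.1 are assumptions for illustration.

```python
import ipaddress
import re

# Transcripts abridged from the outputs posted in this thread.
LINUX_STUB = """\
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: e91869.dsca.akamaiedge.net
Address: 23.212.251.142
Name: e91869.dsca.akamaiedge.net
Address: 2600:1408:c400:11::17cd:6b45
"""
WINDOWS_BLOCKED = """\
Server :   pfSense.mynet.net
Address:  192.168.1.1

Name :    upu.samsungelectronics.com
Address:  0.0.0.0
"""
# Constructed sample: Windows "Addresses:" layout with a continuation line.
WINDOWS_MULTI = """\
Server:  pfSense.mynet.net
Address:  192.168.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4004:c1b::8b
          172.253.122.138
"""

ADDR_LINE = re.compile(r"^\s*Address(?:es)?\s*:\s*(\S+)", re.IGNORECASE)


def _to_ip(token):
    """Return an ip_address for '1.2.3.4' or '1.2.3.4#53', else None."""
    try:
        return ipaddress.ip_address(token.split("#", 1)[0])
    except ValueError:
        return None


def parse_nslookup(text):
    """Split a transcript into (resolver_ip, [answer_ips])."""
    resolver, answers, in_addresses = None, [], False
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            ip = _to_ip(m.group(1))
            in_addresses = line.lstrip().lower().startswith("addresses")
        elif in_addresses and line[:1].isspace() and line.strip():
            ip = _to_ip(line.strip())  # indented continuation of "Addresses:"
        else:
            in_addresses = False
            continue
        if ip is None:
            continue
        if resolver is None:
            resolver = ip  # the first address names the server that was asked
        else:
            answers.append(ip)
    return resolver, answers


def diagnose(text, expected_resolver="192.168.1.1", sinkholes=("0.0.0.0",)):
    """Classify one transcript; verdict strings are this example's own."""
    resolver, answers = parse_nslookup(text)
    if resolver is None:
        return "no-resolver-line"
    sink = {ipaddress.ip_address(s) for s in sinkholes}
    if answers and all(a in sink for a in answers):
        return "blocked"
    if resolver.is_loopback:
        # The client asked itself, so this transcript does not show whether
        # pfSense was consulted. On systemd-resolved hosts, `resolvectl status`
        # lists the upstream servers the stub forwards to.
        return "answered-by-local-stub"
    if resolver != ipaddress.ip_address(expected_resolver):
        return "answered-by-other-resolver"
    return "resolved-not-blocked" if answers else "no-answer"
```
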