Netgate Discussion Forum

    disable reverse lookups (PTR) and some odd dns

    pfBlockerNG
    donutjustice

      I have pfblockerNG installed (and DNSBL disabled). I send all DNS to another host. The pfblocker is doing a fine job getting hourly threat lists and I can see various hosts in the reports.

      I would like to eliminate the reverse lookups. I think all of these are hosts sending me packets and I get hundreds of them for each address. Many of them have no PTR record (making it a pointless lookup) and in case the other end is correlating, I don't want them to use my reverse lookup for any sort of recon or statistics.

      I have not found a way to turn this off. So, I could use some direction if this is possible.

      Additionally, pfsense is making a lot of repeat lookups when doing something ordinary like looking up threat feeds. For instance...

      2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
      2023-04-14 16:15:01 A www.spamhaus.org (cache)
      2023-04-14 16:15:01 [CNAME] www.spamhaus.org (cache)
      2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
      2023-04-14 16:15:01 A www.spamhaus.org (cache)
      2023-04-14 16:15:01 [CNAME] www.spamhaus.org (cache)
      2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
      2023-04-14 16:15:01 A www.spamhaus.org (cache)
      2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
      2023-04-14 16:15:01 A www.spamhaus.org (cache)
      2023-04-14 16:15:01 [CNAME] www.spamhaus.org (cache)
      2023-04-14 16:15:01 AAAA www.spamhaus.org (cache)
      2023-04-14 16:15:01 A www.spamhaus.org (answered)
      2023-04-14 16:15:01 [CNAME] www.spamhaus.org (answered)
      2023-04-14 16:15:01 AAAA www.spamhaus.org (answered)
      2023-04-14 16:15:01 A www.spamhaus.org (answered)

      It looks like it is requesting the same thing 4x without waiting for a reply.

      In this particular case it looked up www.spamhaus.org 470 times in 24 hours when it sure seems like 48 (or 72) would be appropriate. And each threat feed has 100s of lookups (most are in the 400s) with snort being the only outlier at 124.

      I was just wondering if someone could explain these numbers to me (and possibly help me tune them down).

      Thank you.

      pfsense version 2.6.0
      pfBlockerNG version 3.2.0_4

      donutjustice

        I hoped there was a configuration setting in pfblocker to disable reverse lookups and repeat lookups, but it has been a while since I posted to the forums and there have been no replies, so I assume there is not.

        I created a workaround because I enjoy tinkering, but, unless you have my same use case, there is no reason to take this route. Please just stick with PFBlocker.

        That said, I uninstalled pfblocker and did the following...

        [1] get the priority 1 threat lists
        [2] normalize the output and put it on a webserver
        [3] use a pfsense firewall alias and fetch it as a URL table [gui]
        [4] update this to hourly on pfsense cron [cli]
        [5] change the file time hourly [cli]
        [6] create firewall rules to block using this alias [gui]

        NOTE: I used a debian linux machine for steps 1-2 (because I already had it generating other URL lists and it was just easier to do it there). Steps 3-6 are done on the pfsense.

        I had fun doing it and I learned a few things about how pfsense works in the process. If you want the details of how I did it in case you need to do something similar, then read on. Otherwise, this forum post is probably done.

        Cheers

        [STEP 1] script 1 (feedlist-fetch.sh)

        #!/bin/bash
        
        # start in the right place (stop if the directory is missing rather
        # than writing the lists somewhere unexpected)
        cd /home/donutjustice/PFSENSE-scripts/quietblocker/ || exit 1
        
        # get the lists
        # -f : fail on an HTTP error instead of saving the error page as a list
        #      (a failed fetch leaves an empty file, not HTML in the block list)
        # -sS: silent progress, but still report transfer errors
        curl -fsS https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt > ips-feodo.txt
        curl -fsS https://sslbl.abuse.ch/blacklist/sslipblacklist.txt > ips-sslbl.txt
        curl -fsS https://cinsarmy.com/list/ci-badguys.txt > ips-cinsarmy.txt
        curl -fsS https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt > ips-ET-emerging.txt
        curl -fsS https://rules.emergingthreats.net/blockrules/compromised-ips.txt > ips-ET-compromised.txt
        curl -fsS https://isc.sans.edu/block.txt > ips-isc-block.txt
        curl -fsS https://www.spamhaus.org/drop/drop.txt > ips-spamhaus-drop.txt
        curl -fsS https://www.spamhaus.org/drop/edrop.txt > ips-spamhaus-edrop.txt
        # -L: this one redirects, so follow it
        curl -fsSL https://talosintelligence.com/documents/ip-blacklist > ips-talos.txt
        

        [STEP 2] script 2 (quietblocker.sh)

        #!/bin/bash
        #
        # threat feed data cleanup
        # copy to web server
        #
        
        # grab data from all the lists
        cd /home/donutjustice/PFSENSE-scripts/quietblocker/ || exit 1
        # run the fetch script directly (the original wrapped it in backticks,
        # which would try to execute the script's output as a command)
        /home/donutjustice/PFSENSE-scripts/quietblocker/feedlist-fetch.sh
        sleep 35
        
        # cleanup the output: drop comment lines, keep only the address/prefix column
        cat ips-cinsarmy.txt > BUILD.txt
        cat ips-ET-compromised.txt >> BUILD.txt
        cat ips-talos.txt >> BUILD.txt
        grep -v '#' ips-ET-emerging.txt >> BUILD.txt
        grep -v '#' ips-feodo.txt >> BUILD.txt
        grep -v '#' ips-sslbl.txt >> BUILD.txt
        # Spamhaus lines look like "1.2.3.0/24 ; SBLnnn": skip ';' comment lines, keep field 1
        grep -v '^;' ips-spamhaus-drop.txt | cut -d';' -f1 >> BUILD.txt
        grep -v '^;' ips-spamhaus-edrop.txt | cut -d';' -f1 >> BUILD.txt
        # ISC block list is tab separated; the first column is the start of a /24
        grep -v '#' ips-isc-block.txt | awk -F '\t' '{ print $1 "/24" }' >> BUILD.txt
        
        # dedupe and move it to the local webserver
        sort -u BUILD.txt > /var/www/html/quietblocker/quietblocker.html
        

        This script is run hourly on the debian box. It runs 5 minutes before pfsense grabs the URL to ensure the threatlist is fresh.

        The local crontab looks like this:

        25 * * * * /home/donutjustice/PFSENSE-scripts/quietblocker/quietblocker.sh
        

        [STEP 3] In the gui set pfsense firewall alias to fetch the URL. I named mine "quietblocker" (relevant in step 5 where this becomes quietblocker.txt. If you name yours something different, just make sure it matches in step 5.) and the URL looks like this

        http://10.1.1.100/quietblocker/quietblocker.html   /1
        

        [STEP 4] ssh to pfsense and edit /etc/crontab

        EDIT the "urltables" line from a 12 to a *. It should look like this

        30      *       *       *       *       root    /usr/bin/nice -n20 /etc/rc.update_urltables
        

        [STEP 5] keep editing /etc/crontab (just like step 4)

        ADD a new crontab line (I suggest below the urltables). It should look like this.

        35      *       *       *       *       root    /usr/bin/touch -t 1001011230 /var/db/aliastables/quietblocker.txt
        

        This step is necessary because the urltables script checks the timestamp on the file and won't update anything less than 1 day old. This just changes the date, so it is always old enough. I preferred this method to monkeying with the urltables script.

        [STEP 6] Now create firewall rules to meet your needs using this firewall alias.

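The normalisation in step 2 trusts each feed to keep its current format: a changed header, an HTML error page, or a stray token would be copied into the alias file as-is. The function below is an added example (not the poster's script and not part of pfSense or pfBlockerNG) that performs the same cleanup as a single filter and additionally keeps only well-formed IPv4 addresses or prefixes, so a malformed feed shrinks the block list instead of polluting it. It handles all three comment styles seen in the feeds above (`#` lines, Spamhaus `;` annotations, and the ISC tab-separated start/end rows). The sample feed is constructed for the demonstration.

```shell
#!/bin/bash
# Added example: normalise mixed threat-feed text into a plain list of IPv4
# addresses / CIDR prefixes suitable for a pfSense URL-table alias.

# usage: normalize_feed < raw_feed.txt
normalize_feed() {
    # 1. drop blank lines and lines that are only '#' or ';' comments
    # 2. Spamhaus style "1.2.3.0/24 ; SBLnnn": keep the part before ';'
    # 3. ISC style tab-separated rows: keep column 1 and append /24
    # 4. trim surrounding whitespace
    # 5. keep only a.b.c.d or a.b.c.d/0-32, with every octet <= 255
    # 6. sort and dedupe
    grep -v -E '^[[:space:]]*(#|;|$)' \
    | cut -d';' -f1 \
    | awk -F'\t' 'NF > 1 { print $1 "/24"; next } { print $1 }' \
    | sed -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | awk -F'[./]' '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | sort -u
}

# Constructed sample input mixing the formats of the feeds above; the values
# are documentation ranges, not real indicators.
sample_feed() {
    printf '%s\n' \
        '# constructed sample input, not a real feed' \
        '; header comment in the Spamhaus style' \
        '1.10.16.0/20 ; SBL-PLACEHOLDER' \
        '192.0.2.10' \
        '192.0.2.10' \
        '999.1.1.1' \
        'not-an-ip' \
        '203.0.113.7/33' \
        ''
    # ISC-style row: start, end, bits, attacks, name, country, contact
    printf '198.51.100.0\t198.51.100.255\t24\t1000\texample\tXX\tabuse@example.invalid\n'
}

# Demo: only the three valid entries survive, duplicates collapsed.
sample_feed | normalize_feed
```

In the poster's setup this would replace the `grep`/`cut`/`awk` lines of quietblocker.sh with `cat ips-*.txt | normalize_feed > /var/www/html/quietblocker/quietblocker.html`; the invalid lines (`999.1.1.1`, `not-an-ip`, `/33`) are silently dropped, which is the behaviour you want for a file that feeds a firewall table.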
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.