• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

pfBlockerNG not blocking domain after first DNS lookup attempt

Scheduled Pinned Locked Moved pfBlockerNG
34 Posts 3 Posters 3.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • V
    vjizzle
    last edited by vjizzle Nov 29, 2023, 2:59 PM Nov 29, 2023, 2:58 PM

    Hi,

    So pfBlockerNG is not blocking a blocked domain when I retry the query again. I can reproduce this again and again on my pfSense. Running the latest version of pfSense CE (2.7.1) and the latest version of pfBlockerNG. This makes me believe that it must allow blocked domains which are being retried. Please check my output below:

    > server 192.168.100.1
    Default Server:  XXXXXXXXXX
    Address:  192.168.100.1
    
    > www.msn.com
    Server:  XXXXXXXXXX
    Address:  192.168.100.1
    
    Non-authoritative answer:
    Name:    www.msn.com
    Addresses:  ::
              0.0.0.0
    
    > www.msn.com
    Server:  XXXXXXXXXX
    Address:  192.168.100.1
    
    Non-authoritative answer:
    Name:    a-0003.a-msedge.net
    Address:  204.79.197.203
    Aliases:  www.msn.com
              www-msn-com.a-0003.a-msedge.net
    
    > www.msn.com
    Server:  XXXXXXXXXX
    Address:  192.168.100.1
    
    Non-authoritative answer:
    Name:    a-0003.a-msedge.net
    Address:  204.79.197.203
    Aliases:  www.msn.com
              www-msn-com.a-0003.a-msedge.net
    
    J 1 Reply Last reply Nov 29, 2023, 6:25 PM Reply Quote 0
    • J
      jrey @vjizzle
      last edited by Nov 29, 2023, 6:25 PM

      @vjizzle

      I can recreate this but only if the client has multiple DNS paths.

      where are you running this lookup from and;
      how exactly are you blocking?

      0.0.0.0 DNSBL on the pfSense Box,
      then the next query most likely gets the response from the second DNS Server,

      from a client System I can do this all day long and the DNSBL will always block it, in my case the 10.10.10.1 address being returned is the "you are blocked webpage"
      Screen Shot 2023-11-29 at 12.55.53 PM.png

      the client machine can only ever talk to the Resolver on pfSense if DHCP assign it there, or static, (or if you can't set it some devices that use DHCP, but don't listen to setting the DNS, in these cases if needed you can any non-complying client lookup, with a RULE)

      Anything telling the client is has another DNS will return an address at some point.

      Running the same lookup on pf shell itself will result the expected block local, but because the resolver has another DNS it can talk to (roots or others), and has to have it) you will get this.
      Screen Shot 2023-11-29 at 1.01.39 PM.png

      has everything to do with order and path DNS query traffic is allowed to follow..

      a device that as redirected with a RULE, (so one where you can't set static or DHCP can't assign the DNS) even if you did a

      dig @8.8.8.8 www.msn.com
      

      would respond with 10.10.10.1 in this case, and the dig (depending on the client would tell you it got the response from 8.8.8.8, even though it clearly did not)

      so on a client it blocks, on pf it does not and this is fine.

      V 1 Reply Last reply Nov 30, 2023, 2:06 PM Reply Quote 0
      • V
        vjizzle @jrey
        last edited by vjizzle Nov 30, 2023, 2:07 PM Nov 30, 2023, 2:06 PM

        @jrey
        I am using a Windows client with only 1 DNS server configured and pfBlockerNG is running in Python mode:

        Ethernet adapter Ethernet Instance 0 2:
        
           Connection-specific DNS Suffix  . : XXXXXX.lan
           Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
           Physical Address. . . . . . . . . : 02-11-3XXXXXXXXX
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes
           IPv4 Address. . . . . . . . . . . : 192.168.100.25(Preferred)
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Lease Obtained. . . . . . . . . . : zondag 26 november 2023 15:28:28
           Lease Expires . . . . . . . . . . : vrijdag 1 december 2023 15:00:32
           Default Gateway . . . . . . . . . : 192.168.100.1
           DHCP Server . . . . . . . . . . . : 192.168.100.1
           DNS Servers . . . . . . . . . . . : 192.168.100.1
           NetBIOS over Tcpip. . . . . . . . : Enabled
           Connection-specific DNS Suffix Search List :
                                              XXXXXXXX.lan
        
        C:\Users\Administrator>nslookup
        Default Server:  XXXXXXXX.lan
        Address:  192.168.100.1
        
        > www.msn.com
        Server:  XXXXXXXXXX.lan
        Address:  192.168.100.1
        
        Non-authoritative answer:
        Name:    www.msn.com
        Addresses:  ::
                  0.0.0.0
        
        > www.msn.com
        Server:  XXXXXXXX.lan
        Address:  192.168.100.1
        
        Non-authoritative answer:
        Name:    a-0003.a-msedge.net
        Address:  204.79.197.203
        Aliases:  www.msn.com
                  www-msn-com.a-0003.a-msedge.net
        

        There are no redirects etc, and DNS server is being handed out by DHCP. This is a leak as far as I can see with pfBlockerNG. If I change my DNS server to a pihole with the same blocklists as on my pfSense, blocking is working as expected.

        J 2 Replies Last reply Nov 30, 2023, 2:18 PM Reply Quote 0
        • J
          jrey @vjizzle
          last edited by jrey Nov 30, 2023, 2:19 PM Nov 30, 2023, 2:18 PM

          @vjizzle

          Okay that helps, now the second part

          how exactly are you blocking?

          I can't recreate this "leak" as you describe, it just blocks every time as expected. (edit: unless I introduce another DNS in the PATH that can respond)

          Let's take at your DNS Resolver (pfSense DNS settings in general would be helpful) and pfBlocker settings.

          V 1 Reply Last reply Nov 30, 2023, 2:36 PM Reply Quote 0
          • V
            vjizzle @jrey
            last edited by Nov 30, 2023, 2:36 PM

            @jrey

            Please find an overview of my DNS Resolver and DNSBL settings in the screenshots below.

            screenshot01.png screenshot02.png screenshot03.png screenshot04.png

            J 1 Reply Last reply Nov 30, 2023, 2:52 PM Reply Quote 0
            • J
              jrey @vjizzle
              last edited by Nov 30, 2023, 2:40 PM

              @vjizzle said

              Ethernet adapter Ethernet Instance 0 2:

              Do you have more than one network card on your Windows machine?
              Appears it might be a virtual machine?

              had to spin up my windows virtual and I don't block msn on this network, but do block twitter.com here are the results
              Screen Shot 2023-11-30 at 9.37.55 AM.png

              V 1 Reply Last reply Nov 30, 2023, 2:45 PM Reply Quote 0
              • V
                vjizzle @jrey
                last edited by Nov 30, 2023, 2:45 PM

                @jrey
                It is a virtual machine yes. Check the screenshot below showing the difference between using pihole vs pfblockerng.

                screenshot06.png

                1 Reply Last reply Reply Quote 0
                • J
                  jrey @vjizzle
                  last edited by Nov 30, 2023, 2:52 PM

                  @vjizzle

                  Okay where are you making the entry to block msn.com ?

                  You have a couple of items checked that I don't use/require however... I'll have to check and see if any of them make a difference

                  J 1 Reply Last reply Nov 30, 2023, 2:55 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @jrey
                    last edited by Nov 30, 2023, 2:55 PM

                    @jrey if you set unbound on pfsense to block something, or via pfblocker... It will be blocked every single time..

                    If your having a client get an answer, then it got it elsewhere - doh in your browser would be the most likely suspect.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    V J 2 Replies Last reply Nov 30, 2023, 3:01 PM Reply Quote 0
                    • V
                      vjizzle @johnpoz
                      last edited by Nov 30, 2023, 3:01 PM

                      @johnpoz Yes I know about the DOH in browsers indeed, that is not what this problem is in my opinion.

                      @jrey www.msn.com is blocked via CNAME a-0003.a-msedge.net. This record exists in the following blocklist: https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist

                      I just tried changing pfBlockerNG to Unboud mode and a force reload afterwards. Also cleared the dns cache of my client but still the same. pfSense/pfBlocker still resolves www.msn.com unfortunately.

                      J 1 Reply Last reply Nov 30, 2023, 3:49 PM Reply Quote 0
                      • V
                        vjizzle
                        last edited by Nov 30, 2023, 3:12 PM

                        I just tested this out from my Macbook. It's still the same problem. www.msn.com is being resolved. It doesn't matter if pfBlockerNG is in Unbound mode or Python mode. After reloading pfBlockerNG, the first query for www.msn.com results in a 0.0.0.0 answer, but every query after the first one is resolved.

                        XXXX@caldigit-dock ~ % nslookup
                        > > server 192.168.100.1
                        > Default server: 192.168.100.1
                        > Address: 192.168.100.1#53
                        > > www.msn.com
                        > Server:		192.168.100.1
                        > Address:	192.168.100.1#53
                        > 
                        > Non-authoritative answer:
                        > Name:	www.msn.com
                        > Address: 0.0.0.0
                        > > www.msn.com
                        > Server:		192.168.100.1
                        > Address:	192.168.100.1#53
                        > 
                        > Non-authoritative answer:
                        > www.msn.com	canonical name = www-msn-com.a-0003.a-msedge.net.
                        > www-msn-com.a-0003.a-msedge.net	canonical name = a-0003.a-msedge.net.
                        > Name:	a-0003.a-msedge.net
                        > Address: 204.79.197.203
                        > > 
                        > > 
                        > 
                        
                        1 Reply Last reply Reply Quote 0
                        • J
                          jrey @johnpoz
                          last edited by Nov 30, 2023, 3:15 PM

                          @johnpoz said in pfBlockerNG not blocking domain after first DNS lookup attempt:

                          doh in your browser would be the most likely suspect.

                          unlikely doh, it is an nslookup - port 53

                          it is a good question, I've preformed the same tests as the OP, and my DoH rule has never tripping, but at the same time it just blocks every single time.

                          Let's ask this @vjizzle are you loading / have you loaded msn at any point during testing in a browser.

                          as for the browser, on my windows machine
                          Screen Shot 2023-11-30 at 10.09.23 AM.png

                          and the nslookup all still returned 0.0.0.0 after. No DoH recorded.

                          but something could be loading the cache,

                          "Message cache elements are prefected..."
                          "Serve cache records even with TTL of 0"

                          Personally I've never had much use for either those settings, OP may have a requirement ?

                          1 Reply Last reply Reply Quote 0
                          • V
                            vjizzle
                            last edited by Nov 30, 2023, 3:30 PM

                            I have not loaded www.msn.com (or the CNAME) in my browser or other device in my network. The DNS options for prefetch and server TTL of 0 is only there to speedup host lookups. The same options are enabled on my pihole which is using local installed unbound in resolver mode.

                            Somehow the pfSense resolver manages to bypass pfBlockerNG or CNAME blocking fails in pfBlockerNG, looks like to me at least.

                            J 1 Reply Last reply Nov 30, 2023, 3:43 PM Reply Quote 0
                            • J
                              johnpoz LAYER 8 Global Moderator @vjizzle
                              last edited by johnpoz Nov 30, 2023, 3:52 PM Nov 30, 2023, 3:43 PM

                              @vjizzle said in pfBlockerNG not blocking domain after first DNS lookup attempt:

                              CNAME blocking fails in pfBlockerNG

                              you could have some problem with something looking up the cname but not the original that is blocked..

                              ;; QUESTION SECTION:
                              ;www.msn.com.                   IN      A
                              
                              ;; ANSWER SECTION:
                              www.msn.com.            11194   IN      CNAME   www-msn-com.a-0003.a-msedge.net.
                              www-msn-com.a-0003.a-msedge.net. 56 IN  CNAME   a-0003.a-msedge.net.
                              a-0003.a-msedge.net.    56      IN      A       204.79.197.203
                              

                              Blocking msn.com doesn't prevent lookup of a-msedge.net.

                              If I wanted to block msn.com what I would do is put this directly in unbound custom box, since I don't use blocking in pfblocker..

                              local-zone: "msn.com" always_nxdomain

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              J 1 Reply Last reply Nov 30, 2023, 4:05 PM Reply Quote 0
                              • J
                                jrey @vjizzle
                                last edited by Nov 30, 2023, 3:49 PM

                                @vjizzle said in pfBlockerNG not blocking domain after first DNS lookup attempt:

                                www.msn.com is blocked via CNAME a-0003.a-msedge.net

                                look above when I ran the test the canonical name returned is not on the list you provided.

                                I'd like to see the specific setup you have for this list you are providing.
                                (ie the DNSBL setup containing that list)

                                Hopefully you have it added under an entry within DNSBL Groups?

                                also in the pfblockerng.log there should be a section showing it being processed.
                                provide that log section please.
                                anything in the error.log (pfblockerng)

                                then most likely what you are seeing is that www.msn.com is not on the list, and you are returning the CNAME on subsequent queries some of those are multi-named

                                not also that the CNAME I returned is www.msn.com.a-0003.a-msedge.net
                                and the CNAME you see is a-0003.a-msedge.net

                                traceroute a-0003.a-msedge.net
                                traceroute to a-0003.a-msedge.net (204.79.197.203), 64 hops max, 52 byte packets
                                
                                traceroute www.msn.com.a-0003.a-msedge.net
                                traceroute to a-0003.a-msedge.net (204.79.197.203), 64 hops max, 52 byte packets
                                
                                

                                on your DNSBL category, where you have the list being added, goto the bottom DNSBL Custom_list and add the entry msn.com
                                no quotes, no other sub just msn.com
                                Screen Shot 2023-11-30 at 10.37.00 AM.png

                                then force reload the DNSBL on the update tab
                                Screen Shot 2023-11-30 at 10.38.06 AM.png

                                check the same 2 logs referenced above, for the processing of the list and the new custom entry

                                try the test again.

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jrey @johnpoz
                                  last edited by Nov 30, 2023, 4:05 PM

                                  @johnpoz

                                  yup, I really want to see the settings of the specific DNSBL category. being used,

                                  using the local-zone would also work, but in this case the OP already has a "list" in pfBocker, that blocks a bunch of other specific things, just not all the "specific things"

                                  msn.com on the DNSBL category, would keep it all together for the OP.

                                  certainly I don't use the list, and blocking the lookup by DNSBL works and does not return a CNAME.

                                  However there might be a problem with the TLD because from the list
                                  a-0003.a-msedge.net is listed.

                                  The setting, CNAME Validation set being enable MIGHT be the source of the "leak". Still trying to recreate the OP's various settings to see if I can recreate the issue.

                                  V 1 Reply Last reply Nov 30, 2023, 4:10 PM Reply Quote 0
                                  • V
                                    vjizzle
                                    last edited by Nov 30, 2023, 4:06 PM

                                    When I add msn.com to a custom DNSBL Group for blocking, pfBlockerNG works perfectly and keeps blocking msn.com and www.msn.com. That goes for every domain I add to my custom blocklist.

                                    The problems starts to occur when there is CNAME resolving involved. As you can see www.msn.com resolves to a CNAME a-0003.a-msedge.net. This hostname is in the blocklist I am using:
                                    screenshot01.png

                                    I have TLD blocking and CNAME blocking options enabled in pfBlockerNG:
                                    screenshot 02.png

                                    That is why I would expect pfBlockerNG to keep blocking www.msn.com because the CNAME it resolves to is in the blocklist.

                                    This is also the behaviour in pihole. When it resolves to a CNAME in a blocklist, the initial domain is blocked:
                                    screenshot03.png

                                    J 1 Reply Last reply Nov 30, 2023, 4:13 PM Reply Quote 0
                                    • V
                                      vjizzle @jrey
                                      last edited by Nov 30, 2023, 4:10 PM

                                      @jrey Please find the screenshots below on how I have setup the DNSBL group:

                                      screenshot 03.png screenshot 04.png

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        jrey @vjizzle
                                        last edited by jrey Nov 30, 2023, 4:15 PM Nov 30, 2023, 4:13 PM

                                        @vjizzle

                                        That's why I want to see the log files ;-)
                                        Edit and the DNSBL Groups settings for the specific group/list you have setup containing the list you referenced. oops your second post appeared lated.

                                        You also have Regex Blocking enabled, do you have any entries in the list that appears below on the screen when that is enabled?

                                        V 1 Reply Last reply Nov 30, 2023, 4:15 PM Reply Quote 0
                                        • V
                                          vjizzle @jrey
                                          last edited by Nov 30, 2023, 4:15 PM

                                          @jrey Ah yes. Are the screenshots I just posted enough? What logfiles do you want to see?

                                          J 1 Reply Last reply Nov 30, 2023, 4:21 PM Reply Quote 0
                                          20 out of 34
                                          • First post
                                            20/34
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received