Netgate Discussion Forum

    pfblockerng dnsbl category blocking not working on Firefox and Safari. Works on Chrome

      floppypen

      I have set up pfblockerng to block adult sites through the DNSBL categories. This works on Chrome and Arc (Chrome-based) on my Mac and iPhone. However, when I use Firefox or Safari, nothing is blocked. What's weird is that I have set up forced safe search, and that does work on all browsers. I also have pfblockerng to block ads which works fine.

        Gertjan @floppypen

        @floppypen

        You want DNS requests emitted by Firefox to be handled by pfBlockerng (pfSense).
        Firefox, as an application, can use the device's "system DNS", the one obtained by the system's DHCP client, or ... use its own DNS settings.
        The question is: what are your Firefox DNS settings?

        Menu => Tools => Settings, select "Privacy and Security", go to the bottom of the page:

        [image]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          floppypen @Gertjan

          @Gertjan yes I’ve turned it off with no change.

            Gertjan @floppypen

            @floppypen

            Ok, nice, so it's more than probable that Firefox uses the resolver to resolve stuff.
            Did you test?

            I'll give an example:

            My settings:

            [image]

            This is the dnsbl file:

            [image]

            Let's pick one:

            [image]

            So, I set up a tailer (SSH or console mode - no (never) GUI command line please):

            [24.03-RELEASE][root@pfSense.bhf.tld]/root: tail -f /var/unbound/var/log/pfblockerng/dns_reply.log | grep 'americanskinheads.com'
            

            This command 'tails' the main dns_reply.log log file: every DNS request that was parsed by pfBlockerng (the python (!) mode parser).
            Now I visit this site - and no surprise:

            [image]

            and the logs show me:

            DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
            DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk
            DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
            DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk
            

            Btw: 192.168.1.6 and 2a01:cb19:907:dead::c7 are the IPs my PC with the web browser is using.

            Recap:
            I wanted to visit a site using a host name.
            The local PC DNS cache didn't have that hostname / IP in its cache, it was asking unbound (pfSense).
            Unbound filters everything through the pfBlockerng python loop, which uses a big DNSBL database: it found a match (no surprise) and unbound answered back to my PC, my browser: the IP that stands for "don't know that IP so here you have 10.10.10.1", which points to the pfBlockerng web server that showed me in turn: that domain you wanted to visit is blocked.

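The tail/grep check from the last post, as an added example that is not part of the original thread: a POSIX sh script that lists which clients asked unbound for a domain and tests whether one particular client (for example the machine running Firefox or Safari) shows up at all. The field positions are assumed from the log lines quoted above; the function names and the example.org line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Field positions are inferred from the
# dns_reply.log lines quoted in the post: $7 = queried name, $8 = client IP,
# $9 = result.

# dnsbl_seen LOGFILE DOMAIN
# Prints "client result count" for each client that asked unbound for DOMAIN
# or one of its subdomains.
dnsbl_seen() {
    awk -F, -v dom="$2" '
        BEGIN { d = tolower(dom) }
        $1 == "DNS-reply" {
            name = tolower($7)
            suffix = substr(name, length(name) - length(d))
            if (name == d || (length(name) > length(d) && suffix == ("." d)))
                n[$8 " " $9]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# client_uses_resolver LOGFILE DOMAIN CLIENT_IP
# Exit status 0 if CLIENT_IP's query for DOMAIN reached unbound, 1 if not
# (the name was cached on the client or resolved somewhere else).
client_uses_resolver() {
    dnsbl_seen "$1" "$2" | awk -v ip="$3" '$1 == ip { hit = 1 } END { exit !hit }'
}

# Constructed sample: lines in the format shown in the post, plus one made-up
# line for a second client (192.168.1.20) and a second domain.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk
DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk
DNS-reply,Jun 26 11:00:05,servfail,AAAA,AAAA,Unk,www.example.org,192.168.1.20,ServFail,unk
EOF

dnsbl_seen "$SAMPLE_LOG" americanskinheads.com
for ip in 192.168.1.6 192.168.1.20; do
    if client_uses_resolver "$SAMPLE_LOG" americanskinheads.com "$ip"; then
        echo "$ip: query seen by unbound"
    else
        echo "$ip: no query seen (cached locally or resolved elsewhere)"
    fi
done
```

On the firewall, pass /var/unbound/var/log/pfblockerng/dns_reply.log as LOGFILE and the address of the device whose browser is not being blocked as CLIENT_IP.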
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.