PfBlockerNG v2.0 w/DNSBL
-
pfBlockerNG v2.0.15 - Pull Request #140 was merged:
See the following for details:
https://github.com/pfsense/FreeBSD-ports/pull/140
UPDATE:
Please wait for pfBlockerNG v2.0.16 due to the following unescaped variable issue:
https://github.com/pfsense/FreeBSD-ports/pull/143/files
-
Great job. Just resolved the issue with the DNSBL service not starting.
-
Using pfBlockerNG v2.0.16 I have DNSBL EasyPrivacy turned on from before. It was working fine. After updating to v2.0.16 twitter.com is getting blocked. It was not getting blocked before. I tried to add twitter.com to DNSBL->Custom Domain Suppression (Whitelist) but that doesn't unblock it. If I set the EasyPrivacy feed to Off, twitter.com loads successfully.
-
Using pfBlockerNG v2.0.16 I have DNSBL EasyPrivacy turned on from before. It was working fine. After updating to v2.0.16 twitter.com is getting blocked. It was not getting blocked before. I tried to add twitter.com to DNSBL->Custom Domain Suppression (Whitelist) but that doesn't unblock it. If I set the EasyPrivacy feed to Off, twitter.com loads successfully.
You can suppress directly from the Alerts Tab, which will remove the Domain immediately… if you add the domain manually to the Whitelist, you need to select the "update custom list" checkbox, and run a "Force Reload - DNSBL" for it to take effect...
-
You can suppress directly from the Alerts Tab, which will remove the Domain immediately… if you add the domain manually to the Whitelist, you need to select the "update custom list" checkbox, and run a "Force Reload - DNSBL" for it to take effect...
Ahh thanks for clearing that up. All good now.
-
You can suppress directly from the Alerts Tab, which will remove the Domain immediately… if you add the domain manually to the Whitelist, you need to select the "update custom list" checkbox, and run a "Force Reload - DNSBL" for it to take effect...
Ahh thanks for clearing that up. All good now.
Ahh crap… I have to make another change to the code as it shouldn't have picked up that Domain name :) Sorry guys... I will post a PR to get this fixed ASAP...
-
pfBlockerNG v2.0.17 :
https://github.com/pfsense/FreeBSD-ports/pull/144
This will fix the issue with the EasyPrivacy Feed (as noted above).
I suspect that EasyList will also change file formats at some point, but I will make those changes at that time.
Until the PR is merged, either disable EasyPrivacy, or fetch the file from my Github repo:
–> File below is only for pfSense v2.3.x <–
fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://raw.githubusercontent.com/BBcan177/FreeBSD-ports/88fc815594c48f9d99c2f7feb9649a3586a3ca27/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc"
and run a "Force Reload - DNSBL"
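The EasyPrivacy problem above comes from a feed in Adblock Plus syntax being read as if it were a plain domain list, which is how a site like twitter.com can end up in a DNS blocklist. The following is an added example, not pfBlockerNG's code and not the fix in PR #144: it extracts blockable hosts from an ABP-format feed while skipping the rule types that name a host without meaning "block this host", then applies a custom suppression (whitelist) list the way the thread's "Custom Domain Suppression" is meant to work. The sample feed, the suppression list and the sinkhole address 10.10.10.1 are constructed placeholders; the exact format change that tripped the parser in the thread is not stated there and is not reproduced here.

```python
"""Added example (not pfBlockerNG's own code): extract DNS-blockable hosts from an
EasyList/EasyPrivacy-style (Adblock Plus syntax) feed, then apply a suppression
(whitelist) list. Sample data below is constructed for this example."""
import re

# Constructed sample feed mixing the rule types found in ABP-format lists.
SAMPLE_FEED = """\
[Adblock Plus 2.0]
! Title: constructed sample, not the real EasyPrivacy
||tracker.example^
||metrics.example.net^$third-party
||cdn.example.org/beacon.js
@@||twitter.com^$document
||analytics.example.com^$domain=twitter.com|example.com
twitter.com##.promoted-tweet
/tracking-pixel.gif
||ads.example^$image
"""

# Constructed suppression list (the "Custom Domain Suppression" idea).
SAMPLE_SUPPRESSION = ["metrics.example.net"]

# ||host^ anchors a whole host; anything after '^' is a path or $options.
_NETWORK_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^")
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def extract_domains(feed_text):
    """Return the set of hosts a DNS-level blocker may block from an ABP feed.

    Lines that must NOT yield a blocked host:
      - comments and headers ('!' / '[...]')
      - '@@' exception rules: they un-block, and usually name a major site
      - '##' / '#@#' element-hiding rules: the host before '##' is where the
        rule applies, not a host to block
      - path-only rules ('/tracking-pixel.gif') and host+path rules
        ('||cdn.example.org/beacon.js'): blocking the whole host at the DNS
        layer would over-block
    Hosts inside a '$domain=' option are the sites a rule is scoped to, never
    the target; they are dropped together with the options.
    """
    domains = set()
    for raw in feed_text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith(("!", "[", "@@")):
            continue
        if "##" in line or "#@#" in line:
            continue
        m = _NETWORK_RULE.match(line)
        if not m:
            continue
        host = m.group(1)
        if _HOST_RE.match(host):
            domains.add(host)
    return domains


def apply_suppression(domains, suppression):
    """Drop suppressed hosts and their subdomains: the whitelist always wins."""
    supp = {s.strip().lower() for s in suppression if s.strip()}

    def suppressed(d):
        return any(d == s or d.endswith("." + s) for s in supp)

    return {d for d in domains if not suppressed(d)}


def build_blocklist(feed_text, suppression, sinkhole_ip="10.10.10.1"):
    """Hosts-file style output ('<sinkhole> <host>'); sinkhole_ip is a placeholder."""
    kept = apply_suppression(extract_domains(feed_text), suppression)
    return [f"{sinkhole_ip} {d}" for d in sorted(kept)]


if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_FEED, SAMPLE_SUPPRESSION)))
```

With the sample feed, twitter.com never reaches the blocklist even though it appears three times in the file, and the suppressed host drops out without a rebuild of the feed itself.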
-
pfBlockerNG v2.0.17 :
https://github.com/pfsense/FreeBSD-ports/pull/144
This will fix the issue with the EasyPrivacy Feed (as noted above).
I suspect that EasyList will also change file formats at some point, but I will make those changes at that time.
Until the PR is merged, either disable EasyPrivacy, or fetch the file from my Github repo:
–> File below is only for pfSense v2.3.x <–
fetch -o /usr/local/pkg/pfblockerng/pfblockerng.inc "https://raw.githubusercontent.com/BBcan177/FreeBSD-ports/88fc815594c48f9d99c2f7feb9649a3586a3ca27/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc"
and run a "Force Reload - DNSBL"
Manually pulled the update and reverted my twitter.com whitelist. Did a force reload and can verify that the fix does work. Thanks.
-
Hi–
Firstly, thanks again for an awesome package!
I'd like to revisit an issue brought up numerous pages ago, that issue being that with pfBlockerNG and DNSBL enabled, along with the DNSBL Easy List to block ads, some web clients will throw an error like so:
Is this a Safari/Mobile Safari issue only? How are people working around this with pfBlockerNG? This issue is causing Wife Approval Factor to drop precipitously.
Thanks again,
Paul
-
Is this a Safari/Mobile Safari issue only? How are people working around this with pfBlockerNG? This issue is causing Wife Approval Factor to drop precipitously.
Hi Paul,
Is this device on the latest Apple Software build? Is Safari updated?
Two other options: 1) Install Chrome. 2) Set the DNS settings for this device to a different DNS server, so that it bypasses DNSBL.
-
Hello BBcan177–
Thanks for your reply--much appreciated.
All our desktops/laptops/devices are up to date running the latest: Safari 9.1.1 and OS X 10.11.5 on the desktop. All iPhones and iPads are running the latest as well.
Getting folks in the family to use another browser won't go very far :( Such is the life of the family sys admin.
Regarding:
- Set the DNS settings for this device to a different DNS server, so that it bypasses DNSBL.
All devices are using pfSense for DNS (forwarder is enabled).
If I'm understanding this issue correctly, these certs are all delivered via https. Since these connections are blocked by the EasyList, Safari throws these alerts?
Is this a known issue with Safari, or is there some configuration available that I'm not aware of?
thx
PP
-
Hello,
I had pfBlocker working fine on my other setup, but now since I upgraded to pfSense 2.3 my config was corrupted and I had to do a clean install.
My problem with pfBlocker is that I can't get the DNSBL to block ads. I configured the standard lists (Cameleon, yoyo, adaway, etc.) and I also see a lot of ads listed in the Alerts tab, but the ads still show up. I'm guessing the problem is with Unbound. Also, when I do an update/reload, it says "Reloading Unbound … Not completed." See below.
Adding Unbound Server:Include line... completed
Validating database... completed
Reloading Unbound ... Not completed.
DNSBL update [ 0 ]... completed
------------------------------------------
DNSBL - Adding Unbound custom 'include' option
Saving new DNSBL web server configuration to port [ 8081 & 8443 ]
Saving pfSense config... VIP address configured.
Widget Packet statistics reset.
New DNSBL Cert Created.
Restarting Service DNSBL...
Second thing: it says IP count 37?
70107 total
46572 /var/db/pfblockerng/dnsbl/ADs_hostfile.txt
15239 /var/db/pfblockerng/dnsbl/ADs_Cameleon.txt
3659 /var/db/pfblockerng/dnsbl/EasyListElements.txt
2395 /var/db/pfblockerng/dnsbl/ADs_yoyo.txt
2080 /var/db/pfblockerng/dnsbl/EasyListPrivacy.txt
125 /var/db/pfblockerng/dnsbl/ADs_adaway.txt
23 /var/db/pfblockerng/dnsbl/EasyListElements.ip
14 /var/db/pfblockerng/dnsbl/EasyListPrivacy.ip

IPv4 alias tables IP count
-----------------------------
37

IPv6 alias tables IP count
-----------------------------
0

Alias table IP Counts
-----------------------------
37 /var/db/aliastables/pfB_DNSBLIP.txt

pfSense Table Stats
-------------------
table-entries hard limit 2000000
Table Usage Count 73126
-
It looks like there are no domains in DNSBL?
DNSBL update [ 0 ]... completed
Post the whole DNSBL section of the log.
-
Sorry if this is a stupid question. I am using OpenDNS and wondered if I can use DNSBL along with it? The only way I was able to get alert data was by changing the DNS settings on my PC.
Not in this way. If you point your clients to pfSense as DNS server and use OpenDNS as forwarders for Unbound, then yes it should work.
I recently installed pfblockerng v2.0.17 with the help of https://m.youtube.com/watch?v=YLhDOaH0q5U and until then I used opendns. Is it possible to combine these two and if so how can I accomplish this and what could/would it bring.
-
Sorry if this is a stupid question. I am using OpenDNS and wondered if I can use DNSBL along with it? The only way I was able to get alert data was by changing the DNS settings on my PC.
Not in this way. If you point your clients to pfSense as DNS server and use OpenDNS as forwarders for Unbound, then yes it should work.
I recently installed pfblockerng v2.0.17 with the help of https://m.youtube.com/watch?v=YLhDOaH0q5U and until then I used opendns. Is it possible to combine these two and if so how can I accomplish this and what could/would it bring.
It can be done just as Dok said above:
Point your LAN devices to pfSense Resolver/DNSBL, and then set the Resolver into "Forwarding mode" to the opendns servers… But keep in mind that opendns doesn't support DNSSEC, so disable those options...
-
Thanks for bringing us pfBlockerNG! As I am fairly new to the use of an ad blocker in combination with a firewall, can you be a bit more explicit, say idiot-proof ;), on how to use pfBlockerNG and OpenDNS?
-
It can be done just as Dok said above:
Point your LAN devices to pfSense Resolver/DNSBL, and then set the Resolver into "Forwarding mode" to the opendns servers… But keep in mind that opendns doesn't support DNSSEC, so disable those options...
Stupid me, that was easy (one check mark on and one off). But when using "Forwarding mode" am I not losing DNSBL and so a lot of the "power" of your ad blocker? In your professional opinion am I now penny wise and pound foolish?
-
It looks like there are no domains in DNSBL?
DNSBL update [ 0 ]... completed
Post the whole DNSBL section of the log.
Don't know if this is what you meant, but this is the reload log of the DNSBL section:
UPDATE PROCESS START [ 06/06/16 16:58:27 ]

===[ DNSBL Process ]================================================

[ ADs_yoyo ] Reload . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
2395       2395     0        -       2395
------------------------------------------------

[ ADs_hostfile ] Reload . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
47769      47766    1194     -       46572
------------------------------------------------

[ ADs_adaway ] Reload [ 06/06/16 16:58:30 ] . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
410        408      283      -       125
------------------------------------------------

[ ADs_Cameleon ] Reload . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
21195      21195    5956     -       15239
------------------------------------------------

[ EasyListElements ] Reload [ 06/06/16 16:58:32 ] . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
5133       4925     1255     -       3670
------------------------------------------------
IP count=23

[ EasyListPrivacy ] Reload . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
2571       2567     487      -       2080
------------------------------------------------
IP count=14

[ DNSBL_IP ] Updating aliastable [ 06/06/16 16:58:33 ]
------------------------------------------
no changes.
Total IP count = 37
------------------------------------------
------------------------------------------

Assembling database... completed
Validating database... completed
[ 06/06/16 16:58:35 ] Reloading Unbound ... Not completed.
DNSBL update [ 70081 ]... completed
------------------------------------------

===[ Continent Process ]============================================
[ pfB_Africa_v4 ] exists.
[ pfB_Africa_v6 ] exists.
[ pfB_Top_v4 ] exists.
[ pfB_Top_v6 ] exists.

===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

===[ FINAL Processing ]=====================================
[ Original IP count ] [ 51324 ]

===[ Deny List IP Counts ]===========================
51323 total
37758 /var/db/pfblockerng/deny/pfB_Top_v4.txt
8519 /var/db/pfblockerng/deny/pfB_Top_v6.txt
4516 /var/db/pfblockerng/deny/pfB_Africa_v4.txt
530 /var/db/pfblockerng/deny/pfB_Africa_v6.txt

===[ DNSBL Domain/IP Counts ] ===================================
70118 total
46572 /var/db/pfblockerng/dnsbl/ADs_hostfile.txt
15239 /var/db/pfblockerng/dnsbl/ADs_Cameleon.txt
3670 /var/db/pfblockerng/dnsbl/EasyListElements.txt
2395 /var/db/pfblockerng/dnsbl/ADs_yoyo.txt
2080 /var/db/pfblockerng/dnsbl/EasyListPrivacy.txt
125 /var/db/pfblockerng/dnsbl/ADs_adaway.txt
23 /var/db/pfblockerng/dnsbl/EasyListElements.ip
14 /var/db/pfblockerng/dnsbl/EasyListPrivacy.ip

====================[ Last Updated List Summary ]==============
Jun 5 03:00 pfB_Africa_v4
Jun 5 03:00 pfB_Africa_v6
Jun 5 03:00 pfB_Top_v4
Jun 5 03:00 pfB_Top_v6

IPv4 alias tables IP count
-----------------------------
42312

IPv6 alias tables IP count
-----------------------------
9050

Alias table IP Counts
-----------------------------
51360 total
37758 /var/db/aliastables/pfB_Top_v4.txt
8519 /var/db/aliastables/pfB_Top_v6.txt
4516 /var/db/aliastables/pfB_Africa_v4.txt
530 /var/db/aliastables/pfB_Africa_v6.txt
37 /var/db/aliastables/pfB_DNSBLIP.txt

pfSense Table Stats
-------------------
table-entries hard limit 2000000
Table Usage Count 124453

UPDATE PROCESS ENDED
-
I also found this in the pfblockerng.log:
... ...
[ DNSBL_IP ] Updating aliastable
------------------------------------------
no changes.
Total IP count = 37
------------------------------------------
------------------------------------------

Assembling database... completed
Validating database... completed
[ 06/06/16 17:00:03 ] Reloading Unbound ...error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
Not completed.
DNSBL update [ 70081 ]... completed
------------------------------------------
... ...
The weird thing to me is that I see the alerts in the Alerts tab, but the ads still show up on my screen.
If I need to post more info, let me know.
-
I also found this in the pfblockerng.log:
... ...
[ DNSBL_IP ] Updating aliastable
------------------------------------------
no changes.
Total IP count = 37
------------------------------------------
------------------------------------------

Assembling database... completed
Validating database... completed
[ 06/06/16 17:00:03 ] Reloading Unbound ...error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185:
Not completed.
DNSBL update [ 70081 ]... completed
------------------------------------------
... ...
The weird thing to me is that I see the alerts in the Alerts tab, but the ads still show up on my screen.
If I need to post more info, let me know.
Hi XmickS,
If you are using the Resolver in "Forwarder" mode, make sure that the DNS servers you are using support DNSSEC… This looks like a Resolver settings issue to me...
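Dok's diagnosis from "DNSBL update [ 0 ]" and BBcan177's from the "SSL handshake failed ... Not completed." lines are both things a script can pull out of the pfBlockerNG log. The following is an added example (not pfBlockerNG's code) that parses that log text: it reads each feed's Original/Unique/# Dups/Alexa/Final row, the "DNSBL update [ N ]" total, whether the Unbound reload completed, and any TLS errors printed during the reload, and turns them into short findings. The sample log below is constructed from the shapes of the log posted above (including an invented empty feed named Empty_feed); the line formats are whatever the installed pfBlockerNG version prints and may change between versions.

```python
"""Added example (not pfBlockerNG's own code): triage a pfBlockerNG DNSBL
update/reload log. Sample log constructed from the line shapes in this thread."""
import re

SAMPLE_LOG = """\
UPDATE PROCESS START [ 06/06/16 16:58:27 ]
===[ DNSBL Process ]================================================
[ ADs_yoyo ] Reload . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
2395       2395     0        -       2395
------------------------------------------------
[ ADs_adaway ] Reload [ 06/06/16 16:58:30 ] . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
410        408      283      -       125
------------------------------------------------
[ Empty_feed ] Reload . completed ..
------------------------------------------------
Original   Unique   # Dups   Alexa   Final
------------------------------------------------
0          0        0        -       0
------------------------------------------------
Assembling database... completed
Validating database... completed
[ 06/06/16 16:58:35 ] Reloading Unbound ...error: SSL handshake failed
34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1185:
Not completed.
DNSBL update [ 2520 ]... completed
"""

FEED_HEADER = re.compile(r"^\[ (\S+) \] Reload\b")
COUNT_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")
UPDATE_TOTAL = re.compile(r"DNSBL update \[ (\d+) \]")
TLS_ERROR_MARKERS = ("SSL handshake failed", "certificate verify failed")


def parse_dnsbl_log(text):
    """Return feed counts, the DNSBL update total, reload outcome and TLS errors."""
    report = {"feeds": {}, "update_total": None, "reload_completed": None, "tls_errors": []}
    current_feed = None          # feed whose count row we are waiting for
    awaiting_reload = False      # True between "Reloading Unbound" and its outcome
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FEED_HEADER.match(line)
        if m:
            current_feed = m.group(1)
            continue
        m = COUNT_ROW.match(line)
        if m and current_feed:
            report["feeds"][current_feed] = {
                "original": int(m.group(1)), "unique": int(m.group(2)),
                "dups": int(m.group(3)), "final": int(m.group(5)),
            }
            current_feed = None
            continue
        m = UPDATE_TOTAL.search(line)
        if m:
            report["update_total"] = int(m.group(1))
        if "Reloading Unbound" in line:
            awaiting_reload = True  # the outcome may be on this line or a later one
        if awaiting_reload:
            if any(marker in line for marker in TLS_ERROR_MARKERS):
                report["tls_errors"].append(line)
            if "Not completed" in line:
                report["reload_completed"] = False
                awaiting_reload = False
            elif line.rstrip(".").endswith("completed"):
                report["reload_completed"] = True
                awaiting_reload = False
    return report


def triage(report):
    """Turn the parsed report into the findings a reader of the thread would check first."""
    findings = []
    if report["update_total"] == 0:
        findings.append("DNSBL update count is 0: no domains were loaded; check that the feeds downloaded.")
    for name, c in report["feeds"].items():
        if c["final"] == 0:
            findings.append(f"feed {name} contributed 0 domains (original {c['original']}, dups {c['dups']}).")
    if report["reload_completed"] is False:
        findings.append("Unbound reload did not complete: the rebuilt DNSBL data was not loaded into the resolver.")
    if report["tls_errors"]:
        findings.append("TLS errors during the reload (certificate verify failed): review the DNS Resolver "
                        "settings, e.g. forwarding to servers without DNSSEC support, as suggested in the thread.")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dnsbl_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against a real log, the script reads the same text the Update tab shows; a reload that ends in "Not completed." is reported even when the per-feed counts look healthy, which is exactly the situation in the post above.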
-
It can be done just as Dok said above:
Point your LAN devices to pfSense Resolver/DNSBL, and then set the Resolver into "Forwarding mode" to the opendns servers… But keep in mind that opendns doesn't support DNSSEC, so disable those options...
Stupid me, that was easy (one check mark on and one off). But when using "Forwarding mode" am I not losing DNSBL and so a lot of the "power" of your ad blocker? In your professional opinion am I now penny wise and pound foolish?
DNSBL has nothing to do with either "Forwarder" or "Resolver" mode in Unbound… It's a preference... But it is best to use "Resolver" mode, as you are then using the Root DNS Servers for the DNS requests...
Here is a good primer about the DNS Resolver (Unbound) https://calomel.org/unbound_dns.html