PfBlockerNG v2.0 w/DNSBL



  • @BBcan177:

    @D0X:

    But now when browsing I continuously get Safari telling me the certificate is invalid (as shown in the attached picture, it is in Dutch but I think you'll get it).

    Safari seems to be the only browser that has this issue. Doesn't seem to occur with Chrome/FF/IE/Edge etc…

    Are these cert popups happening when you browse to that blocked Domain directly, or when its blocking that Domain as part of the webpage?  Two checks to ensure DNBSL is working as expected... Ping the DNSBL VIP and get a proper response ... Browse to the DNSBL VIP and get the 1x1 pix...

    If the popups are from a few common Domains, try to whitelist those and see if that improves it.

    Also, in the IPv4 tab, you cannot enter any EasyList Feeds... the IPv4 tab is for IP based listed only.

    DNSBL is designed to block the DNS resolution to Advert/Malicious Domains. As such only a portion of the EasyList/Privacy Feeds can be used (Where the feeds lists the actual ADvert Domain). Browser-Addons like ADBlock/UBlock manipulate the elements that are displayed on the page. So they can block certain elements from a particular Domain, while DNSBL can only block the entire Domain.

    Only two EasyList feeds can be used with DNSBL and they are hardcoded in the EasyList Tab. There are several other DNSBL Feeds listed at the start of this thread that can fill in the gap to block the balance of the Domains from serving any ADs.  Plus its achieved at Network level, without any add-ons manipulating or potentially opening security holes in the browser.

    It would really be nice if Safari fixed this issue with their software... Not much I can do to fix that without killing the package logging feature and just NXDOMAIN the DNS requests.

    I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net.  The latest events were from a banking site and when reading an article on macgroup.org.

    I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon.  I've white listed googleads.g.doubleclick.net.

    Is there anything else I can do in the pfBlockerNG settings to sort this out?

    I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.



  • @khorton:

    I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net.  The latest events were from a banking site and when reading an article on macgroup.org.

    I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon.  I've white listed googleads.g.doubleclick.net.

    Is there anything else I can do in the pfBlockerNG settings to sort this out?

    I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.

    When you whitelist using the Alerts Tab, pfBlockerNG will identify if there are CNAMEs for the domain name and whitelist the CNAME as well.

    However when you put a domainname in the Custom Domain Whitelist, you have to find the CNAMEs on your own:

    drill @8.8.8.8 googleads.g.doubleclick.net
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19703
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; googleads.g.doubleclick.net.	IN	A
    
    ;; ANSWER SECTION:
    googleads.g.doubleclick.net.	299	IN	CNAME	pagead46.l.doubleclick.net.
    pagead46.l.doubleclick.net.	299	IN	A	172.217.1.98
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 74 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Wed Aug 31 15:25:50 2016
    ;; MSG SIZE  rcvd: 86
    
    

    Then you add pagead46.l.doubleclick.net to the Custom Domain Whitelist



  • @RonpfS:

    @khorton:

    I'm running the latest pfBlockerNG package on pfSense 2.3, and I have the same issue with Safari on OS X and iOS complaining about invalid certificates from googleads.g.doubleclick.net.  The latest events were from a banking site and when reading an article on macgroup.org.

    I've confirmed that I can ping to the VIP, and a browser sent to the VIP:8081 gets a 1x1 favicon.  I've white listed googleads.g.doubleclick.net.

    Is there anything else I can do in the pfBlockerNG settings to sort this out?

    I'd send a bug report to Apple on this, but I don't understand the problem nearly well enough to know how to properly describe the issue.

    When you whitelist using the Alerts Tab, pfBlockerNG will identify if there are CNAMEs for the domain name and whitelist the CNAME as well.

    However when you put a domainname in the Custom Domain Whitelist, you have to find the CNAMEs on your own:

    drill @8.8.8.8 googleads.g.doubleclick.net
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19703
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; googleads.g.doubleclick.net.	IN	A
    
    ;; ANSWER SECTION:
    googleads.g.doubleclick.net.	299	IN	CNAME	pagead46.l.doubleclick.net.
    pagead46.l.doubleclick.net.	299	IN	A	172.217.1.98
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 74 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Wed Aug 31 15:25:50 2016
    ;; MSG SIZE  rcvd: 86
    
    

    Then you add pagead46.l.doubleclick.net to the Custom Domain Whitelist

    Thanks for the info.  I've added pagead46.l.doubleclick.net to the Custom Domain Whitelist.  We'll see if that helps.

    But, I already had .doubleclick.net in the Custom Domain Whitelist.  I thought the "." at the start was supposed to cover all the sub-domains.  Does that not work?  Or, is this a hint that we're chasing the wrong fix to the problem?


  • Moderator

    @khorton:

    But, I already had .doubleclick.net in the Custom Domain Whitelist.  I thought the "." at the start was supposed to cover all the sub-domains.  Does that not work?  Or, is this a hint that we're chasing the wrong fix to the problem?

    If you had the prefixed dot, then it should have cleared all of those Domains…

    You can check with the following cmd and see if there are any Domains ending with doubleclick.net in the DNSBL blocklist.

    grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
    

    You can also go into Dev mode in the Browser (then goto console), then see if it could be a different Domain that is causing this issue…



  • @BBcan177:

    If you had the prefixed dot, then it should have cleared all of those Domains…

    You can check with the following cmd and see if there are any Domains ending with doubleclick.net in the DNSBL blocklist.

    grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
    

    You can also go into Dev mode in the Browser (then goto console), then see if it could be a different Domain that is causing this issue…

    It looks like there was quite a long list of doubleclick.net domains already caught:

    grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf
    local-data: "ad-apac.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "ad-emea.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "ad.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "ad.mo.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "doubleclick.net 60 IN A 10.10.10.1"
    local-data: "gan.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "googleads.g.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "iv.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "n4403ad.doubleclick.net 60 IN A 10.10.10.1"
    local-data: "pubads.g.doubleclick.net 60 IN A 10.10.10.1"
    

    I am unable to trigger the SSL certificate error now, but next time it happens I'll check the Safari error console in Dev mode.


  • Moderator

    @khorton:

    It looks like there was quite a long list of doubleclick.net domains already caught:

    If you manually add any domains to the DNSBL Whitelist, you must execute a "Force Reload - DNSBL" for the whitelist to take effect.

    If you added    .doubleclick.net  to the DNSBL Whitelist, then the grep command above should have returned no results, since that Domain is in the DNSBL whitelist…



  • @BBcan177:

    @khorton:

    It looks like there was quite a long list of doubleclick.net domains already caught:

    If you manually add any domains to the DNSBL Whitelist, you must execute a "Force Reload - DNSBL" for the whitelist to take effect.

    Is this the "Reload" selection on the Update page?  I was running "Update" after making any changes.

    If you added    .doubleclick.net  to the DNSBL Whitelist, then the grep command above should have returned no results, since that Domain is in the DNSBL whitelist…

    By "DNSBL whitelist", do you mean the "Custom Domain Whitelist" on the DNSBL page? ".doubleclick.net" (without the quotes) is the first line on that list.  Or should I be looking a different whitelist?


  • Moderator

    @khorton:

    Is this the "Reload" selection on the Update page?  I was running "Update" after making any changes.

    Yes the Update tab has "Update|Cron|Reload" buttons… For Reload you can further select a reload of IP/DNSBL or All...

    Force Update will not "Reload" any changes that you made... Without running a "Force Reload", a previously downloaded Feed will not use the new settings, until Cron runs, and its re-downloaded... So thats the reason for the "Force Reload" button.

    Click on the blue "i" infoblock Icons on the pages… It will show additional help text...

    By "DNSBL whitelist", do you mean the "Custom Domain Whitelist" on the DNSBL page? ".doubleclick.net" (without the quotes) is the first line on that list.  Or should I be looking a different whitelist?

    Yes, DNSBL Custom Whitelist.



  • @BBcan177:

    @khorton:

    Is this the "Reload" selection on the Update page?  I was running "Update" after making any changes.

    Yes the Update tab has "Update|Cron|Reload" buttons… For Reload you can further select a reload of IP/DNSBL or All...

    Force Update will not "Reload" any changes that you made... Without running a "Force Reload", a previously downloaded Feed will not use the new settings, until Cron runs, and its re-downloaded... So thats the reason for the "Force Reload" button.

    Click on the blue "i" infoblock Icons on the pages… It will show additional help text...

    By "DNSBL whitelist", do you mean the "Custom Domain Whitelist" on the DNSBL page? ".doubleclick.net" (without the quotes) is the first line on that list.  Or should I be looking a different whitelist?

    Yes, DNSBL Custom Whitelist.

    Thanks for the clarification.  I had previously read the info triggered by the blue "i"s.  It makes perfect sense now that I know how the option works.  I had assumed, incorrectly, that the lists would be reloaded after an update.

    Now, when I run 'grep "doubleclick.net" /var/unbound/pfb_dnsbl.conf', I get a null result, apparently as expected.  And, happily, my wife hasn't complained about Safari barfing up SSL certificate errors for over 24 hours.



  • @reason:

    When running the force reload dnsbl, I noticed some of the TLD's, that I enter in the custom whitelist, were listed but not the exact subdomains that should have been whitelisted by using (for example) .facebook.com. I wanted mail.facebook.com to be whitelisted but it whitelisted ads.facebook.

    If you put .FQDN it will whitelist the whole .FQDN domain, If you put .facebook.com it will whitelist the whole .facebook.com domain, mail.facebook.com, ads.facebook.com, what.ever.they.use.facebook.com, etc.

    @reason:

    Newegg was not even listed.

    So it looks like it searching the other DNSBL lists for those hostnames but not finding them so it's not exclusively whitelisting them.

    Do I need to enter the fqdn as listed in the alerts?

    Look at the Alerts Tab DNSBL section and hover over the "+" icon, it will tell you why the blocks happens.
    You can also click on it to Whitelist it from the alerts tabs. When the whitelisting happens, it will comes back with what actions it tooks. Sometimes it will also whitelist CNAME of the FQDN. Then have a look at the Custom Domain Whitelist to see what was done.

    There is also a legend infoblock at the bottom of the page.



  • @BBcan177:

    Here are some basic instructions to get started with DNSBL.

    1. Open the pfBNG "DNSBL" Tab:

    (Use the defaults unless you have a need to use otherwise)
    Enter the DNSBL VIP as 10.10.10.1
    Enter the DNSBL Listening Port as 8081
    Enter the DNSBL SSL Listening port as 8443
    Select the DNSBL Listening Interface as Lan

    I have vlans configured on pfsense. Therefore there is no LAN option. The my only options are the different vlans, so what can I choose for the listening interface?


  • Moderator

    @maverik1:

    @BBcan177:

    Here are some basic instructions to get started with DNSBL.

    1. Open the pfBNG "DNSBL" Tab:

    (Use the defaults unless you have a need to use otherwise)
    Enter the DNSBL VIP as 10.10.10.1
    Enter the DNSBL Listening Port as 8081
    Enter the DNSBL SSL Listening port as 8443
    Select the DNSBL Listening Interface as Lan

    I have vlans configured on pfsense. Therefore there is no LAN option. The my only options are the different vlans, so what can I choose for the listening interface?

    Hi maverik1,

    I haven't tested that before, but I assume that it should be ok to choose any one of the VLANS…

    After enabling DNSBL, run this command from the shell to see if the DNSBL VIP is assigned to the VLAN:

    ifconfig
    

    You should see a line like this in the VLAN:

    inet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1
    

    Then try to ping the DNSBL VIP address and see if it responds…

    Since you have multiple VLANs, its a good idea to enable the DNSBL Permit rule option....



  • I can confirm pfbNG works fine with VLANs.



  • OK here's a strange occurrence…
    pfSense just upgraded to 2.3.2 but this behaviour happened with 2.2.1 on a physically different router.

    pfb version 2.1.1_4.

    On our LAN when we use google chrome (latest) and go to google it can take several seconds for google to display. Doing a search can take 20 seconds to respond, but it does come back eventually.

    On firefox or any other browser, internet access is instant, including identical searches on the same PC simultaneously.

    pfb is working OK when enabled ie blocking incoming and outgoing ipv4 correctly.

    When pfBlockerNG is disabled, searches and access on chrome become instant too, so something in pfBlocker is slowing down just chrome.
    This behaviour is consistent across different PCs on different versions of windows.

    I don't really have much idea what this can be, and logs aren't telling me much.

    tl;dr - chrome+pfblockerng = very slow. Firefox = fast. Turn off pfblocker =all browsers incl chrome fast



  • @robatwork:

    OK here's a strange occurrence…
    pfSense just upgraded to 2.3.2 but this behaviour happened with 2.2.1 on a physically different router.

    pfb version 2.1.1_4.

    On our LAN when we use google chrome (latest) and go to google it can take several seconds for google to display. Doing a search can take 20 seconds to respond, but it does come back eventually.

    On firefox or any other browser, internet access is instant, including identical searches on the same PC simultaneously.

    pfb is working OK when enabled ie blocking incoming and outgoing ipv4 correctly.

    When pfBlockerNG is disabled, searches and access on chrome become instant too, so something in pfBlocker is slowing down just chrome.
    This behaviour is consistent across different PCs on different versions of windows.

    I don't really have much idea what this can be, and logs aren't telling me much.

    tl;dr - chrome+pfblockerng = very slow. Firefox = fast. Turn off pfblocker =all browsers incl chrome fast

    What block lists are you running?  Also, ctrl-shift-I to get into dev mode for both look at performance in FF and timeline in chrome, run them both and compare.



  • @tonymorella:

    What block lists are you running?  Also, ctrl-shift-I to get into dev mode for both look at performance in FF and timeline in chrome, run them both and compare.

    Currently running top_v4 and top_v6 by selecting various countries in the Top 20.
    Also 5 lists in IPv4 to block some social networking sites by AS number.
    And DNSBL is enabled although I was testing the speed prior to this and I don't think it made any difference. TLD isn't ticked. All other options are default.


  • Moderator

    @robatwork:

    On our LAN when we use google chrome (latest) and go to google it can take several seconds for google to display. Doing a search can take 20 seconds to respond, but it does come back eventually.

    You can open the Chrome cache viewer with this URL (Clear that and see if it helps):

    chrome://net-internals/#dns
    

    Also ensure that the LAN devices only have pfSense as its DNS server.



  • @BBcan177:

    @robatwork:

    On our LAN when we use google chrome (latest) and go to google it can take several seconds for google to display. Doing a search can take 20 seconds to respond, but it does come back eventually.

    You can open the Chrome cache viewer with this URL (Clear that and see if it helps):

    chrome://net-internals/#dns
    

    Also ensure that the LAN devices only have pfSense as its DNS server.

    Will try the cache clear, thanks.

    However the LAN devices are all set with our domain servers as DNS servers. The DNS on the AD servers are all set to just have the pfsense as the only forwarder. pfSense has DNS Resolver only. I did just watch the last hangout about DNS and believe that I am setup OK with just resolver even though we are multi-WAN.  If you think I'd be better off with DNS forwarder instead please let me know.

    Thanks for your help :)


  • Moderator

    @robatwork,

    So to be clear, ensure that the LAN devices have only your AD DNS servers defined. Then set the AD DNS server DNS Forwarder settings to pfSense only…  This way DNSBL will filter the traffic.

    The resolver can be in Resolver mode or in Forwarder mode....  I recommend Resolver mode....

    If you are referring to the DNS Forwarder (dnsmasq), then DNSBL will not function, as its not configured for that.



  • @BBcan177:

    @robatwork,

    So to be clear, ensure that the LAN devices have only your AD DNS servers defined. Then set the AD DNS server DNS Forwarder settings to pfSense only…  This way DNSBL will filter the traffic.

    The resolver can be in Resolver mode or in Forwarder mode....  I recommend Resolver mode....

    That is exactly how we are configured (in Resolver mode). Testing continues….



  • Hi all,

    Yesterday I added 4 new lists to DNSBL, see attachment 1.

    Right after I added these new lists, my DNSBL Alerts/Log stopped working, and all blocks are now shown in the "DENY" log section. See attachment 2.

    Can anyone shed light as to what I have done wrong?

    Thanks

    BR Jim





  • Moderator

    Hi jim82,

    In the DNSBL tab, only add DNSBL based feeds, the RW_IPBL is an IP based list that should be added to the IPv4 Tab.

    Goto the General Tab, and enable Suppression and follow that with a Force Reload - All… This will remove any RFC1918 or loopback addresses that might be in a list. I am going to make this standard in the next release to avoid this issue...  The Deny alerts that you see are from the DNSBL_IP firewall rule. In DNSBL, you enabled the "DNSBL_IP" option which will collect and block any IP addresses that are found in a Domain based feed.



  • Thanks a lot for your swift reply! Should I remove the RW_IPBL list from DNSBL?

    BR Jim
    EDIT: I've now removed the list from DNSBL and added it to IPv4, is this the correct way of doing it?

    @BBcan177:

    Hi jim82,

    In the DNSBL tab, only add DNSBL based feeds, the RW_IPBL is an IP based list that should be added to the IPv4 Tab.

    Goto the General Tab, and enable Suppression and follow that with a Force Reload - All… This will remove any RFC1918 or loopback addresses that might be in a list. I am going to make this standard in the next release to avoid this issue...  The Deny alerts that you see are from the DNSBL_IP firewall rule. In DNSBL, you enabled the "DNSBL_IP" option which will collect and block any IP addresses that are found in a Domain based feed.



  • @RonpfS:

    The tables are built from MaxMind GeoIPLite2 database, pfblockerNG just take the db and create the files for it's usage. MaxMind support has been contacted about the size being 3x larger than before.

    Just out of curiosity, is there any progress on this? I saw that MaxMind: Last-Modified: Tue, 02 Aug 2016 is still on August. Of course I could do a "php /usr/local/www/pfblockerng/pfblockerng.php dc", but everything is working fine (pfBlockerNG v2.1.1_4) so no need for it, as in ….if it ain't broke, than don't try to fix it ;)

    Cheers Qinn



  • Hello I keep getting this in the update log

    Could not open ISO

    UPDATE PROCESS START [ 10/09/16 10:30:37 ]
    
    ===[  DNSBL Process  ]================================================
    
    [ hphost_partial ]	 exists.
    [ mvps_hosts ]		 exists.
    [ SomeoneWhoCares ]	 exists.
    [ BBcan177 ]		 exists.
    [ DNSBL_IP ]		 Updating aliastable... 
      no changes.
      Total IP count = 1
    
    ===[  Continent Process  ]============================================
    
    Could not open ISO [ SH_v4 ]
    
    [ pfB_Africa_v4 ]	 exists.
    Could not open ISO [ AP_v4 ]
    
    Could not open ISO [ CX_v4 ]
    
    Could not open ISO [ CC_v4 ]
    
    [ pfB_Asia_v4 ]		 exists. [ 10/09/16 10:30:38 ]
    Could not open ISO [ PN_v4 ]
    
    [ pfB_Oceania_v4 ]	 exists.
    [ pfB_SAmerica_v4 ]	 exists.
    [ pfB_Top_v4 ]		 exists.
    [ pfB_Top_v6 ]		 exists. [ 10/09/16 10:30:42 ]
    [ pfB_PS_v4 ]		 exists.
    
    ===[  IPv4 Process  ]=================================================
    
    ===[  IPv6 Process  ]=================================================
    
    ===[  Aliastables / Rules  ]==========================================
    
    No changes to Firewall rules, skipping Filter Reload
    No Changes to Aliases, Skipping pfctl Update
    
     UPDATE PROCESS ENDED [ 10/09/16 10:30:43 ]
    

  • Moderator

    @varazir:

    Could not open ISO [ SH_v4 ]
    Could not open ISO [ AP_v4 ]
    Could not open ISO [ CX_v4 ]
    Could not open ISO [ CC_v4 ]
    Could not open ISO [ PN_v4 ]

    Yes this is an issue with the MaxMind monthly database changes not reporting on some GeoIPs… I have a fix for this which will be in the next release which will add a "placeholder" for all GeoIPs regardless if they are not defined by MaxMind...  Just ignore for the time being...


  • Moderator

    @jim82:

    Thanks a lot for your swift reply! Should I remove the RW_IPBL list from DNSBL?
    EDIT: I've now removed the list from DNSBL and added it to IPv4, is this the correct way of doing it?

    Yes… remove from DNSBL and Add the RW_IPBL to the IPv4 tab...


  • Moderator

    @Qinn:

    Just out of curiosity, is there any progress on this? I saw that MaxMind: Last-Modified: Tue, 02 Aug 2016 is still on August. Of course I could do a "php /usr/local/www/pfblockerng/pfblockerng.php dc", but everything is working fine (pfBlockerNG v2.1.1_4) so no need for it, as in ….if it ain't broke, than don't try to fix it ;)

    Do you have any MaxMind update errors in  /var/log/pfblockerng/geoip.log?

    I would manually run the update and see if it reports any errors…

    php /usr/local/www/pfblockerng/pfblockerng.php dc
    


  • Hi.

    I keep watching in the general system log entries like this:
    *nginx: 2016/10/10 19:04:39 [error] 23499#100098: 737 open() "/usr/local/www/utsync.ashx" failed (2: No such file or directory),client: 10.10.10.1, server: , request: "GET /utsync.ashx?eid=50052&et=0&fp=2X9bJ6tnRz5B2L0llgZVTWayaMg4TcNYwOj-CDyEPl1k&return=http%3A%2F%2Fps.eyeota.net%2Fmatch%3Fbid%3Dr8hrb20%26uid%3Dnil HTTP/1.1", host: "ml314.com", referrer: "http://viraliq.com/15-musicians-didnt-know-passed?utm_source=revcontent&utm_medium=referral&utm_campaign=desktop&utm_content_id=996712&utm_boost_id=116872&utm_targeting=editorial news&utm_widget_id=31653"

    I understand that DNSBL has successfully diverted the DNS petition to server 10.10.10.1 and the requested file is not there but is, logging these messages, the right behavior?

    Is there a way to disable them?. They are populating the system logs and hiding important stuff.



  • just wanted to give a personal thank you to bbcan for his committed FREE support on this amazing addon.

    you sir are a legend :)



  • @BBcan177:

    @Qinn:

    Just out of curiosity, is there any progress on this? I saw that MaxMind: Last-Modified: Tue, 02 Aug 2016 is still on August. Of course I could do a "php /usr/local/www/pfblockerng/pfblockerng.php dc", but everything is working fine (pfBlockerNG v2.1.1_4) so no need for it, as in ….if it ain't broke, than don't try to fix it ;)

    Do you have any MaxMind update errors in  /var/log/pfblockerng/geoip.log?

    I would manually run the update and see if it reports any errors…

    php /usr/local/www/pfblockerng/pfblockerng.php dc
    

    I encoutered no errors, so no log file. Btw I am on a APU2C4, 2.3.2-RELEASE-p1 (amd64) and pfBlockerNG 2.1.1_4



  • pfBlockerNG on Bridge

    Just wondering if anybody else has seen this.

    I run a Bridged Setup (WAN-LAN) and have setup the Management IP on the Bridge Interface (192.168.15.215). This Interface also listens on other ports (OpenVPN , NTP) including 53 for unbound.

    DNSBL listens on the default ports and the VIP is 192.168.15.216. I know that ideally this would be a different net, but DNSBL appears to work fine.

    I do get strange DNSBL Log entries which I do not understand:
    e.g.
    DNSBL Recject,Oct 22 16:09:42,192.168.15.216,192.168.15.1, | / |

    The pfBlcokerNG Alerts Tab shows the same entry with "No Match" . i.e. unable to determine which DNSBL Feed triggered the "Reject"

    Ip Address 192.168.15.1 is the gateway (an ISP Provided router I cannot replace). I don't know why 192.168.15.1 would want to contact the DNSBL VIP?



  • I was able to narrow down the issue through further testing.

    The log entry and its assorted Alert ("No Match") …

    DNSBL Recject,Oct 22 16:09:42,192.168.15.216,192.168.15.1, | / |

    ... can be reproduced by manually testing the DNSBL VIP Ports. e.g. http://vip-ip:80 (8081) . The error is generated for both https and https on ports (80, 8081, 443, 8433)

    As it turns out our ISP Provided router wants to connect to the DNSBL VIP IP via port 80 (Seen via packet capture)...
    Since WAN and LAN Interfaces are Bridged and filtering is done on the Bridge IF I have no way of blocking the Routers connection attempts...



  • Quick Q- in the sync section there is "Sync to configured backup server." Is this for CARP installs?
    I'd like to have my HQ box sync not only to the other carp member but also our regional offices. Wondering if/how this works.



  • sorry if this seems like a basic question as this thread is extremely long so just managed to read around 20% of it.

    im new to pfblockerng and what i was looking for is be able to block DNS on a per host basis which i dont seem to be able to make it work, as soon as i try to block youtube.com it aplies to unbound in general for every1.

    is it even possible to block dns on a per host basis as most other threads i read was using opendns but that too it applies in general for every1



  • @xbipin:

    sorry if this seems like a basic question as this thread is extremely long so just managed to read around 20% of it.

    im new to pfblockerng and what i was looking for is be able to block DNS on a per host basis which i dont seem to be able to make it work, as soon as i try to block youtube.com it aplies to unbound in general for every1.

    is it even possible to block dns on a per host basis as most other threads i read was using opendns but that too it applies in general for every1

    You could put those hosts on a separate interface. I would think that'd be easy enough.



  • @blueduckdock:

    @xbipin:

    sorry if this seems like a basic question as this thread is extremely long so just managed to read around 20% of it.

    im new to pfblockerng and what i was looking for is be able to block DNS on a per host basis which i dont seem to be able to make it work, as soon as i try to block youtube.com it aplies to unbound in general for every1.

    is it even possible to block dns on a per host basis as most other threads i read was using opendns but that too it applies in general for every1

    You could put those hosts on a separate interface. I would think that'd be easy enough.

    well we have a small LAN and creating separate interfaces using vlans would be some what of a overkill.
    if unbound could serve DNS queries per host that would solve this as i believe it would be a very useful feature and many would be interested in.



  • You could Configure your DHCP server  and specify the DNS option as external DNS server e.g. Google DNS.
    For the small number if hosts you need to filter create a static DHCP Mapping(Reservation) and specify the unbound DNS server on the LAN Address.
    Create an IP alias for these hosts and create a firewall rule to stop them acciessing any other DNS servers.

    Obviously this creates a problem when all hosts must use the unbound resolver.

    Other options would be - running a few virtual instances of pfSense -each with their own DnS resolver and DNSBLs. Then specify custom DNS servers via DHCP mappings.



  • we currently block external DNS access from LAN and force every1 to use unbound and i guess unbound config doesnt mention any option to filter dns per host or probably run multiple instances of it which would seem like a more easier option without the complexities do multiple other things for same effect.

    cyber roam i guess does this dns filtering per host so curious on how do they achieve it as many other ppl in my region use that just for the purpose of blocking certain domains per host


  • Moderator

    There is no option in The Unbound Resolver to "Filter by host"…. So if you want to bypass DNSBL for some hosts... You need to define a different DNS server for those LAN devices....


Log in to reply