DNS Resolver not forwarding + DNSBL



  • Hey everyone,

    I'm really hoping someone can assist me. I have recently set up PFBlockerNG and the blocklists are working no probs. I then enabled the DNSBL functionality, during which I had to disable the DNS Forwarder and enable the DNS Resolver. The DNSBL functionality is working fine with the DNS Resolver, but now my ability to forward DNS requests is no longer working.

    Here's my set up (very simple)

    pfSense 2.2.6
    extra packages - only PFBlockerNG

    Hardware:
    pfSense box 4 NICs - Only 2 used - 1 for WAN, 1 for LAN
    Cable Modem
    Managed Switch
    Client machines/devices
    2 WAPs

    Layout:

    pfSense --> into WAN port on modem - WAN = igb0
    pfSense --> into LAN port on managed switch - LAN = igb1
    client devices and WAPs connect to managed switch
    I also have 3 chromecast devices connected to the WAPs

    Rules:

    I only have some port forwards for my plex publishing and my p2p ports
    I also have DNS redirects for my Chromecast devices; each device has a DHCP reservation, and the rule uses that IP and redirects all DNS traffic back to pfSense to get around Google's hardcoded DNS servers.

    Issue:

    Before I enabled DNSBL in PFBlockerNG & DNS Resolver, the DNS Forwarder was working perfectly, forwarding my DNS traffic for things like Netflix, Hulu, Pandora etc. on to my SmartDNS service, allowing me to bypass the geo-blocking and access US content (I'm in Australia). Now with DNS Resolver it's no longer doing that, and is sending me to the Australian version of Netflix, and I can't for the life of me work out why. The 2 SmartDNS servers are the first two in my DNS server entries and my ISP's are the next 2 in System->General, and 'Allow DNS server list to be overridden by DHCP/PPP on WAN' is unticked.

    Troubleshooting:

    First I have changed my client side DNS settings to point to the SmartDNS servers - works fine .... when switched back to pfSense IP, fails
    In DNS Resolver:

    Unticked Enable DNSSEC Support - didn't fix
    Unticked Harden DNSSEC data - didn't fix
    Unticked Enable Forwarding Mode - didn't fix
    Ticked Enable Forwarding Mode again - didn't fix
    Set up manual domain overrides for www.netflix.com, netflix.com, movies.netflix.com pointing to the smartDNS servers - didn't fix

    In pfSense:
    Removed my ISP DNS servers - didn't fix
    Set up the DNS Forwarder service to run on port 54 alongside DNS Resolver on port 53 - didn't fix
    In DNS Forwarder, set up manual domain overrides for www.netflix.com, netflix.com, movies.netflix.com pointing to the SmartDNS servers - didn't fix
    In DNS Resolver, set up manual domain overrides for www.netflix.com, netflix.com, movies.netflix.com pointing to the SmartDNS servers using @54 on the end to point to the DNS Forwarder service - didn't fix
    Used DNS Lookup in Diagnostics and tested the Netflix domains; all of them resolve via the SmartDNS servers set in the general settings, along with my ISP DNS servers, which respond faster (not sure if DNS Resolver goes on the first server to respond? ..... as there is no 'Query servers sequentially' option in Resolver like there is in Forwarder)

    Switching back to DNS Forwarder and everything works fine, except now I can't use DNSBL functions.....

    If anyone can give me some idea of where I should look next I would really appreciate it! :)


  • Moderator

    There are some inherent security issues with this approach.. See the "Dangers of use" section in the following link:

    https://en.wikipedia.org/wiki/Smart_DNS_proxy_server

    There are some other approaches that others are using:
    https://www.reddit.com/r/PFSENSE/comments/48prww/amazon_aws_whitelist_using_vpn_gateway_for/

    I don't think that SmartDNS is using DNSSEC either… If you're using the Resolver in forwarder mode, you should only enter the SmartDNS DNS servers in pfSense.
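
The two configuration points raised in this thread (the per-domain overrides with an `@port` suffix in the first post, and the advice just above to list only the intended forwarders when the Resolver runs in forwarding mode) both come down to what ends up in unbound's `forward-zone` stanzas, which is what the pfSense DNS Resolver generates. The following is an added example, not code from pfSense or pfBlockerNG: it builds those stanzas from a server list and a set of domain overrides, validates the `ip@port` form, and flags any forwarder that is not in the intended set. The reason that check matters is that unbound does not query its forwarders in listed order; it picks among all `forward-addr` entries based on measured round-trip time, so a faster ISP resolver left in the list can answer for any name. All addresses below are constructed documentation-range placeholders.

```python
"""Build unbound forward-zone stanzas (as pfSense's DNS Resolver writes them)
and flag forwarders outside the intended set.  Added example, not pfSense or
pfBlockerNG code; all server addresses are constructed placeholders."""
import ipaddress


def _forward_addr(server):
    """Validate 'ip' or 'ip@port' and return it in unbound's forward-addr form."""
    ip, _, port = server.partition("@")
    ipaddress.ip_address(ip)            # raises ValueError on a malformed address
    if port:
        p = int(port)
        if not 1 <= p <= 65535:
            raise ValueError(f"bad port in {server!r}")
        return f"{ip}@{p}"
    return ip


def is_valid_server(server):
    """True when the entry would be accepted as a forward-addr."""
    try:
        _forward_addr(server)
        return True
    except ValueError:
        return False


def forward_zone(name, servers):
    """One unbound forward-zone stanza; name '.' forwards every query."""
    if not servers:
        raise ValueError("a forward-zone needs at least one server")
    lines = ["forward-zone:", f'    name: "{name}"']
    lines += [f"    forward-addr: {_forward_addr(s)}" for s in servers]
    return "\n".join(lines) + "\n"


def resolver_config(global_servers, overrides):
    """Global forwarders plus per-domain overrides (pfSense 'Domain Overrides')."""
    parts = [forward_zone(".", global_servers)]
    parts += [forward_zone(dom, srvs) for dom, srvs in overrides.items()]
    return "\n".join(parts)


def mixed_upstreams(global_servers, intended):
    """Forwarders whose address is not in the intended set.

    unbound selects among all forward-addr entries by measured RTT, not by
    list position, so any extra server here can answer for any name."""
    return [s for s in global_servers if s.split("@")[0] not in intended]


# Constructed sample values (documentation ranges, not real resolvers).
SMARTDNS = ["198.51.100.10", "198.51.100.11"]
ISP = ["203.0.113.53", "203.0.113.54"]
# The first post's trick: point an override at a second service on port 54.
OVERRIDES = {"netflix.com": ["127.0.0.1@54"], "movies.netflix.com": SMARTDNS}

if __name__ == "__main__":
    print(resolver_config(SMARTDNS + ISP, OVERRIDES))
    print("forwarders outside the intended set:",
          mixed_upstreams(SMARTDNS + ISP, set(SMARTDNS)))
```

Running it prints the generated stanzas followed by the two ISP entries, which is the condition the thread describes: with both sets listed under System > General, answers for geo-sensitive names can come from whichever server unbound currently rates fastest.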



  • Thanks for your reply BBcan!

    I will read up on the links that you have provided, and see if I can configure it better.

    Weirdly enough, I disabled both DNS Forwarder, Resolver, and DNSBL, then re-enabled DNSBL and DNS Resolver, and voila, it just started working perfectly …. No idea what happened.

