DNS Issue PF Sense

elliott35

Maybe someone can tell me what I'm doing wrong. I want to change DNS provider from my ISP to Cloudflare & Google (as secondary). Also, I want to enable TLS encryption on DNS. Each time I enter the settings as I understand them I can't access the internet. Any ideas? I have Squid proxy server running as well as pfBlockerNG.

 

I have isolated the issue to this code in DNS Resolver > Custom Settings:

server:
  include: /var/unbound/pfb_dnsbl.*conf

forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 8.8.8.8@853

It all goes to shit when I save that code... Any ideas?


pfBlocker's DNSBL uses 10.10.10.1 and has a NAT rule for 80/443 to 8081/8443.

What is it you are attempting to accomplish? The forwarders are specified in System > General; you don't need to specify forwarder addressing in the DNS Resolver config unless you are using different resolvers from the standard System > General config.

Please quote or tag me if you need a reply


2 hours ago, Falconevo said:

pfBlocker's DNSBL uses 10.10.10.1 and has a NAT rule for 80/443 to 8081/8443.

What is it you are attempting to accomplish? The forwarders are specified in System > General; you don't need to specify forwarder addressing in the DNS Resolver config unless you are using different resolvers from the standard System > General config.

How they did it IS the correct way to do it for the Cloudflare TLS service.

However, 8.8.8.8 is a Google server; it should be 1.0.0.1 for Cloudflare's secondary DNS server.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


1 hour ago, Alex Atkin UK said:

How they did it IS the correct way to do it for the Cloudflare TLS service.

However, 8.8.8.8 is a Google server; it should be 1.0.0.1 for Cloudflare's secondary DNS server.

No, you are missing the point; this has nothing to do with Cloudflare. Cloudflare is 1.1.1.1, which is an external address. It also has nothing to do with Google. pfBlocker DNSBL has a function to intercept and deny DNS requests based on blacklisted DNS values or input from custom listing.

10.10.10.1 is a virtual address which pfSense and pfBlocker use for DNSBL (DNS Blacklist), which routes all requests for DNS made by the internal network straight into the DNS Blacklist listener (10.10.10.1).

DNSBL default config, which uses the virtual address of 10.10.10.1:
[screenshot omitted]

DNSBL default NAT rule to forward all 10.10.10.1 requests to localhost for processing via pfBlocker:
[screenshot omitted]

 


Those forwards AFAIK are just so that it can feed a blank image/page as a replacement for the content you are blocking.

 

I admit I haven't used DNSBL but logically it should be using Unbound to resolve all DNS and just feeding a list of IP addresses to bypass, the same way you can do manually for overrides.


5 minutes ago, Alex Atkin UK said:

Those forwards AFAIK are just so that it can feed a blank image/page as a replacement for the content you are blocking.

 

I admit I haven't used DNSBL but logically it should be using Unbound to resolve all DNS and just feeding a list of IP addresses to bypass, the same way you can do manually for overrides.

It is using an Unbound resolver, but the request is run via a 'local loop' before being returned to the requestor:

1. DNS request from client device for derp.com
2. DNS request sent to pfSense transparent DNS resolver
3. DNS query uses custom DNS Resolver config via /var/unbound/pfb_dnsbl.*conf
4. DNS request forwarded to pfBlocker via 10.10.10.1
5. DNS request is filtered or forwarded depending on block list via Unbound resolver
6. DNS request is returned to client under two conditions:
   a. If the DNS result exists in part of the block list(s), the IP of 10.10.10.1 is returned to the DNS query and a blank result is returned
   b. If the DNS result does not exist in any block lists, the valid IP of the request is returned to the client

The DNS request will return an HTTP or HTTPS page with the DNSBL blank page; HTTPS will show the DNSBL invalid cert, hence the NAT for 8081 (HTTP) and 8443 (HTTPS).

If you are using pfBlockerNG-devel, you can also add a redirected page return, so you can return to the end user a value to show a block rather than just a blank page.

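The flow above boils down to two things: names on the block list become host overrides inside Unbound that answer with the sinkhole address, and everything else is resolved by the same Unbound instance through whatever forwarders it has. The script below is an added illustration, not pfBlockerNG's own code. The override syntax is Unbound's, but whether pfb_dnsbl.conf is written as exactly these two lines per name is an assumption, the blocklist is constructed for the example, and 10.10.10.1 is the default DNSBL address quoted in the thread. It generates the override fragment from a list and shows which answer a client would get, including for subdomains of a listed name.

```shell
#!/bin/sh
# Added example: how DNSBL-style blocking sits inside Unbound.
# Not pfBlockerNG's code; the override syntax is Unbound's, and whether
# pfb_dnsbl.conf uses exactly these two lines per name is an assumption.

SINKHOLE=10.10.10.1   # default DNSBL virtual address from the thread

# Constructed blocklist for the example, one domain per line.
BLOCKLIST='ads.example.net
tracker.example.org'

# Emit Unbound host overrides for every listed name. A "redirect" local-zone
# makes the name and everything beneath it answer with the sinkhole record.
dnsbl_overrides() {
  printf '%s\n' "$1" | while IFS= read -r d; do
    [ -n "$d" ] || continue
    printf 'local-zone: "%s." redirect\n' "$d"
    printf 'local-data: "%s. A %s"\n' "$d" "$SINKHOLE"
  done
}

# What a client gets for a name: the sinkhole if the name or any parent
# domain is listed, otherwise "upstream" (the real answer via the forwarders).
dnsbl_answer() {
  name="$1"
  while [ -n "$name" ]; do
    if printf '%s\n' "$BLOCKLIST" | grep -qxF -- "$name"; then
      printf '%s\n' "$SINKHOLE"
      return 0
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;   # walk up one label
      *)   break ;;
    esac
  done
  printf 'upstream\n'
}

dnsbl_overrides "$BLOCKLIST"
dnsbl_answer cdn.ads.example.net   # 10.10.10.1
dnsbl_answer www.example.net       # upstream
```

Because the include line pulls these overrides into the same Unbound instance that does the forwarding, the two settings do not conflict: a name that is not on the list never touches 10.10.10.1, and a listed name never leaves the box, so the sinkhole answer is the same whether the forwarders are plain DNS or DNS over TLS.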

The only thing DNSBL does to Unbound is adds its own host overrides, that's it.

 

I actually already had a manual implementation of what DNSBL is doing that I implemented back when I was using OpenWRT and had carried over to pfSense, as my server has more specific rules that parse the URI to detect redirects that go via certain advertisers (an attempt to prevent the site being used with adblocking).

Actual DNS resolution is done by Unbound as normal and this works absolutely fine with Cloudflare DNS over TLS.


So as I understand it, this code:

server:
  include: /var/unbound/pfb_dnsbl.*conf

entered into the DNS Resolver custom settings should incorporate DNSBL into the outside DNS resolver I am trying to use. I believe I already have Cloudflare and Google set up as primary/backup DNS in the general setup. From the Dashboard (it appears to work normally):
[screenshot omitted]

What I am trying to do is enable DNS over TLS, as per this video:
[video not captured]

The issue is, when I plug in the rest of that code into the DNS Resolver custom settings:

forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 8.8.8.8@853

My internet dies....


12 hours ago, elliott35 said:

So as I understand it, this code:

server:
  include: /var/unbound/pfb_dnsbl.*conf

entered into the DNS Resolver custom settings should incorporate DNSBL into the outside DNS resolver I am trying to use. I believe I already have Cloudflare and Google set up as primary/backup DNS in the general setup. From the Dashboard (it appears to work normally):
[screenshot omitted]

What I am trying to do is enable DNS over TLS, as per this video:
[video not captured]

The issue is, when I plug in the rest of that code into the DNS Resolver custom settings:

forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 8.8.8.8@853

My internet dies....

I'm assuming you have rules on the LAN interface to allow TCP access on 853? I would start with making sure you can telnet 1.1.1.1 853 from inside your LAN subnet.  You can also test via pfSense GUI or SSH on the external interface.


Telnet won't tell you anything, as it's not talking TLS. If I run "telnet 1.1.1.1 853" I just get permission denied, but it's working perfectly in Unbound.

Like I said earlier, try with ONLY Cloudflare servers by replacing 8.8.8.8 with 1.0.0.1.
You are trying to use DNS over TLS for a Google server (8.8.8.8) and I can find nothing mentioned online that they support this, so it's probably failing.

If you want DNS over TLS for security then you would need to remove Google and Cloudflare from the main DNS Server settings too, so that pfSense will only ever use Unbound. Otherwise it will randomly use standard DNS for pfSense services themselves.

 

I also have a port forwarding rule to force ALL DNS via pfSense, as Google have a tendency to hard-code their DNS server addresses into their Android services.


It was Google. Changing to both Cloudflare servers and a Quad9 backup worked.
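
The set-up the thread ends on (both Cloudflare servers plus Quad9 as backup, all over TLS on port 853), written out as an added example that is not from any post above. Two things the posted fragment leaves out are worth having: a TLS auth name on each forward-addr (the `#name` suffix) together with a `tls-cert-bundle`, so that Unbound verifies the upstream's certificate instead of just encrypting to whoever answers on 853, and a check that really speaks TLS, since, as noted above, telnet cannot. The auth names are the ones the providers publish (cloudflare-dns.com, dns.quad9.net); the bundle path /etc/ssl/cert.pem is the FreeBSD/pfSense location and is an assumption for anything else; `forward-tls-upstream` is the current spelling of `forward-ssl-upstream`. Newer pfSense releases expose forwarding over TLS as a checkbox in the DNS Resolver settings, which produces roughly this fragment, so use one or the other rather than both.

```shell
#!/bin/sh
# Added example: an authenticated DNS-over-TLS forward-zone for the pfSense
# Unbound "Custom options" box, plus a check that really speaks TLS.
# Assumptions: the TLS auth names are the providers' published ones; the CA
# bundle path is the FreeBSD/pfSense default; 853 is the DoT port.

# Upstreams as ip@port#tls_auth_name (Unbound's forward-addr syntax).
UPSTREAMS='1.1.1.1@853#cloudflare-dns.com 1.0.0.1@853#cloudflare-dns.com
9.9.9.9@853#dns.quad9.net 149.112.112.112@853#dns.quad9.net'

# Reject an upstream that has no auth name: Unbound would then encrypt the
# session but not verify who terminates it (the gap in the posted fragment).
valid_upstream() {
  case "$1" in
    *@853#?*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print the config fragment. Usage: dot_forward_zone <ca-bundle> <upstream>...
dot_forward_zone() {
  bundle="$1"; shift
  for u in "$@"; do
    valid_upstream "$u" || { echo "refusing upstream without auth name: $u" >&2; return 1; }
  done
  printf 'server:\n  tls-cert-bundle: "%s"\n\n' "$bundle"
  printf 'forward-zone:\n  name: "."\n  forward-tls-upstream: yes\n'
  for u in "$@"; do
    printf '  forward-addr: %s\n' "$u"
  done
}

# Handshake check (needs network, so not run below). telnet only shows the
# port is open; this opens a TLS session and validates the certificate against
# the auth name. "Verify return code: 0 (ok)" is the result you want.
dot_check() {
  ip="${1%%@*}"; name="${1##*#}"
  openssl s_client -connect "$ip:853" -servername "$name" \
    -verify_hostname "$name" -verify_return_error </dev/null 2>&1 |
    grep -E 'subject=|Verify return code'
}

dot_forward_zone /etc/ssl/cert.pem $UPSTREAMS
```

Run the script on the firewall (or anywhere with openssl) and paste its output into the Custom options box; then run `dot_check 1.1.1.1@853#cloudflare-dns.com` from the pfSense shell before saving. If that check fails, the problem is outbound 853 or the CA bundle, not Unbound, and that is what to fix first. Note that, as the thread says, nothing here helps if System > General still lists plain-DNS servers that pfSense itself will use; leave that list empty so the box resolves only through Unbound.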
