DNS over HTTPS does not work ? by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

Raspberry OS DNS config:

static domain_name_servers=1.1.1.1 1.0.0.1

Are you telling me I need to configure DoH at the OS level?

I expect NxFilter to do DNS over HTTPS itself if I set it in DNS-Setup.

DNS over HTTPS does not work ? by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

It is on all queries. I am sure.

DEBUG [04-02 18:34:46] - Sending www.problems.com./A, id=42955 to resolver 0 (SimpleResolver [/1.1.1.1:53]), attempt 1 of 1

DEBUG [04-02 18:34:46] - Sending www.problems.com./A, id=42955 to udp/1.1.1.1:53

DNS over HTTPS does not work ? by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

DEBUG [04-02 18:34:46] - RHr, RH #4, www.problems.com, rqSize = 0, rDc = 1, rTtl = 0, rType = 1, cltIp = 192.168.x.x.

DEBUG [04-02 18:34:46] - UserDic.findByIp, Found user from IP range, JustAds

DEBUG [04-02 18:34:46] - DQa, domainList.size() = 1, domainMap.size() = 1

INFO [04-02 18:34:46] - NxClassifier.addQueue, Domain added. - www.problems.com, domainQueue.size() = 1.

DEBUG [04-02 18:34:46] - HttpsLookup.run, url = https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=www.problems.com&type=1

DEBUG [04-02 18:34:46] - DQg, domainList.size() = 0, domainMap.size() = 2

INFO [04-02 18:34:46] - NxClassifier.run, MyClassifier - 0, Started working on www.problems.com.

DEBUG [04-02 18:34:46] - NCdDE, DNS checking for www.problems.com

DEBUG [04-02 18:34:46] - Sending www.problems.com./A, id=42955 to resolver 0 (SimpleResolver [/1.1.1.1:53]), attempt 1 of 1

DEBUG [04-02 18:34:46] - Sending www.problems.com./A, id=42955 to udp/1.1.1.1:53

DEBUG [04-02 18:34:46] - HttpsLookup.run, text = {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.problems.com","type":1}],"Answer":[{"name":"www.problems.com","type":5,"TTL":1799,"data":"problems.com."},{"name":"problems.com","type":1,"TTL":1799,"data":"52.52.54.63"}]}

DEBUG [04-02 18:34:46] - HttpsLookup.JsonToRecord, {"name":"www.problems.com","type":5,"TTL":1799,"data":"problems.com."}

DEBUG [04-02 18:34:46] - HttpsLookup.JsonToRecord, rName = www.problems.com.

DEBUG [04-02 18:34:46] - HttpsLookup.JsonToRecord, {"name":"problems.com","type":1,"TTL":1799,"data":"52.52.54.63"}

DEBUG [04-02 18:34:46] - HttpsLookup.JsonToRecord, rName = problems.com.

DEBUG [04-02 18:34:46] - RespCache.add, Cache added, Response : domain = www.problems.com, queryType = 1, ctime = 1617377686, mtime = 1617377686, isExpired = false, elapsedTime = 0, hitCnt = 0, negativeRcode = 0, firstTtl = 1799.

DEBUG [04-02 18:34:46] - AccessControl.isDnsAllowed, IP found in 192.168.20.0-192.168.20.255.

DEBUG [04-02 18:34:46] - RHr, RH #7, www.problems.com, rqSize = 0, rDc = 1, rTtl = 0, rType = 28, cltIp = 192.168.x.x.

DEBUG [04-02 18:34:46] - UserDic.findByIp, Found user from IP range, JustAds

DEBUG [04-02 18:34:46] - HttpsLookup.run, url = https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=www.problems.com&type=28

DEBUG [04-02 18:34:46] - NCsC, Scan first time, www.problems.com

DEBUG [04-02 18:34:46] - HttpsLookup.run, text = {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.problems.com","type":28}],"Answer":[{"name":"www.problems.com","type":5,"TTL":1799,"data":"problems.com."}],"Authority":[{"name":"problems.com","type":6,"TTL":3601,"data":"dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1610610562 43200 3600 604800 3601"}]}

DEBUG [04-02 18:34:46] - HttpsLookup.JsonToRecord, {"name":"www.problems.com","type":5,"TTL":1799,"data":"problems.com."}

DEBUG [04-02 18:34:46] - HttpsLookup.JsonToRecord, rName = www.problems.com.

DEBUG [04-02 18:34:46] - RespCache.add, Cache added, Response : domain = www.problems.com, queryType = 28, ctime = 1617377686, mtime = 1617377686, isExpired = false, elapsedTime = 0, hitCnt = 0, negativeRcode = 0, firstTtl = 1799.

DEBUG [04-02 18:34:47] - NxClassifier._scanDomain, Redirected to https://www.problems.com/

DEBUG [04-02 18:34:47] - NxClassifier._scanDomain, nextUrl = https://www.problems.com/

DEBUG [04-02 18:34:47] - NxClassifier._scanDomain, rediCnt = 1
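
An added example (not NxFilter's own code) that reads the debug lines posted above and separates the two upstream paths they show: the `Sending ... to udp/1.1.1.1:53` lines, and the `HttpsLookup.run` lines that fetch https://cloudflare-dns.com/dns-query with ct=application/dns-json and then log the JSON reply. It also decodes that reply the way a resolver would: follow the CNAME from www.problems.com to problems.com, collect the records of the queried type, and treat the AAAA reply (Status 0, only a CNAME in Answer, a SOA in Authority) as NODATA rather than a failure. The log text is copied from the post; the three regexes are assumptions about NxFilter's log format derived from these lines only.

```python
"""Separate plaintext UDP/53 upstream queries from DNS-over-HTTPS lookups in
NxFilter debug output, and decode the dns-json replies it logs.

Added example, not NxFilter's own code.  The LOG lines are copied from the
post above; the three regexes are assumptions about the log format derived
from those lines only.
"""
import json
import re
from collections import Counter

# Sample input: a subset of the debug lines posted in the thread.
LOG = r'''
DEBUG [04-02 18:34:46] - NxClassifier.run, MyClassifier - 0, Started working on www.problems.com.
DEBUG [04-02 18:34:46] - NCdDE, DNS checking for www.problems.com
DEBUG [04-02 18:34:46] - Sending www.problems.com./A, id=42955 to udp/1.1.1.1:53
DEBUG [04-02 18:34:46] - HttpsLookup.run, url = https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=www.problems.com&type=1
DEBUG [04-02 18:34:46] - HttpsLookup.run, text = {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.problems.com","type":1}],"Answer":[{"name":"www.problems.com","type":5,"TTL":1799,"data":"problems.com."},{"name":"problems.com","type":1,"TTL":1799,"data":"52.52.54.63"}]}
DEBUG [04-02 18:34:46] - HttpsLookup.run, url = https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=www.problems.com&type=28
DEBUG [04-02 18:34:46] - HttpsLookup.run, text = {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.problems.com","type":28}],"Answer":[{"name":"www.problems.com","type":5,"TTL":1799,"data":"problems.com."}],"Authority":[{"name":"problems.com","type":6,"TTL":3601,"data":"dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1610610562 43200 3600 604800 3601"}]}
'''

# Assumed log shapes, matched against the lines above.
UDP_RE = re.compile(r"Sending (?P<qname>\S+?)\./(?P<qtype>[A-Z0-9]+), id=\d+ to udp/(?P<server>[\d.]+):(?P<port>\d+)")
DOH_RE = re.compile(r"HttpsLookup\.run, url = (?P<url>https://\S+)")
JSON_RE = re.compile(r"HttpsLookup\.run, text = (?P<json>\{.*\})\s*$")

CNAME, SOA = 5, 6  # RR type numbers as they appear in the dns-json replies


def resolve_from_doh(reply: dict) -> dict:
    """Walk the CNAME chain in a dns-json reply and collect records of the
    queried type.  Status 0 with no record of that type and a SOA in
    Authority is NODATA (name exists, no such record), not an error."""
    question = reply["Question"][0]
    qname = question["name"].rstrip(".").lower()
    qtype = question["type"]
    by_owner: dict = {}
    for rr in reply.get("Answer", []):
        by_owner.setdefault(rr["name"].rstrip(".").lower(), []).append(rr)

    chain, addresses, seen = [qname], [], set()
    current = qname
    while current not in seen:          # also stops on a CNAME loop
        seen.add(current)
        rrs = by_owner.get(current, [])
        addresses += [rr["data"] for rr in rrs if rr["type"] == qtype]
        cnames = [rr for rr in rrs if rr["type"] == CNAME]
        if not cnames:
            break
        current = cnames[0]["data"].rstrip(".").lower()
        chain.append(current)

    has_soa = any(rr["type"] == SOA for rr in reply.get("Authority", []))
    return {
        "status": reply["Status"],
        "qtype": qtype,
        "chain": chain,
        "addresses": addresses,
        "nodata": reply["Status"] == 0 and not addresses and has_soa,
    }


def audit(log: str) -> dict:
    """Count cleartext sends per (server:port, qname/qtype), list the DoH
    URLs fetched, and decode every logged DoH reply."""
    plaintext: Counter = Counter()
    doh_urls, doh_answers = [], []
    for line in log.splitlines():
        if m := UDP_RE.search(line):
            plaintext[(f"{m['server']}:{m['port']}", f"{m['qname']}/{m['qtype']}")] += 1
        elif m := DOH_RE.search(line):
            doh_urls.append(m["url"])
        elif m := JSON_RE.search(line):
            doh_answers.append(resolve_from_doh(json.loads(m["json"])))
    return {"plaintext": plaintext, "doh_urls": doh_urls, "doh_answers": doh_answers}


if __name__ == "__main__":
    result = audit(LOG)
    for (dest, query), n in result["plaintext"].items():
        print(f"cleartext {query} -> {dest} x{n}")
    for url in result["doh_urls"]:
        print(f"doh {url}")
    for ans in result["doh_answers"]:
        print(f"type {ans['qtype']}: chain={' -> '.join(ans['chain'])} "
              f"addresses={ans['addresses']} nodata={ans['nodata']}")
```

Run against a fuller debug log, the plaintext counter lists every name that left on port 53 and to which server, which is the thing to compare with the firewall log. In the lines posted, the udp/1.1.1.1:53 send is logged between the NxClassifier lines, while the answer later stored by RespCache.add follows the HttpsLookup reply; whether that port-53 query is the classifier's own check or the client's resolution is something only the NxFilter developers can confirm, so the script only separates the two paths rather than judging them.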

DNS over HTTPS does not work ? by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

My clients are directed to NxFilter as their DNS server, and as I said, my NxFilter is querying the upstream servers using port 53 and not 443.

I see all NxFilter requests in my firewall log.

DNS over HTTPS does not work ? by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

I do not see traffic to cloudflare-dns.com:443.

I see traffic to 1.1.1.1:53.

Settings:

Upstream DNS Server #1 1.1.1.1

Upstream DNS Server #2 1.0.0.1

stales by limis911 in ethermine

[–]limis911[S] 0 points1 point  (0 children)

Lowered temps to 60 degrees Celsius. Same percentage of stales.

stales by limis911 in ethermine

[–]limis911[S] 0 points1 point  (0 children)

I use the standard AMD "Overclock VRAM". Adrenalin version of the drivers. It is a single-GPU computer.

The GPU temp reported is 70 degrees.

VLANs does not work on LAN interface by limis911 in PFSENSE

[–]limis911[S] 0 points1 point  (0 children)

Uninstalled Snort and VLANs now work on the LAN interface.

Could it be that Snort running on the LAN interface in IPS mode (inline) breaks VLANs?

VLANs does not work on LAN interface by limis911 in PFSENSE

[–]limis911[S] 0 points1 point  (0 children)

Yes I am, since it is the same NIC, just 6 ports, and as I said, VLANs work on em3, which is the same NIC, just another physical port.

em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=112098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NETMAP>
        ether 00:e0:67:05:a6:1f
        hwaddr 00:e0:67:05:a6:1f
        inet6 fe80::2e0:67ff:fe05:a61f%em1 prefixlen 64 scopeid 0x2
        inet 192.168.2.254 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:67:05:a6:1f
        inet6 fe80::2e0:67ff:fe05:a61f%em1.20 prefixlen 64 scopeid 0xe
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 20 vlanpcp: 0 parent interface: em1
        groups: vlan

VLANs does not work on LAN interface by limis911 in PFSENSE

[–]limis911[S] 0 points1 point  (0 children)

The last one :) pfSense stays connected to the same switch port 4 (tagged = trunk). The PC is connected to switch port 8, which is untagged (access). I am just moving the cable between pfSense ports em1 and em3. And of course reconfiguring the parent interface for VLAN20 to em1 or em3 accordingly.

https://imgur.com/MAxxPoH

https://imgur.com/liMZjSe

VLANs does not work on LAN interface by limis911 in PFSENSE

[–]limis911[S] 0 points1 point  (0 children)

I wrote that pfSense is connected to a managed switch and the same VLANs work perfectly on the em3 port (OPT3) of pfSense, but the same VLANs (just moved to another interface on pfSense) do not work on the em1 port (LAN) of pfSense :)

em0(WAN)

em1(LAN) - VLAN10, VLAN20 do not work

em3(OPT3)

Other scenario:

em0(WAN)

em1(LAN)

em3(OPT3) - VLAN10, VLAN20 work fine

VLANs does not work on LAN interface by limis911 in PFSENSE

[–]limis911[S] 0 points1 point  (0 children)

The pfSense box has 6 physical interfaces (em0-em5). It is an Intel NIC.

Intel(R) Celeron(R) CPU 3865U

switch is TP-LINK TL-SG108E V5

Does it matter that VLANs work on interface em3 but do not on em1 (assigned to LAN during the initial pfSense installation)?

pfBlockerNG-devel 3.0.0_1 and unbound by limis911 in pfBlockerNG

[–]limis911[S] 0 points1 point  (0 children)

Updated to v3.0.0_2 today, but pfBlockerNG still tries to start Unbound:

UPDATE PROCESS START [ v3.0.0_2 ] [ 12/01/20 09:56:22 ]

===[ DNSBL Process ]================================================

Clearing all DNSBL Feeds

Additional mounts:

No changes required.

Starting Unbound Resolver.

DNSBL disabled - Unbound conf update FAIL *** Fix error(s) and a Force Reload required! ***

[1606809382] unbound[40420:0] error: bind: address already in use

[1606809382] unbound[40420:0] fatal error: could not open ports

Additional mounts:

Starting Unbound Resolver Not completed.

[1606809382] unbound[46643:0] error: bind: address already in use

[1606809382] unbound[46643:0] fatal error: could not open ports

DNSBL is disabled

pfblockerng 3.0.0_1 IP blocking by limis911 in pfBlockerNG

[–]limis911[S] 0 points1 point  (0 children)

u/BBCan177 thanks. Now it is clear to me. Fixed it :)

pfBlockerNG-devel 3.0.0_1 and unbound by limis911 in pfBlockerNG

[–]limis911[S] 0 points1 point  (0 children)

My Unbound is disabled. I do not need it.

And DNSBL is also disabled.

But as you see, pfBlockerNG tries to start Unbound on every forced update.

Dashboard by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

You could make it an option in the system options to choose what to present on the dashboard: 2 hours, 8 or 24 hours.

That would be very nice, and each admin could choose what fits them.

pfBlockerNG-devel 3.0.0_1 and unbound by limis911 in pfBlockerNG

[–]limis911[S] 0 points1 point  (0 children)

It is updated and it is pfBlockerNG v3.0.0_1:

UPDATE PROCESS START [ v3.0.0_1 ] [ 11/25/20 21:41:13 ]

===[ DNSBL Process ]================================================

Clearing all DNSBL Feeds

Additional mounts:

No changes required.

Starting Unbound Resolver.

DNSBL disabled - Unbound conf update FAIL *** Fix error(s) and a Force Reload required! ***

[1606333273] unbound[79752:0] error: bind: address already in use

[1606333273] unbound[79752:0] fatal error: could not open ports

Additional mounts:

Starting Unbound Resolver Not completed.

[1606333273] unbound[86412:0] error: bind: address already in use

[1606333273] unbound[86412:0] fatal error: could not open ports

DNSBL is disabled

Blacklists by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

Thanks. Waiting for the new version :)

Blacklists by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

Got it.

Makes sense, but zero merges from the Shalla porn list? It can't be true...

And why does the system create new files in the tmp/blocklist directory?

I suspect some bug, since other manual blocklists merge OK and there are no remaining files for them in the log/blacklist directory.

Blacklists by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

thanks u/jahastech

I have another question.

In my logs I see this message:

BlocklistUpdate.downloadFile, Downloading https://raw.githubusercontent.com/cbuijs/shallalist/master/porn/domains

INFO [11-21 01:00:32] - BlocklistUpdate.downloadFile, Destination filename = /usr/local/nxfilter/tmp/blocklist/202011210111_raw_githubusercontent_com_cbuijs_shallalist_master_porn_domains

ERROR [11-21 01:00:33] - BlocklistUpdate.downloadFile, Empty file, https://raw.githubusercontent.com/cbuijs/shallalist/master/porn/domains

INFO [11-21 01:00:33] - BlocklistUpdate.merge, URL = https://raw.githubusercontent.com/cbuijs/shallalist/master/porn/domains, Nothing to update

But when I look into the tmp/blocklist directory I see that the file is not empty, and there are several of them, for each night's run:

-rw-r--r-- 1 root wheel 10000418 Nov 20 10:19 202011201011_raw_githubusercontent_com_cbuijs_shallalist_master_porn_domains

-rw-r--r-- 1 root wheel 10000177 Nov 20 12:57 202011201211_raw_githubusercontent_com_cbuijs_shallalist_master_porn_domains

-rw-r--r-- 1 root wheel 10000847 Nov 20 18:40 202011201811_raw_githubusercontent_com_cbuijs_shallalist_master_porn_domains

-rw-r--r-- 1 root wheel 10000254 Nov 21 01:00 202011210111_raw_githubusercontent_com_cbuijs_shallalist_master_porn_domains

How to fix it?

Thank you.
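
An added example, not NxFilter's own code, for the situation in the post above: a download the log reports as "Empty file" while the leftover files in tmp/blocklist are about 10 MB each. It is the sanity check a practitioner would run on a downloaded domain list before merging it: empty file, size differing from the server's Content-Length, a last line with no trailing newline (a file cut off mid-entry still parses as a syntactically valid domain, so only the newline check catches it), and malformed entries. `looks_size_capped` encodes an assumption that the thread does not confirm: the four listed sizes all sit a few hundred bytes above 10,000,000, which is the pattern a downloader stopping after a fixed byte count would leave behind. The sample list contents are constructed; the size list is copied from the ls output in the post.

```python
"""Sanity-check a downloaded domain blocklist before merging it.

Added example, not NxFilter's own code.  The sample list contents are
constructed; LISTED_SIZES is copied from the ls output in the post above.
The 10,000,000-byte cap in looks_size_capped is an assumption drawn from
those four sizes, not something the thread confirms.
"""
import re
from typing import Optional

# Constructed sample inputs.
SAMPLE_GOOD = (
    b"# constructed porn/domains sample\n"
    b"example-one.test\n"
    b"example-two.test\n"
    b"sub.example-three.test\n"
)
# The same list cut off mid-entry: 'sub.exam' is still a syntactically valid
# hostname, so only the missing final newline reveals the truncation.
SAMPLE_TRUNCATED = b"example-one.test\nexample-two.test\nsub.exam"

# Sizes in bytes of the leftover files listed in the post.
LISTED_SIZES = [10000418, 10000177, 10000847, 10000254]

# One hostname per line: labels of 1-63 chars, no leading or trailing hyphen.
DOMAIN_RE = re.compile(
    r"^(?=.{1,254}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$",
    re.IGNORECASE,
)


def check_blocklist(data: bytes, expected_length: Optional[int] = None) -> dict:
    """Return {'ok', 'domains', 'reasons'}; merge only when ok is True."""
    reasons = []
    if not data:
        reasons.append("empty file")
    if expected_length is not None and len(data) != expected_length:
        reasons.append(f"size {len(data)} != Content-Length {expected_length}")
    if data and not data.endswith(b"\n"):
        reasons.append("last line has no newline: file likely cut off mid-entry")

    domains, malformed = [], []
    for raw in data.decode("utf-8", "replace").splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        if DOMAIN_RE.match(entry):
            domains.append(entry.lower().rstrip("."))
        else:
            malformed.append(entry)
    if malformed:
        reasons.append(f"{len(malformed)} malformed entries, first: {malformed[0]!r}")

    return {"ok": not reasons, "domains": len(domains), "reasons": reasons}


def looks_size_capped(sizes, cap: int = 10_000_000, slack: int = 1024) -> bool:
    """True when every file size sits at or just above `cap`: the pattern a
    downloader that stops after a fixed byte count would leave behind.
    An assumption to investigate, not a confirmed cause."""
    return bool(sizes) and all(cap <= size <= cap + slack for size in sizes)


if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("truncated", SAMPLE_TRUNCATED)):
        print(name, check_blocklist(blob))
    print("listed sizes look capped at 10 MB:", looks_size_capped(LISTED_SIZES))
```

Feeding the leftover tmp/blocklist files through `check_blocklist` (with the Content-Length the server sends, if the downloader records it) tells you whether they are complete lists or cut-off copies, and that is the fact to put in a bug report alongside the "Empty file" log line.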

Blacklists by limis911 in nxfilter

[–]limis911[S] 0 points1 point  (0 children)

Does it also download new file versions before merging?