When I visit a site like pornhub.com I am not blocked and nothing appears in the DNS: Unbound log.
Any ideas why the new IPF DNS Firewall might not be working for me? Any suggestions for further testing?
The only thing I can think of is that I used to run @jon's RPZ add-on in the past but stopped using it a while back - perhaps there's a leftover that needs to be manually uninstalled?
Any input or guidance to resolve this would be greatly appreciated.
# 1 - go to this directory:
cd /opt/pakfire/tmp/
# 2 - download RPZ add-on file:
curl --location \
--url https://github.com/JonMurphy/RPZ_add-on/releases/latest/download/rpz-latest.ipfire.tar \
--output rpz-latest.ipfire.tar
# 3 - list the directory and confirm file exists:
ls -l /opt/pakfire/tmp
# 4 - uncompress the file:
tar --verbose --extract --file="rpz-latest.ipfire.tar"
# 5 - check to make sure there are five (5) files:
ls -l /opt/pakfire/tmp
# 6 - copy one file to a new location:
/bin/cp --verbose --force ROOTFILES /opt/pakfire/db/rootfiles/rpz
# 7 - uninstall RPZ
NAME=rpz ./uninstall.sh
If those steps don't work...
Option 2
Review this directory:
ls -al /etc/unbound/local.d
Note: This is rare but it is good to know:
If you’ve created your own config file, make sure you keep that one config file. And if you want me to examine the files please post the list: ls -al /etc/unbound/local.d
And remove all of the .conf files.
Review this directory:
ls -al /etc/unbound/zonefiles
and remove all of the .rpz files.
Review this file:
ls -al /srv/web/ipfire/cgi-bin/rpz.cgi
and remove the rpz.cgi file.
Once the RPZ related files are gone make sure you do an unbound restart.
I suspect that you have used the pencil icon for the DNS Firewall categories and selected Green.
I also suspect that you have the web proxy enabled.
If the above is not correct then ignore the following.
The default for the DNS Firewall zones is to apply globally.
If you select a zone such as Green then it means that the DNS Firewall will only apply to traffic going to the DNS directly from the chosen zone (say Green).
However, if you are using the web proxy, then your browser traffic is not going directly to the DNS from Green; it goes first to the Web Proxy in IPFire, and then the web proxy sends it to the DNS. But the traffic is now coming from IPFire itself and not from a system in the Green zone, and therefore does not get blocked.
There are two options that come to mind.
The simplest is to deselect the zones in the DNS Firewall categories so they will be applied globally (Green, Blue, Orange & IPFire itself).
Turn off the proxy in the browser settings so the traffic goes directly to the DNS server
If you want to unselect that Green zone, then hold down the Ctrl key, place the mouse pointer over the GREEN zone label and click it, and it will unselect.
Press the Update button to save that status.
Then if your browser is just using No Proxy or the System Proxy then my explanation would not apply.
Then it could be that you have some hangover bits that are causing unbound to not work correctly.
You should follow @jon suggestions and see how that goes but you should also be prepared to do a fresh install and restore so that you can be sure to have unbound operating the way it should do for the DNS Firewall.
Thanks @bonnietwin for your suggestions - I now understand the selection / unselection how-to of DBL zones - note that @jon’s RPZ uninstall steps did the trick.
Sorry guys, but I jumped up and danced the jig too soon.
The blocking of pornhub.com was working because I had it defined in the Custom Blocked Domains list on the DNS Firewall panel. But when removed and just relying on ticked lists then pornhub.com is not blocked.
Thanks @alexand - sorry mate then I’m confused with what and how to select zones (see @bonnietwin’s screenshots earlier in this topic) - my understanding is that if I haven’t explicitly selected any zones then the rules are in effect for all zones (isn’t this the default?).
Besides if I have all zones selected like below then pornhub.com is still not blocked…
If you haven’t checked it, it won’t work. In my example, it’s checked to be active for the blue zone. In your current image, you have all zones checked, and it should work. Clear the DNS cache on the host you’re trying from.
Then the text on the DNS Firewall panel “By default, the blocking will apply to the entire network.” - is misleading (and also contradicts what @bonnietwin shared earlier) - suggesting that the wording of the text under “Access Control” needs to be clearer.
On my Linux laptop I ran: sudo resolvectl flush-caches
Sorry but made no difference - I can still access pornhub.com.
[root@ipfire ~]# cat /etc/unbound/dnsbl.conf
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
server:
define-tag: "ads.rpz.ipfire.org"
# Request Policy Zone ads.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: ads.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/ads.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: ads.rpz.ipfire.org
server:
define-tag: "gambling.rpz.ipfire.org"
# Request Policy Zone gambling.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: gambling.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/gambling.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: gambling.rpz.ipfire.org
server:
define-tag: "malware.rpz.ipfire.org"
# Request Policy Zone malware.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: malware.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/malware.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: malware.rpz.ipfire.org
# Tags
tags: malware.rpz.ipfire.org
server:
define-tag: "phishing.rpz.ipfire.org"
# Request Policy Zone phishing.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: phishing.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/phishing.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: phishing.rpz.ipfire.org
server:
define-tag: "piracy.rpz.ipfire.org"
# Request Policy Zone piracy.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: piracy.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/piracy.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: piracy.rpz.ipfire.org
server:
define-tag: "porn.rpz.ipfire.org"
# Request Policy Zone porn.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: porn.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/porn.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: porn.rpz.ipfire.org
# Tags
tags: porn.rpz.ipfire.org
server:
define-tag: "smart-tv.rpz.ipfire.org"
# Request Policy Zone smart-tv.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: smart-tv.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/smart-tv.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: smart-tv.rpz.ipfire.org
# Tags
tags: smart-tv.rpz.ipfire.org
server:
define-tag: "violence.rpz.ipfire.org"
# Request Policy Zone violence.rpz.ipfire.org
rpz:
# The name of the RPZ authority zone
name: violence.rpz.ipfire.org
primary: xfr.dbl.ipfire.org
# Cache the content and refresh automatically
zonefile: /var/cache/unbound/violence.rpz.ipfire.org.zone
# Log all matches
rpz-log: yes
rpz-log-name: violence.rpz.ipfire.org
# Write the ACL
server:
access-control-tag: 192.168.10.0/24 "porn.rpz.ipfire.org smart-tv.rpz.ipfire.org"
access-control-tag: 192.168.1.0/24 "porn.rpz.ipfire.org"
access-control-tag: 192.168.20.0/24 "malware.rpz.ipfire.org porn.rpz.ipfire.org"
[root@ipfire ~]#
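Added example (not from the thread or from IPFire): a small parser for the generated dnsbl.conf format shown above, used to work out which RPZ zones Unbound will actually enforce for a given client address. It models the tag semantics that @bonnietwin's explanation relies on: an RPZ block with no "tags:" line applies to every client, while one with "tags:" applies only to clients whose access-control-tag entry carries a matching tag, so a query arriving from IPFire itself (for example via the web proxy) matches no listed network and gets none of the tagged zones. The sample config is constructed and trimmed to three zones; the longest-prefix ACL matching and the "any tag in common" rule are my reading of Unbound's behaviour and are assumptions here, not verified against the poster's system.

```python
import ipaddress

# Constructed sample in the shape of IPFire's generated /etc/unbound/dnsbl.conf
# (three zones only; indentation is optional, the parser strips it).
SAMPLE_CONF = """\
server:
    define-tag: "ads.rpz.ipfire.org"
rpz:
    name: ads.rpz.ipfire.org
    primary: xfr.dbl.ipfire.org
    zonefile: /var/cache/unbound/ads.rpz.ipfire.org.zone
    rpz-log: yes
    rpz-log-name: ads.rpz.ipfire.org
server:
    define-tag: "malware.rpz.ipfire.org"
rpz:
    name: malware.rpz.ipfire.org
    primary: xfr.dbl.ipfire.org
    zonefile: /var/cache/unbound/malware.rpz.ipfire.org.zone
    rpz-log: yes
    rpz-log-name: malware.rpz.ipfire.org
    # Tags
    tags: malware.rpz.ipfire.org
server:
    define-tag: "porn.rpz.ipfire.org"
rpz:
    name: porn.rpz.ipfire.org
    primary: xfr.dbl.ipfire.org
    zonefile: /var/cache/unbound/porn.rpz.ipfire.org.zone
    rpz-log: yes
    rpz-log-name: porn.rpz.ipfire.org
    # Tags
    tags: porn.rpz.ipfire.org
# Write the ACL
server:
    access-control-tag: 192.168.10.0/24 "porn.rpz.ipfire.org smart-tv.rpz.ipfire.org"
    access-control-tag: 192.168.1.0/24 "porn.rpz.ipfire.org"
    access-control-tag: 192.168.20.0/24 "malware.rpz.ipfire.org porn.rpz.ipfire.org"
"""


def parse_dnsbl_conf(text):
    """Return (zones, acl).

    zones maps an RPZ name to the set of tags it is restricted to
    (an empty set means the zone applies to every client);
    acl is a list of (ip_network, set of tags) from access-control-tag lines.
    """
    zones = {}
    acl = []
    current = None  # RPZ block currently being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line in ("server:", "rpz:"):
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "name":
            current = value
            zones.setdefault(current, set())
        elif key == "tags" and current:
            zones[current] = set(value.split())
        elif key == "access-control-tag":
            net, _, tags = value.partition(" ")
            acl.append((ipaddress.ip_network(net, strict=False),
                        set(tags.strip().strip('"').split())))
    return zones, acl


def tags_for_client(client_ip, acl):
    """Tags of the most specific ACL network containing client_ip
    (assumed longest-prefix match); no match means no tags."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, tags in acl:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tags)
    return best[1] if best else set()


def enforced_zones(client_ip, zones, acl):
    """RPZ zones Unbound will apply to a query from client_ip:
    untagged zones always, tagged zones only when the client's ACL tags
    share at least one tag with the zone."""
    client_tags = tags_for_client(client_ip, acl)
    return sorted(name for name, tags in zones.items()
                  if not tags or tags & client_tags)


if __name__ == "__main__":
    zones, acl = parse_dnsbl_conf(SAMPLE_CONF)
    # 127.0.0.1 stands in for a query issued by IPFire itself (e.g. via the web proxy).
    for client in ("192.168.1.50", "192.168.20.7", "127.0.0.1"):
        print(client, "->", enforced_zones(client, zones, acl))
```

Run it against a real file with `parse_dnsbl_conf(open("/etc/unbound/dnsbl.conf").read())` and the address a test client is using; if the client's address prints without the zone you expect, the ACL tags (the zone selection in the DNS Firewall page) are the first thing to look at, before suspecting leftover RPZ files.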