DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

This forum is intended to provide straightforward answers for people trying to use DynFi Firewall Open Source firewalls.
We might also try to answer questions related to competitors firewall such as pfSense® and OPNsense® systems.

Moderator: gregober

saleh
Posts: 8
Joined: 20 Nov 2022, 11:16

DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by saleh » 20 Nov 2022, 11:38

Hello DnyFi Team,

I have installed the latest DnyFi Firewall but I don't find the DNS Filtering with DynFi Firewall and Unbound like the below video in you your youtube home page.
https://www.youtube.com/watch?v=TqzOfffl98A
Thank you.
User avatar
gregober
Posts: 244
Joined: 26 Mar 2019, 15:06

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by gregober » 21 Nov 2022, 10:46

I have installed the latest DnyFi Firewall but I don't find the DNS Filtering with DynFi Firewall and Unbound like the below video in you your youtube home page.
https://www.youtube.com/watch?v=TqzOfffl98A
You are right, the latest available version online is labeled 1.0 and does not include the DNS filtering yet.
Version 2.00 soon to be published will include the DNS filtering.

The video has been published a bit in advance… Sorry about this.

The new version shall be available within one to two weeks maximum.
saleh
Posts: 8
Joined: 20 Nov 2022, 11:16

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by saleh » 21 Nov 2022, 18:20

Thank you so much Gregober for the good news.
This feature is perfect and appreciate your great work.
saleh
Posts: 8
Joined: 20 Nov 2022, 11:16

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by saleh » 08 Dec 2022, 21:22

Hello Gregober,

Thank you so much for the new version of DynFi Firewall.
I have tested the new DNS Filtering but not working. I mean not filtered the DNS request. I see no problem in the configuration.

Thank you.
User avatar
gregober
Posts: 244
Joined: 26 Mar 2019, 15:06

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by gregober » 09 Dec 2022, 09:51

For the filter to work, you will need to clear your DNS cache, which OS are you on ?
saleh
Posts: 8
Joined: 20 Nov 2022, 11:16

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by saleh » 09 Dec 2022, 23:40

The problem is not the clear of DNS cache of the OS.
It seem some wrong in the configuration of the unbound. There is no zone files exist for the enabled categories like in my case the advertise and porn categories and no log files exist. Please find the attached files.
Thank you.
Attachments
unbound.PNG
Categories_chart.PNG
DynFi_RPZ.PNG
User avatar
gregober
Posts: 244
Joined: 26 Mar 2019, 15:06

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by gregober » 11 Dec 2022, 17:40

The problem is not the clear of DNS cache of the OS.
It seem some wrong in the configuration of the unbound. There is no zone files exist for the enabled categories like in my case the advertise and porn categories and no log files exist. Please find the attached files.
Thank you.
The configuration is ok, there are edge where if you have dual stack with IPv6 + IPv4 it might not filter properly.

In order for the system to work, you need to have a minimum of 8GB of RAM configured.
In a soon to be released upgrade we will show warning before it is loaded.

The loading of the 5 millions "porn" URL will take about 5/10 minutes on a normal system, if you have faster system, It will take shorter time. You must be patient!

But you absolutely need to have a min of 8GB of RAM and 12GB would be better.
saleh
Posts: 8
Joined: 20 Nov 2022, 11:16

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by saleh » 13 Dec 2022, 22:41

Thank you for your reply.
The RAM in our LAB VM machine is 8GB. I think the selected lists are not downloaded because I don't see any load for Unbound and nothing loaded into memory. How to check if the selected lists are downloaded or not.
User avatar
gregober
Posts: 244
Joined: 26 Mar 2019, 15:06

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by gregober » 14 Dec 2022, 09:16

Thank you for your reply.
The RAM in our LAB VM machine is 8GB. I think the selected lists are not downloaded because I don't see any load for Unbound and nothing loaded into memory. How to check if the selected lists are downloaded or not.
This is strange, did you have a properly working DNS before enabling the RPZ filtering ?

You can check if the rpz files are being downloaded by loging into your firewall and checking the /var/unbound directory.
If things are "ok" you should see some rpz files in there, like in the example below.

They are labbeled "THEME.rpz.dynfi", most of them will take few seconds to be downloaded, not the "porn.rpz.dynfi" which is quite huge and might take a long time (566Mb).

To check if your zone transfer is properly working, you can use the following command:

Code: Select all

drill @188.165.99.8 redirector.rpz.dynfi axfr
Here is the listing of the /var/unbound directory with few rpz zones enabled:

Code: Select all

root@firewall:/var/unbound # ls -alh
total 93834
drwxr-xr-x   9 unbound  unbound    28B Dec 14 07:16 .
drwxr-xr-x  31 root     wheel      31B Dec  6 15:26 ..
-rw-r--r--   1 unbound  unbound   416B Dec 11 22:46 access_lists.conf
-rw-r-----   1 unbound  unbound   102K Dec 11 22:46 cache.dump.gz
drwxr-xr-x   2 unbound  unbound     2B Apr 20  2022 conf.d
dr-xr-xr-x  13 unbound  unbound   512B Dec  7 12:42 dev
-rw-r--r--   1 unbound  unbound   450B Dec  5 23:24 dhcpleases.conf
-rw-r--r--   1 unbound  unbound   7.7K Dec  5 11:36 doh.rpz.dynfi
-rw-r--r--   1 unbound  unbound   124B Dec 11 22:46 domainoverrides.conf
-rw-r--r--   1 unbound  unbound   2.8M Dec  5 11:36 drugs.rpz.dynfi
drwxr-xr-x   2 unbound  unbound     5B Dec 11 22:47 etc
-rw-r--r--   1 unbound  unbound   1.8K Dec 11 22:46 host_entries.conf
drwxr-xr-x   2 unbound  unbound     2B Dec  5 11:31 lib
-rw-r--r--   1 unbound  unbound   566M Dec  5 11:40 porn.rpz.dynfi
-rw-r--r--   1 unbound  unbound   3.0M Dec  5 11:36 redirector.rpz.dynfi
-rw-r--r--   1 unbound  unbound   3.2K Dec 11 22:46 root.hints
-rw-r--r--   1 unbound  unbound   758B Dec 14 07:16 root.key
-rw-r--r--   1 unbound  unbound   314B Dec 11 22:46 rpz.whitelist.zone
drwxr-xr-x   2 unbound  unbound     2B Dec  5 11:31 run
-rw-r--r--   1 unbound  unbound   4.0M Dec  5 11:36 socialmedia.rpz.dynfi
-rw-r--r--   1 unbound  unbound   2.2K Dec 11 22:46 unbound.conf
-rw-------   1 unbound  unbound   2.4K Dec  5 11:31 unbound_control.key
-rw-r-----   1 unbound  unbound   1.4K Dec  5 11:31 unbound_control.pem
-rw-------   1 unbound  unbound   2.4K Dec  5 11:31 unbound_server.key
-rw-r-----   1 unbound  unbound   1.5K Dec  5 11:31 unbound_server.pem
-rw-r--r--   1 unbound  unbound    72K Dec  5 11:36 urlshortener.rpz.dynfi
saleh
Posts: 8
Joined: 20 Nov 2022, 11:16

Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound

Post by saleh » 17 Dec 2022, 08:17

I think the problem occurred because our internet service provider forward all dns traffic on port 53 to own DNS servers so that the selected rpz list is not downloaded. The DNS is working properly only via DNS over TLS like the attached file. Is there any way to let the Firewall to communicate with ip address 188.165.99.8 with port 853 TLS instead the standard port 53.
Thank you.
Attachments
DNS_over_TLS.PNG
Post Reply