DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 20 Nov 2022, 11:38
by saleh
Hello DynFi Team,
I have installed the latest DynFi Firewall but I don't find the DNS Filtering with DynFi Firewall and Unbound like in the video below on your YouTube home page.
https://www.youtube.com/watch?v=TqzOfffl98A
Thank you.
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 21 Nov 2022, 10:46
by gregober
You are right, the latest available version online is labeled 1.0 and does not include the DNS filtering yet.
Version 2.00 soon to be published will include the DNS filtering.
The video has been published a bit in advance… Sorry about this.
The new version shall be available within one to two weeks maximum.
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 21 Nov 2022, 18:20
by saleh
Thank you so much Gregober for the good news.
This feature is perfect and I appreciate your great work.
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 08 Dec 2022, 21:22
by saleh
Hello Gregober,
Thank you so much for the new version of DynFi Firewall.
I have tested the new DNS Filtering but it is not working. I mean it does not filter the DNS requests. I see no problem in the configuration.
Thank you.
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 09 Dec 2022, 09:51
by gregober
For the filter to work, you will need to clear your DNS cache. Which OS are you on?
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 09 Dec 2022, 23:40
by saleh
The problem is not the clearing of the DNS cache of the OS.
It seems something is wrong in the configuration of Unbound. No zone files exist for the enabled categories (in my case the advertising and porn categories) and no log files exist. Please find the attached files.
Thank you.
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 11 Dec 2022, 17:40
by gregober
> The problem is not the clearing of the DNS cache of the OS.
> It seems something is wrong in the configuration of Unbound. No zone files exist for the enabled categories (in my case the advertising and porn categories) and no log files exist. Please find the attached files.
> Thank you.
The configuration is ok; there are edge cases where, if you have dual stack with IPv6 + IPv4, it might not filter properly.
In order for the system to work, you need to have a minimum of 8GB of RAM configured.
In a soon to be released upgrade we will show a warning before it is loaded.
The loading of the 5 million "porn" URLs will take about 5 to 10 minutes on a normal system; if you have a faster system, it will take less time. You must be patient!
But you absolutely need to have a minimum of 8GB of RAM, and 12GB would be better.
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 13 Dec 2022, 22:41
by saleh
Thank you for your reply.
The RAM in our LAB VM machine is 8GB. I think the selected lists are not downloaded because I don't see any load for Unbound and nothing loaded into memory. How can I check whether the selected lists are downloaded or not?
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 14 Dec 2022, 09:16
by gregober
> Thank you for your reply.
> The RAM in our LAB VM machine is 8GB. I think the selected lists are not downloaded because I don't see any load for Unbound and nothing loaded into memory. How can I check whether the selected lists are downloaded or not?
This is strange. Did you have a properly working DNS before enabling the RPZ filtering?
You can check if the rpz files are being downloaded by logging into your firewall and checking the /var/unbound directory.
If things are "ok" you should see some rpz files in there, like in the example below.
They are labelled "THEME.rpz.dynfi". Most of them will take a few seconds to be downloaded, unlike "porn.rpz.dynfi", which is quite huge (566Mb) and might take a long time.
To check if your zone transfer is properly working, you can use the following command:
drill @188.165.99.8 redirector.rpz.dynfi axfr
Here is the listing of the /var/unbound directory with few rpz zones enabled:
root@firewall:/var/unbound # ls -alh
total 93834
drwxr-xr-x 9 unbound unbound 28B Dec 14 07:16 .
drwxr-xr-x 31 root wheel 31B Dec 6 15:26 ..
-rw-r--r-- 1 unbound unbound 416B Dec 11 22:46 access_lists.conf
-rw-r----- 1 unbound unbound 102K Dec 11 22:46 cache.dump.gz
drwxr-xr-x 2 unbound unbound 2B Apr 20 2022 conf.d
dr-xr-xr-x 13 unbound unbound 512B Dec 7 12:42 dev
-rw-r--r-- 1 unbound unbound 450B Dec 5 23:24 dhcpleases.conf
-rw-r--r-- 1 unbound unbound 7.7K Dec 5 11:36 doh.rpz.dynfi
-rw-r--r-- 1 unbound unbound 124B Dec 11 22:46 domainoverrides.conf
-rw-r--r-- 1 unbound unbound 2.8M Dec 5 11:36 drugs.rpz.dynfi
drwxr-xr-x 2 unbound unbound 5B Dec 11 22:47 etc
-rw-r--r-- 1 unbound unbound 1.8K Dec 11 22:46 host_entries.conf
drwxr-xr-x 2 unbound unbound 2B Dec 5 11:31 lib
-rw-r--r-- 1 unbound unbound 566M Dec 5 11:40 porn.rpz.dynfi
-rw-r--r-- 1 unbound unbound 3.0M Dec 5 11:36 redirector.rpz.dynfi
-rw-r--r-- 1 unbound unbound 3.2K Dec 11 22:46 root.hints
-rw-r--r-- 1 unbound unbound 758B Dec 14 07:16 root.key
-rw-r--r-- 1 unbound unbound 314B Dec 11 22:46 rpz.whitelist.zone
drwxr-xr-x 2 unbound unbound 2B Dec 5 11:31 run
-rw-r--r-- 1 unbound unbound 4.0M Dec 5 11:36 socialmedia.rpz.dynfi
-rw-r--r-- 1 unbound unbound 2.2K Dec 11 22:46 unbound.conf
-rw------- 1 unbound unbound 2.4K Dec 5 11:31 unbound_control.key
-rw-r----- 1 unbound unbound 1.4K Dec 5 11:31 unbound_control.pem
-rw------- 1 unbound unbound 2.4K Dec 5 11:31 unbound_server.key
-rw-r----- 1 unbound unbound 1.5K Dec 5 11:31 unbound_server.pem
-rw-r--r-- 1 unbound unbound 72K Dec 5 11:36 urlshortener.rpz.dynfi
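The check described in the reply above, as an added shell script that is not part of DynFi Firewall or the original post: it verifies, for each enabled category, that the THEME.rpz.dynfi zone file exists in the given directory, is non-empty, and contains an SOA record (assumed here to mark a completed zone transfer), and optionally repeats the drill AXFR test against the server IP quoted in the thread. Directory and category names are passed as arguments so it can be run on any box.

```shell
#!/bin/sh
# Added example, not DynFi's own tooling. Assumes the THEME.rpz.dynfi naming
# shown in the /var/unbound listing above.

# check_rpz_files DIR CATEGORY...
# Prints one status line per category; returns 0 only when every category
# has a non-empty zone file containing an SOA record.
check_rpz_files() {
    dir=$1; shift
    bad=0
    for theme in "$@"; do
        f="$dir/$theme.rpz.dynfi"
        if [ ! -e "$f" ]; then
            echo "MISSING  $theme: $f not found (download never ran or failed)"
            bad=$((bad + 1))
        elif [ ! -s "$f" ]; then
            echo "EMPTY    $theme: $f is zero bytes (transfer interrupted?)"
            bad=$((bad + 1))
        elif ! grep -q 'SOA' "$f"; then
            # Assumption: a finished AXFR always writes the zone's SOA record.
            echo "PARTIAL  $theme: no SOA record in $f"
            bad=$((bad + 1))
        else
            echo "OK       $theme: $(wc -c < "$f" | tr -d ' ') bytes"
        fi
    done
    [ "$bad" -eq 0 ]
}

# axfr_check CATEGORY
# Live zone-transfer test, same command as in the reply above; only runs
# when drill is installed. Returns 2 if drill is unavailable.
axfr_check() {
    command -v drill >/dev/null 2>&1 || { echo "drill not installed"; return 2; }
    drill @188.165.99.8 "$1.rpz.dynfi" axfr | head -n 5
}

# Usage on the firewall: check_rpz_files /var/unbound doh drugs porn redirector
```

Run it as root on the firewall after enabling categories in the GUI; a MISSING or EMPTY line for a category that has been enabled for more than a few minutes (longer for porn) points at the download, not at the Unbound configuration.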
Re: DynFi Firewall & DNS Filtering with DynFi Firewall and Unbound
Posted: 17 Dec 2022, 08:17
by saleh
I think the problem occurred because our internet service provider forwards all DNS traffic on port 53 to its own DNS servers, so that the selected rpz list is not downloaded. The DNS is working properly only via DNS over TLS, like in the attached file. Is there any way to let the firewall communicate with IP address 188.165.99.8 on port 853 (TLS) instead of the standard port 53?
Thank you.