pfBlockerNG and VLANs

Hello forum,

I finally got my new Netgate SG-2100 working with three VLANs and my next step is to get pfBlockerNG working…

I have pfBlockerNG installed and it works just fine on LAN connected computers; however, computers that are attached to any of the VLANs still see ads…

I have followed both videos on both versions of pfBlockerNG; however, no dice!

Any clues and places to go and read more information about how to set this up?

What is very odd is that when I do an nslookup on a machine on one of the VLANs, I get:

$ nslookup
> google.com
Server:         127.0.0.53
Address:      127.0.0.53#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.190.110

Which looks good… Also, when I look up an ad site, I get what I think looks good… as it returns the ad blackhole website…

$ nslookup
> adspeed.net
Server:         127.0.0.53
Address:      127.0.0.53#53

Non-authoritative answer:
Name:   adspeed.net
Address: 10.10.10.1

This seems odd to me, that it looks like pfBlockerNG blocked the ad site and returns 10.10.10.1; however, the ad still shows up on the page…

Thanks,

They are likely using a different DNS server or maybe their browsers are using DNS over HTTPS.

I do have firewall rules for each VLAN to force UDP/53 to the pfSense… I will dig deeper.

DNS over HTTPS bypasses that.

Hum… On Ubuntu, if I do…

$ dig adspeed.net
.
.
.
;; ANSWER SECTION:
adspeed.net.   60   IN   A   10.10.10.1

So it looks like DNS is working; however, you're saying that the browser is messing things up… On Ubuntu, it is Firefox…

If I run nmcli, I get:

$ nmcli device show show | grep -i IP4.DNS
IP.DNS[1]:       192.168.20.1

Which is the IP address of the VLAN…

Digging deeper…

Okay, Tom, you were 100% correct! Firefox is using DNS over HTTPS. If I turn that off in the browser, the ads are gone.

So now I am reading “Redirecting Client DNS Requests” as well as how to set up DoH blocking in pfSenseNG.
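As an added example (not from this thread, pfSense or the pfBlockerNG project), here is a small Python audit of a Firefox profile's prefs.js and user.js that reports whether network.trr.mode puts the browser on DNS over HTTPS, which is what slipped past the UDP/53 redirect rule above. The sample prefs.js content is constructed, and the profile directory is whatever path you hand to audit_profile().

```python
import re
from pathlib import Path

# about:config overrides are persisted as lines of the form user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("(?P<key>[^"]+)",\s*(?P<val>[^)]+)\);')

# Documented meanings of network.trr.mode (TRR = Trusted Recursive Resolver).
TRR_MODES = {
    0: "default: system resolver unless Mozilla's rollout enabled DoH",
    1: "reserved: treated as off",
    2: "DoH first, fall back to the system resolver on failure",
    3: "DoH only, never use the system resolver",
    5: "off by explicit user choice",
}

def parse_prefs(text: str) -> dict:
    """Map pref name -> raw value (surrounding quotes stripped) for every user_pref() line."""
    return {m.group("key"): m.group("val").strip().strip('"')
            for m in PREF_RE.finditer(text)}

def doh_status(prefs_js: str, user_js: str = "") -> dict:
    """Classify a profile's DoH posture; user.js entries override prefs.js at startup."""
    prefs = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    mode = int(prefs.get("network.trr.mode", 0))
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown value"),
        # Modes 2 and 3 send queries inside HTTPS on port 443, so a UDP/53 redirect
        # rule and the pfBlockerNG sinkhole answer (10.10.10.1 above) never see them.
        "bypasses_local_resolver": mode in (2, 3),
        "resolver": prefs.get("network.trr.uri", "(Firefox built-in default)"),
    }

def audit_profile(profile_dir: str) -> dict:
    """Read prefs.js and user.js from a Firefox profile directory and classify it."""
    base = Path(profile_dir)

    def read(name: str) -> str:
        path = base / name
        return path.read_text() if path.exists() else ""

    return doh_status(read("prefs.js"), read("user.js"))

# Constructed sample: a profile where the user switched DoH on ("Max Protection").
SAMPLE_PREFS_JS = '''
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("browser.startup.homepage", "about:home");
'''

if __name__ == "__main__":
    print(doh_status(SAMPLE_PREFS_JS))
    # A user.js carrying this single line forces DoH off on every start of Firefox:
    print(doh_status(SAMPLE_PREFS_JS, 'user_pref("network.trr.mode", 5);'))
```

Mode 0 only means nothing is set explicitly in the profile, so a client reporting 0 should still be confirmed with the dig-against-the-VLAN-gateway check shown earlier in the thread.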