Googleadservices

[t84a]

What's blocking this. Even if I disable DNSBL, it still gets blocked. I'd like to unblock it.

[Patrick M. Hausen]

OPNsense does not block any web service by default so it must be something you explicitly configured. If all else fails restore to defaults.

[t84a]

Thanks. I'm running the defaults.

[EricPerl]

Didn't you have an issue with iHeart using one of Stephen Black's lists?

Maybe the block is still active in some cache...

[t84a]

Didn't you have an issue with iHeart using one of Stephen Black's lists?

Maybe the block is still active in some cache...

Where work I look. As I posted, even if I disable blocking, it still gets blocked. Plus, when I look at the log, nothing is getting blocked. Thanks

[EricPerl]

Well, if it has not resolved by now, the cache theory was just a bad guess.

You ought to see actual queries for that domain and replies.
What are the symptoms of the "block"?

As with any internet traffic, you ought to be able to find (in the FW logs) traffic IN on some internal interface, then OUT on wan with a destination equal to what's returned by DNS.

[t84a]

I'm looking at logs but maybe at the wrong ones. Thanks

[t84a]

I can't ping googleadservices.com Diagnostics-Ping

[Seimus]

Do a nslookup please and show the output

nslookup googleadservices.com

Regards,
S.

[t84a]

Thanks see below

[t84a]

Sorry. This post is meaningless without this important information. Setting DNS to Google Public fixed it.

In Chrome settings:

[EricPerl]

So DNS resolves on OPN (using Google's DNS).
You can't ping the IPs returned from OPN (Interfaces diags)? for example 64.233.185.154?

In any case, if your browser is using Google's DNS directly (versus using OPN's DNS), you're using a different path.
On the same machine, the rest of the OS is likely using something else depending on how it's configured.

If you don't configure your devices consistently, troubleshooting needs to take all these settings into consideration.
If your browser is going to 8.8.8.8 (Google public DNS) directly, then DNS filtering on OPN is worthless (port forwarding could handle some use cases, but not DoT).
Using the curl command line could yield a completely different outcome.

Consistent setup:
* No DNS servers in System > Settings > General
* Unbound (Default DNS server) works out of the box as a recursive resolver.
  If you instead want to use DNS over TLS consistently, specify that there (Services > Unbound > DNS over TLS). Pick your provider.
* DHCP by default will by default point clients to the FW's interface IP for DNS (see help tip in Services > ISC DHCP v4 > [Interface] > DNS Servers).
* Don't override settings in browsers so they use OS settings (obtained via DHCP by default).

Then you can test sanely. Verify DNS (GUI or nslookup/dig), Ping (GUI or ping), fetch URL (browser or curl) on different machines (OPN, clients).

[t84a]

I did have the Google DNS in System Settings.  I deleted them and now Googleadservices is blocked again.

[EricPerl]

Start on one end and work your way to the other (for example: OPN, then machine(s), then browser(s) on these machine(s)).

Test DNS (GUI when available, or tool like nslookup).
If it's not working as expected, determine which service is handling the request (Unbound by default on OPN), look at the settings.
Post screenshots if you're stuck.

If you specified an explicit server in your browser, then you're bypassing whatever mechanisms is available at the OS level and whatever infrastructure (e.g. OPN) is used based on configuration at the OS level. That's fine if that's what you want to do but then don't expect DNS filtering on OPN to be effective.

[t84a]

Thanks Eric.

Online NSLookup
Ping and DNSLookup from OPNSense Diagnostics. Ping failed.