pfsense:pfblockerng:add_dnsbl_feeds

Differences

This shows you the differences between two versions of the page.

pfsense:pfblockerng:add_dnsbl_feeds [2021/02/07 17:26] – created peterpfsense:pfblockerng:add_dnsbl_feeds [2021/02/07 18:06] (current) – [Forcing DNSBL feed updates] peter
Line 1: Line 1:
 ====== PFSense - pfBlockerNG - Add DNSBL Feeds ====== ====== PFSense - pfBlockerNG - Add DNSBL Feeds ======
 +
 +Navigate to **Firewall -> pfBlockerNG -> Feeds**.
 +
 +Scroll down to the DNSBL Category section.
 +
 +Select the specific list to block by clicking on the **+** key towards the left side.
 +
 +For example to include **Easylist**:
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist.png?800|}}
 +
 +<WRAP info>
 +**NOTE:**  If you look toward the right, you will see another checkbox.  This means the individual feed is enabled.
 +
 +This subtle distinction is extremely important to understanding how aliases and feeds work.  In addition, if a category ever has a problematic feed, you can always disable that feed instead of the entire category, i.e. we do not need to enable every feed for a particular category.
 +
 +For example, if you want to add the **EasyList Adware Filter** or one of the language specific feeds, you would click the **+** sign to the far right and that would add the individual feed to the already existing **EasyList** group.
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist_adware_plus.png?800|}}
 +
 +<WRAP important>
 +**WARNING:**  You can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall.
 +
 +It’s quite possible just adding a few categories by themselves is too much for a resource starved firewall!
 +
 +This is because feeds are periodically downloaded and likewise, unbound is reloaded regularly.
 +
 +If you using a system with limited resources (mainly RAM), you need to be extra careful.
 +
 +When in doubt, add feeds slowly and keep an eye on memory, CPU, etc.
 +</WRAP>
 +
 +</WRAP>
 +
 +
 +----
 +
 +===== Add Feed hphosts =====
 +
 +If we go back to the Feeds, a category (group) recommend adding is hpHosts.  Click the **+** next to the hpHosts header (top left) to add all the feeds related to this category.
 +
 +After clicking the **+** next to the hpHosts category, you are taken to a DNSBL feeds page with all of the feeds under that category pre-populated.
 +
 +All of the feeds in the list will initially be in the **OFF** state.
 +
 +You can go through and enable each one individually or you can click **Enable All** at the bottom of the list.
 +
 +{{:pfsense:pfsense_pfblockerng_feeds_hphosts.png?800|}}
 +
 +Make sure you switch the **Action** from Disabled to Unbound (below).
 +
 +Click **Save DNSBL Settings** at the bottom of the page and you should receive a message at the top along the lines of **<nowiki>Saved [ Type:DNSBL, Name:hpHosts ] configuration</nowiki>**.
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_source_definitions.png?800|}}
 +
 +
 +Click on the **DNSBL Groups** tab and you will be taken to the DNSBL feeds summary.  Assuming everything went as planned, your feeds summary should include the hphosts.
 +
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_groups_summary.png?800|}}
 +
 +----
 +
 +===== Other items worth mentioning =====
 +
 +If you take a look at the **Malicious** category, you will notice that some feeds have selectable options, such as such as the SANS Internet Storm Center feeds (bullet points).
 +
 +<WRAP info>
 +**NOTE:**  It is recommended to switching the feed from ISC_SDH (high) to ISC_SDL (low) as the high feed has under 20 entries and the low feed includes the high feed.
 +
 +In addition, not many false positives have been noticed when using the expanded (low) list.
 +</WRAP>
 +
 +Take note of the door-arrow graphic icons next to several feeds.
 +
 +  * The door-arrow graphic means the feed is a subscription feed, which at the very least means you need to register for it.
 +  * Some subscription feeds also have a fee associated with them.
 +  * Subscription feeds can have a lower false positive rate and are typically updated on a more frequent basis.
 +  * You will see selectable options and subscription feeds throughout the DNSBL feeds so it is important to understand what these graphics mean.
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_malicious.png?800|}}
 +
 +----
 +
 +===== Other recommended feeds =====
 +
 +  * hpHosts (all of them) – From MalwareBytes.
 +  * BBcan177 – From the creator of pfBlockerNG.
 +  * BBC (BBC_DGA_Agr) – From Bambenek Consulting <- This feed is extremely large.
 +  * Cryptojackers (all of them) – This blocks cryptojacking software and in-browser miners, but it also blocks various coin exchanges.
 +
 +<WRAP alert>
 +**ALERT:**  You can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall!
 +
 +If you using a system with limited resources (mainly RAM), you need to be extra careful.
 +
 +When in doubt, add feeds slowly and keep an eye on memory, CPU, etc
 +</WRAP>
 +
 +
 +----
 +
 +
 +===== Problem Solving a Feed =====
 +
 +If you ever experience issues with a particular feed, go to **DNSBL -> DNSBL Groups** and then click the pencil/edit icon next to that particular category.
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_groups_summary_edit.png?800|}}
 +
 +Once in the category edit screen, simply switch those feeds to **OFF** and then click **save** at the bottom.
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_malicious_feed_off.png?800|}}
 +
 +You could also delete those feeds.
 +
 +----
 +
 +===== Forcing DNSBL feed updates =====
 +
 +Anytime you make changes, you can either wait for the next update or you can force the changes yourself.
 +
 +To force the changes, go over to the **Update** tab within pfBlockerNG.
 +
 +<WRAP important>
 +**WARNING:**  Heed the warning and make sure you are not going to run the updates near the time your cron job would automatically run.
 +
 +If the countdown timer is less than 10 minutes, do not run it and instead just wait for the system to run it automatically.
 +
 +</WRAP>
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_update.png?800|}}
 +
 +Assuming you are good on the time, go ahead and click the **Run** button.
 +
 +  * Progress updates will be seen in the gray window below including the number of domains downloaded for each list, when the list was last updated, etc.
 +  * pfBlockerNG is smart enough to check for and eliminate duplicate DNS (# Dups) entries between the lists.
 +
 +{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_update_run_manually.png?800|}}
 +
 +
 +----
  
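Review bot: The warning under "Forcing DNSBL feed updates" tells the reader to "Heed the warning" without saying what that warning is or what goes wrong when a manual run overlaps the scheduled cron run; that information appears to live only in the screenshot, so state it in text next to the 10-minute rule. The resource warning is also pasted twice: once as `<WRAP important>` nested inside the `<WRAP info>` that opens before the EasyList note, and again as `<WRAP alert>` under "Other recommended feeds". Keep a single copy, close the info box before it, and link to it from the second location so the two cannot drift apart. In "Problem Solving a Feed", say whether an update must be forced before a feed switched to **OFF** stops being applied, since the next section only says changes take effect at the next update. Wording to fix while here: "a category (group) recommend adding is hpHosts", "If you using a system" (both copies), "such as such as", "It is recommended to switching", the missing full stop after "CPU, etc", and "(below)" after the Action instruction, which points at an image placed two paragraphs later.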
pfsense/pfblockerng/add_dnsbl_feeds.1612718780.txt.gz · Last modified: 2021/02/07 17:26 by peter
