Differences

This shows you the differences between two versions of the page.

--- pfsense:pfblockerng:whitelisting [2021/02/07 18:12] – created peter
+++ pfsense:pfblockerng:whitelisting [2021/02/07 18:32] (current) – [Whitelist a specific domain that is blocked] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - pfBlockerNG - Whitelisting ======
-You can remove the offending list entirely (**DNSBL -> DNSBL Groups -> Edit the list in question**) or more preferably, you can just whitelist the domain.
+===== Whitelist the offending list =====
-The absolute easiest way to do this is by going to the **Reports** tab and scrolling down to the DNSBL section.
+Navigate to **Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups**.
-Clicking on the **red** lock will temporarily unlock the domain so you can verify if it is indeed the domain that needs to be whitelisted.
+Edit the list in question.
-Clicking the **+** will add the domain to the DNSBL whitelist.
+----
+===== Whitelist a specific domain that is blocked =====
+Navigate to **Firewall -> pfBlockerNG -> Reports**.
+  * Clicking on the **red** lock will temporarily unlock the domain so you can verify if it is indeed the domain that needs to be whitelisted.
+  * Clicking the **+** will add the domain to the DNSBL whitelist.
 {{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_whitelist.png?800|}}
-When clicking the **+** you will then receive a prompt about whether you want to perform a wildcard whitelist or just a whitelist.
+<WRAP info>
+**NOTE:**  When clicking the **+** you will then receive a prompt about whether you want to perform a wildcard whitelist or just a whitelist.
 Read the explanation, but typically use whitelist because it is more exact and less prone to letting something past.
+If the domain that is being whitelisted has a CNAME records, pfBlockerNG is smart enough to add these too.
 <WRAP tip>
-Adding a description so you know what was broken and/or why you fixed it, i.e. today it makes perfect sense, but it might not 6 months from now.
+**TIP**: Adding a description so you know what was broken and/or why you fixed it.
+It might make sense today of why this was whitelisted, but it might not 6 months from now.
 </WRAP>
+</WRAP>
-If you go back to the main DNSBL tab and expand the DNSBL Whitelist section toward the bottom, you should now see the domain you whitelisted.
+----
-You might also notice that if the domain you are whitelisting has CNAME records, pfBlockerNG is smart enough to add those too.
+===== Check what domains are whitelisted =====
+Navigate to **Firewall -> pfBlockerNG -> DNSBL**.
-Simply type each domain in on a separate line and then click **Save** if you know which domains to whitelist.  If you want the whitelist additions/changes to occur sooner rather than later, you will also need to go back to the **Update** tab and click **Run**.  If you don’t want to do the trial and error on your own see some whitelist recommendations below.
+  * Expand the **DNSBL Whitelist** section toward the bottom.
-It's also worth mentioning that if a system already resolved the domain name on your system and it is previously resolved to 10.10.10.1, then you may need to clear your local DNS cache, your browser cache, or both.  To clear your machine’s cache, from a command line on Windows, type in **ipconfig /flushdns** and that should take care of it.  You can run a similar command on a Linux system, although the commands can vary from one installation to the next.  More often than not, simply restarting your network interface will work; on most distributions, **service networking restart** or **systemctl restart network** should take care of it for you.  Each browser has a slightly different way to clear the cache, however, all of them allow you to pull a new version of the website if you hold down **Shift** while clicking on the refresh/reload button.
+----
-If ads are not getting blocked and the ping commands above don’t return the virtual IP address, it’s also possible your local machine is not using pfSense for its DNS settings. If you are using Windows, check your network settings and make sure it is set to your pfSense IP address. On Linux/*nix, check your /etc/resolv.conf or even Network Manager (if using a GUI).  If you are not using pfSense for your DHCP server, you may need to do some digging.
+===== Add manual entries to the Whitelist =====
-Browsers can also get in the way especially with the advent of DNS over HTTPS.  If you find your ping tests work, but your browser doesn’t, then that is most likely your issue.  Although somewhat uncommon, some anti-virus packages and endpoint protection can mess with your DNS settings too.  Furthermore, those changes may not necessarily be reflected in your operating system’s DNS settings.  For example, Avast Premier has a Secure DNS feature that will force your browser to use Avast specified DNS servers in an effort to prevent DNS hijacking.  If you find that other devices on your network are blocking ads and one particular device doesn’t, then your anti-virus or endpoint protection very well may be the culprit.  When all else fails, you can always fire up Wireshark for a packet capture to ensure your system is querying the DNS server(s) you specify.
+Navigate to **Firewall -> pfBlockerNG -> DNSBL**.
+  * Expand the **DNSBL Whitelist** section toward the bottom.
+<WRAP info>
+**NOTE:**  Simply type each domain in on a separate line and then click **Save**.
+Regex entries are not supported.
+To whitelist all subdomains, prefex the line with a dot.
+In order for the whitelist changes to be picked up by pfBlockerNG, an update needs to be run.
+  * Either wait for the next automated update run to happen; or
+  * Navigate to **Firewall -> pfBlockerNG -> Update** and click **Run**.
+It is recommended to clear your local DNS cache, your browser cache, or both.
+</WRAP>
 ----