====== PFSense - pfBlockerNG - Add DNSBL Feeds ======

Navigate to **Firewall -> pfBlockerNG -> Feeds**. Scroll down to the DNSBL Category section. Select the specific list to block by clicking on the **+** key towards the left side. For example, to include **Easylist**:

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist.png?800|}}

**NOTE:** If you look toward the right, you will see another checkbox. This means the individual feed is enabled. This subtle distinction is extremely important to understanding how aliases and feeds work. In addition, if a category ever has a problematic feed, you can always disable that feed instead of the entire category, i.e. you do not need to enable every feed for a particular category.

For example, if you want to add the **EasyList Adware Filter** or one of the language-specific feeds, you would click the **+** sign to the far right and that would add the individual feed to the already existing **EasyList** group.

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist_adware_plus.png?800|}}

**WARNING:** You can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall. It's quite possible that just adding a few categories by themselves is too much for a resource-starved firewall! This is because feeds are periodically downloaded and, likewise, unbound is reloaded regularly. If you are using a system with limited resources (mainly RAM), you need to be extra careful. When in doubt, add feeds slowly and keep an eye on memory, CPU, etc.

----

===== Add Feed hpHosts =====

If we go back to the Feeds, a category (group) we recommend adding is hpHosts. Click the **+** next to the hpHosts header (top left) to add all the feeds related to this category. After clicking the **+** next to the hpHosts category, you are taken to a DNSBL feeds page with all of the feeds under that category pre-populated. All of the feeds in the list will initially be in the **OFF** state.
You can go through and enable each one individually, or you can click **Enable All** at the bottom of the list.

{{:pfsense:pfsense_pfblockerng_feeds_hphosts.png?800|}}

Make sure you switch the **Action** from Disabled to Unbound (below). Click **Save DNSBL Settings** at the bottom of the page and you should receive a message at the top along the lines of **Saved [ Type:DNSBL, Name:hpHosts ] configuration**.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_source_definitions.png?800|}}

Click on the **DNSBL Groups** tab and you will be taken to the DNSBL feeds summary. Assuming everything went as planned, your feeds summary should include hpHosts.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_groups_summary.png?800|}}

----

===== Other items worth mentioning =====

If you take a look at the **Malicious** category, you will notice that some feeds have selectable options, such as the SANS Internet Storm Center feeds (bullet points).

**NOTE:** It is recommended to switch the feed from ISC_SDH (high) to ISC_SDL (low), as the high feed has under 20 entries and the low feed includes the high feed. In addition, not many false positives have been noticed when using the expanded (low) list.

Take note of the door-arrow graphic icons next to several feeds.

  * The door-arrow graphic means the feed is a subscription feed, which at the very least means you need to register for it.
  * Some subscription feeds also have a fee associated with them.
  * Subscription feeds can have a lower false positive rate and are typically updated on a more frequent basis.
  * You will see selectable options and subscription feeds throughout the DNSBL feeds, so it is important to understand what these graphics mean.

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_malicious.png?800|}}

----

===== Other recommended feeds =====

  * hpHosts (all of them) – From MalwareBytes.
  * BBcan177 – From the creator of pfBlockerNG.
  * BBC (BBC_DGA_Agr) – From Bambenek Consulting <- This feed is extremely large.
  * Cryptojackers (all of them) – This blocks cryptojacking software and in-browser miners, but it also blocks various coin exchanges.

**ALERT:** You can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall! If you are using a system with limited resources (mainly RAM), you need to be extra careful. When in doubt, add feeds slowly and keep an eye on memory, CPU, etc.

----

===== Problem Solving a Feed =====

If you ever experience issues with a particular feed, go to **DNSBL -> DNSBL Groups** and then click the pencil/edit icon next to that particular category.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_groups_summary_edit.png?800|}}

Once in the category edit screen, simply switch those feeds to **OFF** and then click **Save** at the bottom.

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_malicious_feed_off.png?800|}}

You could also delete those feeds.

----

===== Forcing DNSBL feed updates =====

Anytime you make changes, you can either wait for the next update or force the changes yourself. To force the changes, go over to the **Update** tab within pfBlockerNG.

**WARNING:** Heed the warning and make sure you are not going to run the updates near the time your cron job would automatically run. If the countdown timer is less than 10 minutes, do not run it; instead, just wait for the system to run it automatically.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_update.png?800|}}

Assuming you are good on the time, go ahead and click the **Run** button.

  * Progress updates will be seen in the gray window below, including the number of domains downloaded for each list, when the list was last updated, etc.
  * pfBlockerNG is smart enough to check for and eliminate duplicate DNS (# Dups) entries between the lists.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_update_run_manually.png?800|}}

----
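As an added example (not pfBlockerNG's own code) of what an Update run does behind the scenes: the script below parses two constructed feed snippets in the two common feed formats (hosts-file style and plain domain list), counts cross-feed duplicates the way the # Dups column reports them, and emits unbound local-data records that answer each blocked name with a sinkhole address. The feed contents, the feed names and the 10.10.10.1 sinkhole address are constructed for the example; the exact unbound configuration pfBlockerNG writes is not shown on this page.

```python
import re
# Constructed sample feeds (not real feed contents). FEED_A is hosts-file
# format, FEED_B a plain domain list; the overlap between them is deliberate.
FEED_A = """# hosts-format feed (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
0.0.0.0 Miner.Example.org
"""
FEED_B = """# plain domain list (constructed)
ads.example.com   # also in FEED_A
exchange.example.io
tracker.example.net
"""
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*$")  # hostname, not an IP
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}  # never sinkhole these

def parse_feed(text):
    """Return normalised (lower-case) domains from a hosts-style or plain feed."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        domain = parts[1] if len(parts) > 1 else parts[0]  # "<ip> <domain>" or "<domain>"
        if domain not in SKIP and DOMAIN_RE.match(domain):
            out.append(domain)
    return out

def merge_feeds(feeds):
    """Merge feeds in order; an entry already seen counts as a dup for that feed."""
    seen, merged, dups = set(), [], {}
    for name, text in feeds.items():
        dups[name] = 0
        for d in parse_feed(text):
            if d in seen:
                dups[name] += 1
            else:
                seen.add(d)
                merged.append(d)
    return merged, dups

def unbound_lines(domains, vip):
    """unbound local-data records answering each blocked name with the sinkhole IP."""
    return ['local-data: "%s A %s"' % (d, vip) for d in domains]

if __name__ == "__main__":
    merged, dups = merge_feeds({"feed_a": FEED_A, "feed_b": FEED_B})
    print(dups)  # {'feed_a': 0, 'feed_b': 2}
    print("\n".join(unbound_lines(merged, "10.10.10.1")))  # 10.10.10.1 is a placeholder VIP
```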