====== PFSense - pfBlockerNG - Install pfBlockerNG - Setup DNSBL Blocking ======

===== Enable DNSBL =====

Navigate to **Firewall -> pfBlockerNG -> DNSBL**.

In **DNSBL**:

  * Enable DNSBL: **Checked**.
  * Wildcard Blocking (TLD): **Checked**.

**WARNING:** Wildcard Blocking (TLD) uses a lot of RAM. Do not enable this on systems with less than 8GB RAM!

This setting enables additional processing to block ALL sub-domains for advanced blocking. For example, if TLD is enabled, a list containing sharewiz.net would also result in blog.sharewiz.net being blocked.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_tld.png?800|}}

----

In **DNSBL Webserver Configuration**:

  * Virtual IP Address: **10.10.10.1**.
    * This is the default IP address and should be fine. Only change if needed.
    * Enter an IP address that is not in your internal networks, something like 10.10.10.10.
  * VIP Address Type: **IP Alias**.
    * The default. Only change if needed.
  * Port: **8081**.
    * The default. Only change if needed.
  * SSL Port: **8443**.
    * The default. Only change if needed.
  * Webserver Interface: **LAN**.
    * The default. Only change if needed.
    * Select LAN or another internal interface to listen on.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_webserver_configuration.png?800|}}

----

In **DNSBL Configuration**:

  * Permit Firewall Rules: **Checked**.

**NOTE:**

  * If you ONLY have one LAN interface, leave this setting unchecked.
  * If you have multiple LAN interfaces, check this setting and select each interface to protect.

  * Scroll to the bottom of the page and click the **Save** button.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_permit_firewall_rules_multiple_lans.png?800|}}

----

In **DNSBL Whitelist**:

  * See [[PFSense:pfBlockerNG:DNSBL:DNSBL Whitelist|DNSBL Whitelist]].
  * Enter the following white-list domains and modify as you like:

<code>
.play.google.com
.drive.google.com
.accounts.google.com
.www.google.com
.github.com
.outlook.live.com
.edge-live.outlook.office.com # CNAME for (outlook.live.com)
.outlook.ha-live.office365.com # CNAME for (outlook.live.com)
.outlook.ha.office365.com # CNAME for (outlook.live.com)
.outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
.amazonaws.com
.login.live.com
.login.msa.akadns6.net # CNAME for (login.live.com)
.ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
.mail.google.com
.googlemail.l.google.com # CNAME for (mail.google.com)
.pbs.twimg.com
.wildcard.twimg.com # CNAME for (pbs.twimg.com)
.sites.google.com
.www3.l.google.com # CNAME for (sites.google.com)
.docs.google.com
.mobile.free.fr
.plus.google.com
.samsungcloudsolution.net
.samsungelectronics.com
.icloud.com
.microsoft.com
.windows.com
.skype.com
.googleusercontent.com
</code>

----

In **DNSBL IPs**:

  * List Action: **Deny Both**.
  * Enable Logging: **Enable**.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_dnsbl_ips.png?800|}}

Scroll to the bottom of the page and click the **Save** button.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_save.png?800|}}

----

===== Setup DNSBL EasyLists =====

Navigate to **Firewall -> pfBlockerNG -> Feeds**.

Scroll down to the **DNSBL Category** section.

Select the **Easylist** by clicking on the **+** key towards the left side.

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist.png?800|}}

**NOTE:** See: [[PFSense:pfBlockerNG:Add DNSBL Feeds|Add DNSBL Feeds]].

----

Set EasyList Feeds to:

  * State: **ON**
  * Action: **Unbound**
  * Update Frequency: **Once per day**

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist_feeds.png?800|}}

Scroll to the bottom of the page and click the **Save** button.

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_save.png?800|}}

----

===== Setup Custom DNSBL Lists =====

See [[PFSense:pfBlockerNG:pfBlockerNG DNSBL Lists|pfBlockerNG DNSBL Lists]].

Navigate to **Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups**.

Click the **Add** button.

Give it a **Name** and **Description**.

Add in as many **DNSBL Source Definitions** as needed.

Set:

  * State: **ON**
  * Action: **Unbound**
  * Update Frequency: **Once per day**

For example:

{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_pi_hole.png?800|}}

----

Return to [[PFSense:pfBlockerNG:Install pfBlockerNG|Install pfBlockerNG]] or continue to [[PFSense:pfBlockerNG:Install pfBlockerNG:Update Blocking Lists|Update Blocking Lists]].

----
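
A way to check the finished DNSBL setup from a LAN client, as an added example (not part of the original page or of pfBlockerNG): it reads a whitelist in the format shown under **DNSBL Whitelist**, resolves each name through pfSense and flags any answer equal to the DNSBL Virtual IP. The resolver address 192.168.1.1, the function names, the use of ''dig'', and the premise that blocked names are answered with the Virtual IP Address are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify DNSBL from a LAN client. Not part of pfBlockerNG.
# Assumptions: RESOLVER is the pfSense LAN address (placeholder), `dig` is
# installed, and DNSBL answers blocked names with the Virtual IP Address.
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"   # Virtual IP Address set on this page
RESOLVER="${RESOLVER:-192.168.1.1}"    # assumed pfSense LAN IP, change it

# Turn whitelist lines (".name # comment") into plain host names:
# drop the comment, the leading dot, surrounding blanks and empty lines.
whitelist_names() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*\.*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Classify `dig +short` output (CNAME targets and addresses, one per line).
classify_answer() {
    if [ -z "$1" ]; then
        echo "NOANSWER"
    elif printf '%s\n' "$1" | grep -qxF "$DNSBL_VIP"; then
        echo "SINKHOLED"
    else
        echo "RESOLVED"
    fi
}

# Query one name through the pfSense resolver and print its status.
check_name() {
    answer=$(dig +short +time=2 +tries=1 A "$1" @"$RESOLVER" 2>/dev/null)
    printf '%-40s %s\n' "$1" "$(classify_answer "$answer")"
}

# Usage: ./check_dnsbl.sh whitelist.txt  (file holds the whitelist as pasted)
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    whitelist_names < "$1" | while read -r name; do check_name "$name"; done
fi
```

Whitelisted names should never show SINKHOLED, while a name taken from one of the enabled feeds should. NOANSWER is normal for entries such as .amazonaws.com that only cover sub-domains.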