====== PFSense - pfBlockerNG - Whitelisting ======
===== Whitelist the offending list =====
Navigate to **Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups**.
Edit the list in question.
----
===== Whitelist a specific domain that is blocked =====
Navigate to **Firewall -> pfBlockerNG -> Reports**.
* Clicking on the **red** lock will temporarily unlock the domain so you can verify if it is indeed the domain that needs to be whitelisted.
* Clicking the **+** will add the domain to the DNSBL whitelist.
{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_whitelist.png?800|}}
**NOTE:** When clicking the **+** you will then receive a prompt about whether you want to perform a wildcard whitelist or just a whitelist.
Read the explanation, but typically use whitelist because it is more exact and less prone to letting something past.
If the domain that is being whitelisted has CNAME records, pfBlockerNG is smart enough to add these too.
**TIP:** Add a description so you know what was broken and/or why you fixed it.
It might make sense today why this was whitelisted, but it might not 6 months from now.
----
===== Check what domains are whitelisted =====
Navigate to **Firewall -> pfBlockerNG -> DNSBL**.
* Expand the **DNSBL Whitelist** section toward the bottom.
----
===== Add manual entries to the Whitelist =====
Navigate to **Firewall -> pfBlockerNG -> DNSBL**.
* Expand the **DNSBL Whitelist** section toward the bottom.
**NOTE:** Simply type each domain in on a separate line and then click **Save**.
Regex entries are not supported.
To whitelist all subdomains, prefix the line with a dot.
In order for the whitelist changes to be picked up by pfBlockerNG, an update needs to be run.
* Either wait for the next automated update run to happen; or
* Navigate to **Firewall -> pfBlockerNG -> Update** and click **Run**.
It is recommended to clear your local DNS cache, your browser cache, or both.
----
===== Whitelist Recommendations =====
These are a few domains that cause issues if they end up on the various DNSBLs.
You can easily copy and paste them into the "custom list" as described above. If you used the pfBlockerNG wizard, BBCan has already incorporated these recommendations. If you have no plans to use some of them (based on their name alone), you can and should omit them from your whitelist.
<code>
s3.amazonaws.com
s3-1.amazonaws.com # CNAME for (s3.amazonaws.com)
.github.com
.githubusercontent.com
github.map.fastly.net # CNAME for (raw.githubusercontent.com)
.apple.com
.sourceforge.net
.fls-na.amazon.com # alexa
.control.kochava.com # alexa 2
.device-metrics-us-2.amazon.com # alexa 3
.amazon-adsystem.com # amazon app ads
.px.moatads.com # amazon app 2
.wildcard.moatads.com.edgekey.net # CNAME for (px.moatads.com)
.e13136.g.akamaiedge.net # CNAME for (px.moatads.com)
.secure-gl.imrworldwide.com # amazon app 3
.pixel.adsafeprotected.com # amazon app 4
.anycast.pixel.adsafeprotected.com # CNAME for (pixel.adsafeprotected.com)
.bs.serving-sys.com # amazon app 5
.bs.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com)
.bsla.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com)
.adsafeprotected.com # amazon app 6
.anycast.static.adsafeprotected.com # CNAME for (static.adsafeprotected.com)
google.com
www.google.com
youtube.com
www.youtube.com
youtube-ui.l.google.com # CNAME for (youtube.com)
stackoverflow.com
www.stackoverflow.com
dropbox.com
www.dropbox.com
www.dropbox-dns.com # CNAME for (dropbox.com)
.adsafeprotected.com
control.kochava.com
secure-gl.imrworldwide.com
pbs.twimg.com # twitter images
www.pbs.twimg.com # twitter images
cs196.wac.edgecastcdn.net # CNAME for (pbs.twimg.com)
cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com)
cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com)
cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com)
</code>
----
===== TLD Blacklisting =====
TLD (top-level domain) blacklisting is another option in DNSBL.
Don’t forget you need to **Enable** the TLD option at the top of the DNSBL configuration page to use the features discussed here.
Static blacklisting is not normally advocated because the bad guys will simply move around it; TLD blacklisting is a rare instance where you can eliminate some potential attack vectors, although its usefulness depends entirely on your situation. TLDs are the characters after the last dot of a domain name, e.g. com, net, and biz are some common ones. The number of TLDs has skyrocketed to well over 1,500. Over time, some TLDs have become wastelands for nefarious activity such as command and control servers. If you have no plans to connect to a particular TLD and it has been shown to be less than reputable, i.e. most sane companies wouldn't bother trying to use it for legitimate business, you can just go to the main DNSBL tab and block it outright.
Some TLDs are used extensively for typosquatting: omitting the "o" in .com could be costly.
If you're looking for a little more guidance on what is 'bad', then look no further than Spamhaus and the website link below. Spamhaus is constantly updating this list and related statistics, so check it directly for the most up-to-date information.
https://www.spamhaus.org/statistics/tlds/
Suggest adding the top 3 TLDs, as they are used often for
<code>
cm
party
click
link
</code>
Adding these others would likely not cause too many issues, although keep in mind that you will see false positives:
<code>
technology
gdn
study
men
biz
reise
stream
</code>
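As an added example (not from this page or the pfBlockerNG project), the Python below models the two matching rules this page describes: the DNSBL whitelist syntax from the manual-entry section (exact line vs. leading dot for all subdomains, `#` comments, no regex) and the TLD blacklist above. It assumes a leading-dot entry also covers the apex name and that a whitelist hit overrides a TLD block; the whitelist and TLD samples are constructed.

```python
# Model of pfBlockerNG DNSBL whitelist + TLD blacklist matching (added example).
# Constructed sample of the DNSBL Whitelist custom list, written as the page
# describes: one domain per line, optional '#' comment, leading dot = all
# subdomains, no regex. Not the page's full recommendation list.
WHITELIST_TEXT = """s3.amazonaws.com
.github.com
.githubusercontent.com
github.map.fastly.net # CNAME for (raw.githubusercontent.com)
www.google.com
"""
# Constructed sample of TLDs entered in the DNSBL tab's TLD blacklist.
BLOCKED_TLDS = ("cm", "party", "click", "link", "biz")


def parse_whitelist(text):
    """Split the list into exact names and leading-dot (wildcard) apex names."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if entry.startswith("."):
            wildcard.add(entry.lstrip("."))
        elif entry:
            exact.add(entry)
    return exact, wildcard


def whitelist_match(domain, exact, wildcard):
    """Return the whitelist line that covers domain, or None.
    Assumption: a leading-dot entry covers the apex too, which is what the
    page's '.github.com' entry (with no separate 'github.com') relies on."""
    name = domain.lower().rstrip(".")
    if name in exact:
        return name
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in wildcard:
            return "." + suffix
    return None


def dnsbl_decision(domain, whitelist_text=WHITELIST_TEXT, blocked_tlds=BLOCKED_TLDS):
    """Classify a lookup as ('whitelist', entry), ('tld', tld) or ('pass', None).
    Assumption: a whitelist hit always wins, so a legitimate name on a blocked
    TLD (the false-positive case the page warns about) is rescued by one line."""
    hit = whitelist_match(domain, *parse_whitelist(whitelist_text))
    if hit:
        return ("whitelist", hit)
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in blocked_tlds:
        return ("tld", tld)
    return ("pass", None)
```

Note that `www.google.com` as an exact line does not cover `mail.google.com`; only the leading-dot form does, which is the choice the wildcard prompt in the Reports tab is asking about.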