
pfSense - pfBlockerNG - Add DNSBL Feeds

Navigate to Firewall → pfBlockerNG → Feeds.

Scroll down to the DNSBL Category section.

Select the specific list to block by clicking on the + key towards the left side.

For example to include Easylist:

NOTE: If you look toward the right, you will see another checkbox. That checkbox means the individual feed is enabled.

This subtle distinction is extremely important to understanding how aliases and feeds work. If a category ever contains a problematic feed, you can disable that single feed instead of the entire category; in other words, you do not need to enable every feed in a category.

For example, if you want to add the EasyList Adware Filter or one of the language-specific feeds, click the + sign to the far right and that adds the individual feed to the already existing EasyList group.

WARNING: You can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall.

It is quite possible that adding just a few categories is already too much for a resource-starved firewall!

This is because feeds are downloaded periodically and, likewise, unbound is reloaded regularly.

If you are using a system with limited resources (mainly RAM), you need to be extra careful.

When in doubt, add feeds slowly and keep an eye on memory, CPU, etc.


Add Feed hphosts

If we go back to the Feeds, a category (group) we recommend adding is hpHosts. Click the + next to the hpHosts header (top left) to add all the feeds related to this category.

After clicking the + next to the hpHosts category, you are taken to a DNSBL feeds page with all of the feeds under that category pre-populated.

All of the feeds in the list will initially be in the OFF state.

You can go through and enable each one individually or you can click Enable All at the bottom of the list.

Make sure you switch the Action from Disabled to Unbound (below).

Click Save DNSBL Settings at the bottom of the page and you should receive a message at the top along the lines of Saved [ Type:DNSBL, Name:hpHosts ] configuration.

Click on the DNSBL Groups tab and you will be taken to the DNSBL feeds summary. Assuming everything went as planned, your feeds summary should include hpHosts.


Other items worth mentioning

If you take a look at the Malicious category, you will notice that some feeds have selectable options, such as the SANS Internet Storm Center feeds (bullet points).

NOTE: It is recommended to switch the feed from ISC_SDH (high) to ISC_SDL (low), as the high feed has under 20 entries and the low feed includes the high feed.

In addition, not many false positives have been noticed when using the expanded (low) list.

Take note of the door-arrow graphic icons next to several feeds.

  • The door-arrow graphic means the feed is a subscription feed, which at the very least means you need to register for it.
  • Some subscription feeds also have a fee associated with them.
  • Subscription feeds can have a lower false positive rate and are typically updated on a more frequent basis.
  • You will see selectable options and subscription feeds throughout the DNSBL feeds so it is important to understand what these graphics mean.


  • hpHosts (all of them) – From MalwareBytes.
  • BBcan177 – From the creator of pfBlockerNG.
  • BBC (BBC_DGA_Agr) – From Bambenek Consulting ← This feed is extremely large.
  • Cryptojackers (all of them) – This blocks cryptojacking software and in-browser miners, but it also blocks various coin exchanges.

ALERT: You can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall!

If you are using a system with limited resources (mainly RAM), you need to be extra careful.

When in doubt, add feeds slowly and keep an eye on memory, CPU, etc.


Problem Solving a Feed

If you ever experience issues with a particular feed, go to DNSBL → DNSBL Groups and then click the pencil/edit icon next to that particular category.

Once in the category edit screen, switch those feeds to OFF and then click Save at the bottom.

You could also delete those feeds entirely.


Forcing DNSBL feed updates

Anytime you make changes, you can either wait for the next update or you can force the changes yourself.

To force the changes, go over to the Update tab within pfBlockerNG.

WARNING: Heed the warning on that page and make sure you are not going to run the update close to the time your cron job would run it automatically.

If the countdown timer shows less than 10 minutes, do not run it manually; instead wait for the system to run it automatically.

Assuming you are good on the time, go ahead and click the Run button.

  • Progress updates will be shown in the gray window below, including the number of domains downloaded for each list, when the list was last updated, etc.
  • pfBlockerNG is smart enough to check for and eliminate duplicate DNS entries (# Dups) between the lists.
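As an added example (not pfBlockerNG's own code), the following Python script merges two constructed sample feeds, one in hosts format as hpHosts-style lists are published and one as a plain domain list, and reports per-feed domain counts and the duplicates that the Update output labels # Dups. The feed names and domains are constructed for the example.

```python
import re

# Constructed sample feeds: one in hosts format, one as a plain domain list.
FEEDS = {
    "hpHosts_sample": """# hosts-format feed (constructed sample)
127.0.0.1 ads.example.test
0.0.0.0   tracker.example.test
127.0.0.1 Malware.Example.TEST
127.0.0.1 localhost
""",
    "plain_sample": """# plain domain list (constructed sample)
tracker.example.test
miner.example.test

malware.example.test
""",
}

HOSTS_LINE = re.compile(r"^(?:127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)")
# Names that hosts files carry for local use; they must never be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_feed(text):
    """Yield normalised (lower-case, no trailing dot) domains from a feed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        name = m.group(1) if m else line.split()[0]
        name = name.lower().rstrip(".")
        if name in LOCAL_NAMES:
            continue
        yield name


def merge_feeds(feeds):
    """Return ({feed: domain_count}, unique_total, dups) over all feeds."""
    seen, counts, dups = set(), {}, 0
    for feed_name, text in feeds.items():
        n = 0
        for domain in parse_feed(text):
            n += 1
            if domain in seen:
                dups += 1  # already present from an earlier line or feed
            else:
                seen.add(domain)
        counts[feed_name] = n
    return counts, len(seen), dups


if __name__ == "__main__":
    counts, unique, dups = merge_feeds(FEEDS)
    for feed, n in counts.items():
        print(f"{feed}: {n} domains")
    print(f"unique: {unique}, dups: {dups}")
```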


pfsense/pfblockerng/add_dnsbl_feeds.txt · Last modified: 2021/02/07 18:06 by peter
