
PFSense - pfBlockerNG - Install pfBlockerNG - Setup DNSBL Blocking

Enable DNSBL

Navigate to Firewall → pfBlockerNG → DNSBL.

In DNSBL:

  • Enable DNSBL: Checked.
  • Wildcard Blocking (TLD): Checked.

WARNING: Wildcard Blocking (TLD) uses a lot of RAM.

Do not enable this on systems with less than 8GB RAM!

This setting enables additional processing to block ALL sub-domains for advanced blocking.

For example, if a list contains sharewiz.net, then blog.sharewiz.net is also blocked when TLD is enabled.


In DNSBL Webserver Configuration:

  • Virtual IP Address: 10.10.10.1. This is the default and should be fine. Only change it if needed; if you do, enter an IP address that is not used in any of your internal networks, something like 10.10.10.10.
  • VIP Address Type: IP Alias. The default. Only change if needed.
  • Port: 8081. The default. Only change if needed.
  • SSL Port: 8443. The default. Only change if needed.
  • Webserver Interface: LAN. The default. Only change if needed. Select LAN or another internal interface to listen on.


In DNSBL Configuration:

  • Permit Firewall Rules: Checked.

NOTE:

  • If you ONLY have one LAN interface, leave this setting unchecked.
  • If you have multiple LAN interfaces, check this setting and select each interface to protect.

Scroll to the bottom of the page and click the Save button.


In DNSBL Whitelist:

  • Enter the following white-list domains and modify as you like (a leading dot covers the domain and its sub-domains; text after # is a comment):

    .play.google.com
    .drive.google.com
    .accounts.google.com
    .www.google.com
    .github.com
    .outlook.live.com
    .edge-live.outlook.office.com # CNAME for (outlook.live.com)
    .outlook.ha-live.office365.com # CNAME for (outlook.live.com)
    .outlook.ha.office365.com # CNAME for (outlook.live.com)
    .outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
    .amazonaws.com
    .login.live.com
    .login.msa.akadns6.net # CNAME for (login.live.com)
    .ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
    .mail.google.com
    .googlemail.l.google.com # CNAME for (mail.google.com)
    .pbs.twimg.com
    .wildcard.twimg.com # CNAME for (pbs.twimg.com)
    .sites.google.com
    .www3.l.google.com # CNAME for (sites.google.com)
    .docs.google.com
    .mobile.free.fr
    .plus.google.com
    .samsungcloudsolution.net
    .samsungelectronics.com
    .icloud.com
    .microsoft.com
    .windows.com
    .skype.com
    .googleusercontent.com
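The two settings above interact: Wildcard Blocking (TLD) widens what a feed blocks to every sub-domain, and the whitelist (including the CNAME targets listed with "# CNAME for" comments) carves exceptions back out. The following model of those decisions is an added example, not pfBlockerNG's own code. It assumes: a whitelist entry with a leading dot covers the domain and all sub-domains while an entry without the dot matches only that exact name; text after # is a comment; with TLD enabled a listed domain also blocks all of its sub-domains; sinkholed names answer with the DNSBL virtual IP (10.10.10.1 by default); and a query is sinkholed if any name in its CNAME chain is blocked. The feed and whitelist contents are constructed samples.

```python
"""Model of pfBlockerNG DNSBL decisions: TLD wildcard blocking plus whitelist.

Added example, not pfBlockerNG code. The matching rules below are assumptions
stated in the lead-in; the feed and whitelist text are constructed samples.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

DNSBL_VIP = "10.10.10.1"  # page default for the DNSBL Webserver virtual IP

# Constructed sample feed in the two common layouts: hosts-file style
# ("<ip> <domain>") and one domain per line. Not a real list.
SAMPLE_FEED = """\
# constructed sample feed
0.0.0.0 ads.example
127.0.0.1 tracker.example.net
sharewiz.net
twimg.com
"""

# Constructed whitelist in the page's syntax (leading dot, '#' comments).
SAMPLE_WHITELIST = """\
.pbs.twimg.com
.wildcard.twimg.com # CNAME for (pbs.twimg.com)
tracker.example.net
"""


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_feed(text: str) -> Set[str]:
    """Normalize hosts-style and plain-domain feed lines to bare domains."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            try:
                ipaddress.ip_address(fields[0])  # hosts layout: keep the domain column
                line = fields[1]
            except ValueError:
                continue  # unrecognised layout: skip (constructed rule)
        domains.add(line.lower().rstrip("."))
    return domains


def parse_whitelist(text: str) -> List[Tuple[str, bool]]:
    """Return (domain, covers_subdomains) pairs; a leading '.' covers sub-domains."""
    entries: List[Tuple[str, bool]] = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        entries.append((line.lstrip(".").lower(), line.startswith(".")))
    return entries


def _parents(name: str) -> Iterable[str]:
    """Yield the name, then each parent: blog.sharewiz.net, sharewiz.net, net."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_whitelisted(name: str, whitelist: List[Tuple[str, bool]]) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or (wild and name.endswith("." + d)) for d, wild in whitelist)


def is_blocked(name: str, blocklist: Set[str], tld_wildcard: bool) -> bool:
    name = name.lower().rstrip(".")
    if name in blocklist:
        return True
    # TLD wildcard: a listed domain also blocks every sub-domain beneath it
    return tld_wildcard and any(p in blocklist for p in _parents(name))


def resolve(name: str, blocklist: Set[str], whitelist: List[Tuple[str, bool]],
            tld_wildcard: bool) -> Optional[str]:
    """Return the DNSBL VIP if the query is sinkholed, else None (normal DNS)."""
    if is_whitelisted(name, whitelist):
        return None
    return DNSBL_VIP if is_blocked(name, blocklist, tld_wildcard) else None


def chain_sinkholed(chain: List[str], blocklist: Set[str],
                    whitelist: List[Tuple[str, bool]], tld_wildcard: bool) -> bool:
    """A CNAME chain is sinkholed if any name in it is blocked (assumption), which
    is why the page whitelists CNAME targets next to the name actually queried."""
    return any(resolve(n, blocklist, whitelist, tld_wildcard) == DNSBL_VIP for n in chain)


if __name__ == "__main__":
    bl, wl = parse_feed(SAMPLE_FEED), parse_whitelist(SAMPLE_WHITELIST)
    for tld in (False, True):
        print(f"TLD={tld}: blog.sharewiz.net ->", resolve("blog.sharewiz.net", bl, wl, tld))
    chain = ["pbs.twimg.com", "wildcard.twimg.com"]
    print("chain with CNAME target whitelisted:", chain_sinkholed(chain, bl, wl, True))
    print("chain without it:", chain_sinkholed(chain, bl, wl[:1], True))
```

Run stand-alone, the script shows that blog.sharewiz.net is only sinkholed when TLD is on, and that whitelisting pbs.twimg.com alone is not enough once twimg.com is blocked with TLD enabled, because the CNAME target wildcard.twimg.com is still caught; adding the ".wildcard.twimg.com" entry, as the page does, lets the whole chain resolve.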

In DNSBL IPs:

  • List Action: Deny Both.
  • Enable Logging: Enable.

Scroll to the bottom of the page and click the Save button.


Setup DNSBL EasyLists

Navigate to Firewall → pfBlockerNG → Feeds.

Scroll down to the DNSBL Category section.

Select EasyList by clicking the + icon on the left side.

NOTE: See: Add DNSBL Feeds.


Set EasyList Feeds to:

  • State: ON
  • Action: Unbound
  • Update Frequency: Once per day

Scroll to the bottom of the page and click the Save button.


Setup Custom DNSBL Lists

See pfBlockerNG DNSBL Lists.

Navigate to Firewall → pfBlockerNG → DNSBL → DNSBL Groups.

Click the Add button.

Give it a Name and Description.

Add in as many DNSBL Source Definitions as needed.

Set:

  • State: ON
  • Action: Unbound
  • Update Frequency: Once per day



Return to Install pfBlockerNG or continue to Update Blocking Lists.


pfsense/pfblockerng/install_pfblockerng/setup_dnsbl_blocking.txt · Last modified: 2023/04/22 10:22 by peter
