This walkthrough uses the DNSBL portion of pfBlockerNG to remove ads/advertising and more importantly, malvertising. It essentially creates a functionality similar to the pi-Hole project except it doesn’t require a separate piece of hardware. Instead, you just use your pfSense + pfBlockerNG! If you’re interested in a write-up on installing/configuring the pi-hole on Ubuntu, I have one here.
Please note this walkthrough is for the new devel version of pfBlockerNG. The pfBlockerNG-devel package is now in the standard list of available packages and no longer requires the development/experimental branch of pfSense firmware. Even though the package states “devel,” I have no issues using it in production. First, I was lucky enough to be a beta tester for this release and the number of changes is astounding. Second, the configuration is 10X easier. Last but not least, the package is extremely stable. All that said, if you are still leery about using a “development” package on your pfSense, the older version of this walkthrough is still available at the link below.
<< Old version of this pfBlockerNG DNSBL guide >>
Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL) – Old
Warning: DO NOT install the latest version of pfBlockerNG unless you are on the most up-to-date version of pfSense. This is especially important if you are on a pfSense before 2.4.4. Version 2.4.4 introduced PHP 7.2 and it broke a lot of packages, not just pfBlockerNG. I would argue you should upgrade pfSense to the latest version *before* installing any new packages and the “official” pfSense upgrade guide backs up my philosophy. The upgrade guide also emphasizes creating backups, rebooting before updates, etc. which are all fantastic advice.
I love pfSense and if I could only install one package to enhance its capabilities, it is undoubtedly pfBlockerNG. It is the very first package I install after configuring a brand new pfSense and in some cases, it is the only one. pfBlockerNG is a pfSense package maintained by @BBcan177 (on Twitter). It’s worth mentioning that BBCan177 has a Patreon campaign where you can easily donate a few bucks to ensure he continues maintaining and adding to the package. If you’re using this in a production environment, I highly encourage you to donate. pfBlockerNG is an absolutely amazing package and I would argue a pfSense install is not complete without it.
pfBlockerNG can add other security enhancements that I’ve discussed on this site such as blocking known bad IP addresses with blocklists (link below). If you don’t already have the blocklist functionality in place on your pfSense, I would strongly suggest adding it after you’re done with this walkthrough.
<< Link goes to the old version as I’m still working on the new guide >>
Using pfBlockerNG (And Block Lists) On pfSense
29May2018 – Originally posted (heavily revised for the new version of pfBlockerNG)
30May2018 – Added TLD feature discussion
4June2018 – Added .cm to TLD block recommendations as well as DNS blocking section
5July 2018 – Added link to Brian Krebs article about TLD ‘badness’
25July2018 – pfBlockerNG-devel no longer requires development firmware
5Sept2018 – Expanded on warning regarding anti-virus and endpoint protection changing DNS settings
27Nov2018 – Added warning about pfSense versions prior to 2.4.4
Why remove advertising?
Advertising is great because it pays content creators for their work. After all, even this site utilizes Google Ads. So why would I create a write-up on blocking ads? Because advertisements are known to carry malicious payloads and it’s impossible to distinguish what’s good and what’s bad. Even the featured image (above) for this article was what I received when I was originally writing this up in my lab with no ad blocking, i.e. I visited a site for 30 seconds on a brand new, fully patched Windows system with an up-to-date Google Chrome install. Yes, advertising really has gotten that bad! And to that end, I’ll happily sacrifice some advertising income for the sake of readers/everyone improving their security. I guess I’ll call that self-deprecating technology! 😉
Upgrading from a previous version
If you’re installing pfBlockerNG for the first time, skip this step and go to installation. *If* you have quite a few custom settings such as rules, IPv4 lists, and DNSBL lists and you want to keep all of your settings, go to Firewall -> pfBlockerNG (General) and make sure ‘Keep Settings’ is checked. If it’s not, put a check there and click ‘Save’ at the bottom.
Unless you have a very complex setup, my personal opinion is to take the check out of ‘Keep settings’ and set up pfBlockerNG from scratch. As you will see during the setup of the new version, adding feeds is ridiculously easy, so don’t assume you are going to spend 20 minutes adding 5 feeds. If you go this route, I would suggest taking screenshots of your various settings as well as the feeds you currently use so you can ensure you add them back in. Trust me when I say that adding feeds in the new version is point and click! Either way, I’ll proceed through this walkthrough whether settings were kept or not and point out the differences along the way.
Go to System -> Package Manager and delete the package.
Go to System -> Package Manager -> Available Packages and type ‘pfblocker’ into the search criteria and then click ‘search.’ Make sure you click ‘install’ on the version with ‘-devel’ at the end of the package name or you will be installing the old one! On the next page, simply click ‘Confirm’ and let the package install. This will take a bit of time as it has to download several files and databases.
I didn’t need this step on the handful of upgrades/installs I’ve done. However, if you do not see “pfBlockerNG-devel” in the list of available packages, you can also try running ‘pkg update -f’ from the command line. Also, don’t worry about the message about running the geoipupdate.sh shell script. That is only necessary with the IP blocklist functionality in pfBlockerNG.
At this point, you have already installed the package. Next, you will need to enable it from the main page (Firewall -> pfBlockerNG). On this page, click ‘Enable’ next to pfBlockerNG and then ‘Enable’ next to Keep Settings. Don’t forget to click ‘Save’ at the bottom. BTW, just a quick shout out to my buddy, Austin, on the sweet logo he created for pfBlockerNG!!!
Next, go to the DNSBL tab and it will take you to the main DNSBL landing page. Place a checkmark in ‘Enable’ next to DNSBL (below). If you only have one internal interface such as LAN, then you shouldn’t need to do anything else. If you have multiple internal interfaces and you would like to protect them with DNSBL, then you will need to pay attention to the ‘Permit Firewall Rules’ section below. First, place a checkmark in the ‘Enable’ box (red square below). Then, select the various interfaces (to the right) by holding down the ‘Ctrl’ key and left-clicking. Don’t forget to hit ‘Save DNSBL settings’ and move to the DNSBL feeds section.
If your pfSense has plenty of memory, another really amazing feature to consider is TLD (below the DNSBL option in the picture below). This option is required for the TLD blacklists discussed later in the walkthrough. What does the TLD feature provide? Normally, DNSBL (and other DNS blackhole software) blocks the domains specified in the feeds and that’s that. What TLD does differently is it will block the domain specified in addition to all of that domain’s subdomains. As a result, a bad guy can’t circumvent the blacklist by creating a random subdomain name such as abcd1234.linuxincluded.com (if linuxincluded.com was in a DNSBL feed). That’s really powerful and as far as I know, it is one of the few DNS blackholing packages that does it. You can get an idea of the memory requirements by clicking on the blue ‘info’ icon next to TLD. If you have less than 2GB of memory on your pfSense, I would skip it. If you’re unsure about your memory, this might be a feature to come back to after you get your feeds and everything else configured. Nonetheless, don’t sleep on this extremely powerful feature because TLD can definitely add several layers of protection.
Configuring DNSBL feeds
Go to ‘Feeds’ (not DNSBL Feeds) at the top. Here you will see all of the pre-configured feeds for the IPv4, IPv6, and DNSBL categories. And yes, there are a bunch of them! You’ll also see custom, user defined feeds at the very bottom if you performed an upgrade and it was unable to match a feed to an existing feed. If you don’t have a “Feeds” sub-menu, that most likely means you are still on the older version of pfBlockerNG. Another way to check is if you have “Alerts” instead of “Reports” along the top row of pfBlockerNG options… That too means you are still on the old version. You can either follow the walkthrough for the older version of pfBlockerNG or switch your pfSense to the devel branch (above).
Scroll down to the ‘DNSBL Category’ header. Click the “+” next to the ADs header (red box below) to add all the feeds related to that category. Note: if you instead click the “+” to the far right of each line (purple box), you will instead only add that individual feed.
If you clicked the ‘+’ next to the ADs category, you are taken to a DNSBL feeds page with all of the feeds under that category pre-populated. All of the feeds in the list will initially be in the ‘OFF’ state. You can go through and enable each one individually or you can click ‘Enable All’ at the bottom of the list (first red box below). Next, make sure you switch the ‘Action’ from Disabled to Unbound (second red box below). Click ‘Save DNSBL Settings’ at the bottom of the page and you should receive a message at the top along the lines of ‘Saved [ Type:DNSBL, Name:ADs ] configuration.’
Click on the ‘DNSBL Feeds’ tab and you will be taken to the DNSBL feeds summary. Assuming everything went as planned, your feeds summary should look similar to the one below.
Go back to the ‘Feeds’ tab up top and then scroll down to the ‘DNSBL category’ section again. We’re going to add another category (after making some changes), but let’s explain everything you see here because there is a lot going on. Looking at the image below, the first orange box (top left, around the checkmark next to the ADs category) means you have a DNSBL category alias for this group. This is the category we just added. On the right hand side, you see the larger orange box. The checkmarks next to each line/feed mean all of those feeds are active in the DNSBL ADs category. This distinction is important to recognize as we add the next category because we do not need to enable every feed for a particular category.
A couple of other items worth mentioning before we add the ‘Malicious’ category. Some feeds have selectable options such as the SANS Internet Storm Center feeds in the purple box. I personally recommend switching the feed from ISC_SDH (high) to ISC_SDL (low) as the high feed has under 20 entries and the low feed includes the high feed. In addition, I haven’t seen many false positives when using the expanded (low) list. Also, take note of the ‘info’ graphic next to the Pulsedive feed highlighted in red below. If you hover over the ‘i’ you will see it states this is a subscription feed, which means you need to pay for it. Subscription feeds can have a lower false positive rate and are typically updated on a more frequent basis. That said, I’m not using them for the purposes of this walkthrough. You will see selectable options and paid feeds throughout the DNSBL feeds so it is important to understand what these graphics mean.
After making the switch to ISC_SDL, click the left-hand plus next to the Malicious category (red arrow below). We’ll start removing feeds in the next screen.
Once again, we are taken to the DNSBL feeds with all of the feeds pre-configured. As when we added the ADs list, go ahead and click ‘Enable All’ followed by changing the ‘Action’ to Unbound. Don’t hit save just yet! We don’t want to include the Pulsedive feed unless you have a subscription. I also disable the Malekal feed as I experienced several false positives with it. Your mileage may vary and they very well may have corrected some of the issues I previously experienced. After disabling those two feeds, we can again click ‘Save DNSBL Settings’ at the bottom of the page. You should receive a message at the top stating ‘Saved [ Type:DNSBL, Name:Malicious ] configuration.’
Click on the ‘DNSBL Feeds’ tab and you are taken back to the DNSBL feeds summary. Assuming everything went as planned, you should see the ADs and Malicious entries in the summary list. Note: Some readers have stated that if you don’t see the feeds or if pfb_dnsbl won’t start, try adding an empty feed manually.
Adding other feeds is just as easy and you can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall. It’s quite possible just adding these two categories alone is too much for a resource-starved firewall! This is because feeds are periodically downloaded and unbound is reloaded every hour. If you’re using a system with limited resources (mainly RAM), you need to be extra careful. When in doubt, add feeds slowly and keep an eye on memory, CPU, etc. If you happen to have an installation of Nagios Core or Nagios XI available, then I’d also recommend heading over to my article on monitoring pfSense with Nagios.
Aside from ADs and Malicious categories, some other DNSBL categories I use and I have tested quite extensively include the following:
- hpHosts (all of them) – From MalwareBytes
- BBcan177 – From the creator of pfBlockerNG
- BBC (BBC_DGA_Agr) – From Bambenek Consulting <- This feed is extremely large
- Cryptojackers (all of them) – This blocks cryptojacking software and in-browser miners, but it also blocks various coin exchanges.
If you try out some of others and you feel like they worked well for you, please let me know and I’d be happy to make changes to this page based on feedback!
Configuring DNSBL EasyList
Next, go to the DNSBL EasyList tab. Make your screen look like the one below by typing in EasyList in the name and description fields, changing EasyList to “ON”, and then selecting the 4 lists to the right. Note: To select all of the EASYLIST categories you need to hold down the “Ctrl” key while you left-click on each of them. You will also need to change ‘Action’ to Unbound as well as change the ‘Update Frequency’ to Every 4 hours. Once those changes are made, click ‘Save DNSBL EasyList Settings’ at the bottom. It’s also worth mentioning there are privacy-related selections in the EasyPrivacy section. I found these to be mostly unusable because they broke several things (mainly related to Amazon), but again, your mileage may vary.
Forcing DNSBL feed updates
Next, go over to the Update tab within pfBlockerNG. Heed the warning in the first red box and make sure you are not going to run the updates near the time your cron job would automatically run. If the countdown timer is less than 3 minutes, I would not recommend running it and instead just wait for the system to run it automatically. Assuming you are good on the time, go ahead and click the ‘Run’ button. You will see progress updates in the gray window below including the number of domains downloaded for each list, when the list was last updated, etc. Also note that pfBlockerNG is smart enough to check for and eliminate duplicate DNS (# Dups) entries between the lists.
[ Spam404 ] Reload [ 05/29/18 16:20:07 ] . completed ..
----------------------------------------------------------------------
 Orig.  Unique  # Dups  # White  # TOP1M  Final
----------------------------------------------------------------------
 7066   7064    62      0        0        7002
----------------------------------------------------------------------
[ SFS_Toxic_BD ] Reload [ 05/29/18 16:20:08 ] . completed ..
----------------------------------------------------------------------
 Orig.  Unique  # Dups  # White  # TOP1M  Final
----------------------------------------------------------------------
 14244  14242   6       0        0        14236
----------------------------------------------------------------------
[ VXVault ] Reload [ 05/29/18 16:20:09 ] . completed ..
----------------------------------------------------------------------
 Orig.  Unique  # Dups  # White  # TOP1M  Final
----------------------------------------------------------------------
 85     62      58      0        0        4
----------------------------------------------------------------------

Saving DNSBL database... completed
------------------------------------------------------------------------
Assembling DNSBL database... completed [ 05/29/18 16:20:14 ]
Reloading Unbound Resolver..... completed [ 05/29/18 16:20:17 ]
DNSBL update [ 158481 | PASSED ]... completed [ 05/29/18 16:20:18 ]
------------------------------------------------------------------------

===[ GeoIP Process ]============================================
===[ IPv4 Process ]=================================================
===[ IPv6 Process ]=================================================
===[ Aliastables / Rules ]==========================================
No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

===[ FINAL Processing ]=====================================
[ Original IP count ] [ 0 ]

===[ DNSBL Domain/IP Counts ] ===================================
158481 total
 43442 /var/db/pfblockerng/dnsbl/hpHosts_ATS.txt
 20749 /var/db/pfblockerng/dnsbl/MDS.txt
 14641 /var/db/pfblockerng/dnsbl/EasyList.txt
 14597 /var/db/pfblockerng/dnsbl/Cameleon.txt
 14236 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
  9660 /var/db/pfblockerng/dnsbl/SWC.txt
  8466 /var/db/pfblockerng/dnsbl/CCT_BD.txt
  7738 /var/db/pfblockerng/dnsbl/Abuse_URLBL.txt
  7002 /var/db/pfblockerng/dnsbl/Spam404.txt
  4529 /var/db/pfblockerng/dnsbl/Abuse_urlhaus.txt
  2592 /var/db/pfblockerng/dnsbl/MDS_Immortal.txt
  2255 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
  1899 /var/db/pfblockerng/dnsbl/Abuse_DOMBL.txt
  1470 /var/db/pfblockerng/dnsbl/ISC_SDL.txt
  1081 /var/db/pfblockerng/dnsbl/MDL.txt
  1071 /var/db/pfblockerng/dnsbl/D_Me_Malv.txt
   930 /var/db/pfblockerng/dnsbl/MVPS.txt
   611 /var/db/pfblockerng/dnsbl/BBC_DC2.txt
   495 /var/db/pfblockerng/dnsbl/SBL_ADs.txt
   402 /var/db/pfblockerng/dnsbl/Adaway.txt
   312 /var/db/pfblockerng/dnsbl/Yoyo.txt
   140 /var/db/pfblockerng/dnsbl/Ponmocup.txt
    45 /var/db/pfblockerng/dnsbl/Botvrij_Dom.txt
    42 /var/db/pfblockerng/dnsbl/Abuse_Zeus_BD.txt
    28 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
    23 /var/db/pfblockerng/dnsbl/Malc0de.txt
    21 /var/db/pfblockerng/dnsbl/H3X_1M.txt
     4 /var/db/pfblockerng/dnsbl/VXVault.txt
     0 /var/db/pfblockerng/dnsbl/D_Me_Malw.txt

====================[ DNSBL Last Updated List Summary ]==============
Jul 31 2015 D_Me_Tracking
Mar  9 2016 D_Me_ADs
Jan 20 18:32 Adaway
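To make the Orig./Unique/# Dups/# White/# TOP1M/Final accounting in that output concrete, here is an added Python example (not pfBlockerNG’s own code) that runs the same bookkeeping over two small constructed feeds. The column arithmetic (Final = Unique - Dups - White - TOP1M) is inferred from the figures above; what ‘Unique’, ‘# Dups’ and ‘# TOP1M’ count, and the accepted hosts-file line format, are assumptions stated in the comments.

```python
"""Reproduce the per-feed DNSBL update accounting on constructed feeds.

Added example, not pfBlockerNG's own code. Final = Unique - Dups - White
- TOP1M is inferred from the figures in the log above (VXVault: 62 - 58
= 4). Assumptions: "Unique" is the number of distinct domains within one
feed after normalisation, "# Dups" is the number already taken from an
earlier feed, "# TOP1M" is the number dropped because they appear in a
top-sites set, and feeds may be hosts-file style ("0.0.0.0 host") or
bare domains.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample feeds (not real feed contents).
FEEDS: Dict[str, str] = {
    "ADs_sample": """
        0.0.0.0 ads.example.net
        127.0.0.1 tracker.example.org
        0.0.0.0 ADS.EXAMPLE.NET      # same host, different case
        0.0.0.0 cdn.bigsite.example  # removed by the TOP1M set
        0.0.0.0 s3.amazonaws.com     # removed by the whitelist
    """,
    "Malicious_sample": """
        ads.example.net              # already taken from ADs_sample
        c2.badhost.example
        tracker.example.org          # already taken from ADs_sample
        c2.badhost.example           # repeated within this feed
    """,
}
WHITELIST = {"s3.amazonaws.com"}   # exact-match whitelist (constructed)
TOP1M = {"cdn.bigsite.example"}    # constructed stand-in for a top-sites list

# Optional leading IPv4 address (hosts-file format), then the host name.
HOST_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}\s+)?([a-z0-9.-]+)$")


def parse_feed(text: str) -> List[str]:
    """Normalised domains from one feed, in file order (duplicates kept).

    Comments and blank lines are dropped, a hosts-file IP prefix is
    stripped, names are lowercased, and trailing dots removed.
    """
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        m = HOST_RE.match(line) if line else None
        if m and m.group(1) not in ("localhost", "localhost.localdomain"):
            domains.append(m.group(1).rstrip("."))
    return domains


def assemble(feeds: Dict[str, str], whitelist=WHITELIST, top1m=TOP1M
             ) -> Tuple[Dict[str, Dict[str, int]], List[str]]:
    """Process feeds in order; return (per-feed stats, final domain list)."""
    seen = set()                            # domains already in the database
    final: List[str] = []
    stats: Dict[str, Dict[str, int]] = {}
    for name, text in feeds.items():
        raw = parse_feed(text)
        unique = list(dict.fromkeys(raw))   # de-duplicate within the feed
        row = {"orig": len(raw), "unique": len(unique),
               "dups": 0, "white": 0, "top1m": 0, "final": 0}
        for d in unique:
            if d in seen:
                row["dups"] += 1            # cross-feed duplicate
            elif d in whitelist:
                row["white"] += 1
            elif d in top1m:
                row["top1m"] += 1
            else:
                seen.add(d)
                final.append(d)
                row["final"] += 1
        stats[name] = row
    return stats, final


def render(stats: Dict[str, Dict[str, int]]) -> str:
    """Format the rows with the same columns as the update log."""
    out = []
    for name, r in stats.items():
        out.append(f"[ {name} ]")
        out.append(" Orig.  Unique  # Dups  # White  # TOP1M  Final")
        out.append(f" {r['orig']:<6} {r['unique']:<7} {r['dups']:<7} "
                   f"{r['white']:<8} {r['top1m']:<8} {r['final']}")
    return "\n".join(out)


if __name__ == "__main__":
    s, db = assemble(FEEDS)
    print(render(s))
    print(f"DNSBL update [ {len(db)} ]")
```

Feeds are processed in dictionary order, so which feed gets charged with a ‘# Dups’ entry depends on list order, just as it does in the real update output.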
Testing By Browsing
So what does the finished product look like? On many sites like YouTube, you’ll see gray boxes where an ad normally would have been. A browser add-on like uBlock Origin (discussed below) further cleans this up by removing the gray box entirely and it also provides some secondary protections. If you visit Yahoo.com (why? seriously, find a new news site), our pfBlockerNG configuration eliminates the wasteland of ads that you normally see as well (red box below). Many sites will look similar to this with vast regions of white space where ads normally would show and don’t be surprised to find ads intermingled with news on many sites. <- In advertising, it’s all about improving that click through ratio (CTR)!
How it works – testing from the command line
So you see the end result when browsing, but what’s really going on? How the DNSBL portion of pfBlockerNG works is most easily seen via a command line. Normally, you would ping 302br.net and get back their actual IP address. However, with pfBlockerNG properly setup you will instead see a reply of 10.10.10.1, which is the default virtual IP address DNSBL creates. Basically, the ad/malvertising domain name is blackholed instead of displaying (or resolving). Feel free to test this against any domain in any one of the lists that you added. If you followed all of my examples/recommendations above for both ads and malicious sites, you will likely have a DNSBL list that is well into the hundreds of thousands if not millions.
Integral Ad Science
# ping 302br.net
PING 302br.net (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1 (10.10.10.1): icmp_seq=1 ttl=64 time=0.684 ms
Yahoo – analytics.yahoo.com
# ping analytics.yahoo.com
PING analytics.yahoo.com (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1 (10.10.10.1): icmp_seq=1 ttl=64 time=1.18 ms
Statistics and graphs
Wouldn’t it be nice to see which groups and feeds are working? No problem! The new version of pfBlockerNG has some really fantastic graphs built-in as shown below. You can even see the top blocked domains, source IPs with the most blocks, blocked user agent strings, TLDs, and much more. Super cool! Also super helpful if you need to whittle down the number of feeds you are using, i.e. this feed accounts for 50% of your blocks and it’s a third the size of these other two feeds combined. Just go to Firewall -> pfBlockerNG -> DNSBL Stats to see all the DNSBL eye candy, aka graphs/stats.
What happens if/when a website is inadvertently blocked? After all, it is bound to happen. You can either remove the offending list entirely (DNSBL -> DNSBL Feeds -> Edit the list in question) or, more preferably, you can just whitelist the domain. The absolute easiest way to do this is by going to the Reports tab and scrolling down to the DNSBL section. Clicking on the red lock (in the orange box below) will temporarily unlock the domain so you can verify if it is indeed the domain that needs to be whitelisted. Clicking the ‘+’ (in the purple box below) will add the domain to the DNSBL whitelist.
When clicking the ‘+’ you will then receive a prompt about whether you want to perform a wildcard whitelist or just a whitelist. Read the explanation, but I typically use whitelist because it is more exact and less prone to letting something past. I would also suggest adding a description so you know what was broken and/or why you fixed it, i.e. today it makes perfect sense, but it might not 6 months from now. In my years of IT/security, I’ve found documentation is as helpful for me as it is for someone else. Maybe I’m just getting old!
If you go back to the main DNSBL tab and expand the DNSBL Whitelist section toward the bottom, you should now see the domain you whitelisted. You might also notice that if the domain you are whitelisting has CNAME records, pfBlockerNG is smart enough to add those too as shown below.
As you might have expected, you can also simply type each domain in on a separate line and then click ‘Save’ if you know which domains to whitelist. If you want the whitelist additions/changes to occur sooner rather than later, you will also need to go back to the ‘Update’ tab and click ‘Run.’ If you don’t want to do the trial and error on your own (and I *really* think you should), I have provided some whitelist recommendations below.
It’s also worth mentioning that if your system already resolved the domain name before the whitelist change and cached the 10.10.10.1 answer, then you may need to clear your local DNS cache, your browser cache, or both. To clear your machine’s cache, from a command line on Windows, type in ‘ipconfig /flushdns’ and that should take care of it. You can run a similar command on a Linux system, although the commands can vary from one installation to the next. More often than not, simply restarting your network interface will work; on most distributions, ‘service networking restart’ or ‘systemctl restart network’ should take care of it for you. Each browser has a slightly different way to clear the cache, however, all of them allow you to pull a new version of the website if you hold down “Shift” while clicking on the refresh/reload button.
If ads are not getting blocked and the ping commands above don’t return the virtual IP address, it’s also possible your local machine is not using pfSense for its DNS settings. If you are using Windows, check your network settings and make sure it is set to your pfSense IP address. On Linux/*nix, check your /etc/resolv.conf or even Network Manager (if using a GUI). If you are not using pfSense for your DHCP server, you may need to do some digging.
Although somewhat uncommon, keep in mind that some anti-virus packages and endpoint protection can mess with your DNS settings. Furthermore, those changes may not necessarily be reflected in your operating system’s DNS settings. For example, Avast Premier has a Secure DNS feature that will force your browser to use Avast specified DNS servers in an effort to prevent DNS hijacking. If you find that other devices on your network are blocking ads and one particular device doesn’t, then your anti-virus or endpoint protection very well may be the culprit. When all else fails, you can always fire up Wireshark for a packet capture to ensure your system is querying the DNS server(s) you specify.
These are a few domains I’ve seen cause issues if they end up on the various DNSBLs. You can easily copy and paste them into the “custom list” as described above. If you have no plans to use some of them (based off their name alone), you can and should omit them from your whitelist. Do you have other recommendations beyond the ones I have listed? Let me know and I’ll add them!
s3.amazonaws.com
s3-1.amazonaws.com # CNAME for (s3.amazonaws.com)
.github.com
.githubusercontent.com
github.map.fastly.net # CNAME for (raw.githubusercontent.com)
.apple.com
.sourceforge.net
.fls-na.amazon.com # alexa
.control.kochava.com # alexa 2
.device-metrics-us-2.amazon.com # alexa 3
.amazon-adsystem.com # amazon app ads
.px.moatads.com # amazon app 2
.wildcard.moatads.com.edgekey.net # CNAME for (px.moatads.com)
.e13136.g.akamaiedge.net # CNAME for (px.moatads.com)
.secure-gl.imrworldwide.com # amazon app 3
.pixel.adsafeprotected.com # amazon app 4
.anycast.pixel.adsafeprotected.com # CNAME for (pixel.adsafeprotected.com)
.bs.serving-sys.com # amazon app 5
.bs.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com)
.bsla.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com)
.adsafeprotected.com # amazon app 6
.anycast.static.adsafeprotected.com # CNAME for (static.adsafeprotected.com)
google.com
www.google.com
youtube.com
www.youtube.com
youtube-ui.l.google.com # CNAME for (youtube.com)
stackoverflow.com
www.stackoverflow.com
dropbox.com
www.dropbox.com
www.dropbox-dns.com # CNAME for (dropbox.com)
.adsafeprotected.com
control.kochava.com
secure-gl.imrworldwide.com
pbs.twimg.com # twitter images
www.pbs.twimg.com # twitter images
cs196.wac.edgecastcdn.net # CNAME for (pbs.twimg.com)
cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com)
cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com)
cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com)
TLD (top-level domain) blacklisting is another option in DNSBL. Don’t forget you need to ‘Enable’ the TLD option at the top of the DNSBL configuration page to use the features discussed here. While I don’t normally advocate static blacklisting because the bad guys will simply move around it, TLD blacklisting is a rare instance where you can eliminate some potential attack vectors, although its usefulness depends entirely on your situation. TLDs are the characters after the last dot on a domain name, e.g. com, net, and biz are some common ones. The number of TLDs has skyrocketed and there were well over 1,500 in early 2017! Over time, some TLDs have become wastelands for nefarious activity such as command and control servers. If you have no plans to connect with a particular TLD and it has shown to be less than reputable, i.e. most sane companies wouldn’t bother trying to use it, you can just go to the main DNSBL tab and block it outright using the section below.
Even Brian Krebs got in on talking about how some TLDs are used extensively for typosquatting in his article Omitting the “o” in .com Could Be Costly. If you don’t want to read the full article, just understand that instead of typing in remax[dot]com, a user mistakenly types in remax[dot]cm and is directed to a malicious site. There are similar alternative .cm domains for ESPN, Hulu, iTunes, Aetna, AOL, Chase, Facebook, WalMart, etc. and over 1000 others. Needless to say, the .cm TLD is not good.
If you’re looking for a little more guidance on what is ‘bad’ then look no further than Spamhaus and the website link below. Our friend Brian Krebs wrote a great article about the badness of TLDs as well. Spamhaus is constantly updating this list and related statistics so check it directly for the most up-to-date information. At the link below, you’ll also find a dropdown to show you the ‘badness’ of every TLD even beyond the top 10 list. At the very least, I would suggest adding the top 3 TLDs in the green box below along with the .cm TLD from the Krebs article. Adding the entire top 10 would likely not cause too many issues, although keep in mind that you will see false positives. For example, note that #8 in the list below is .biz, which is used by legitimate businesses. I’ve added a textual version of the TLD list below the image so you can easily copy/paste it into your firewall.
cm
party
click
link
technology
gdn
study
men
biz
reise
stream
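The three DNSBL behaviours covered above, the TLD option (a listed domain also blocks every subdomain, as in the abcd1234.linuxincluded.com case), the exact-versus-wildcard whitelist choice, and the TLD blacklist, can be modelled together. This is an added Python example and not pfBlockerNG’s or Unbound’s code; the feed, whitelist and TLD sets are constructed, the whitelist is assumed to take precedence over both block checks, and a leading ‘.’ on a whitelist entry is assumed to be the wildcard form used in the list above.

```python
"""Model DNSBL query-time decisions: TLD mode, TLD blacklist, whitelist.

Added example, not pfBlockerNG's or Unbound's code. Constructed data only.
Assumed precedence: whitelist, then TLD blacklist, then feed entries.
A leading "." on a whitelist entry is assumed to be the wildcard form
(the entry and all its subdomains); an entry without it is exact.
"""
from typing import Iterable, List, Optional, Tuple

SINK_IP = "10.10.10.1"   # default DNSBL virtual IP named in the walkthrough

# Constructed sample data (not real feed contents).
DNSBL_FEED = {"302br.net", "analytics.yahoo.com", "linuxincluded.com"}
TLD_BLACKLIST = {"cm", "party", "click"}
WHITELIST = [
    ".github.com",        # wildcard: github.com and every subdomain
    "s3.amazonaws.com",   # exact match only
]


def _labels(name: str) -> List[str]:
    """Lowercase, drop a trailing dot, and split a query name into labels."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def _parents(name: str) -> Iterable[str]:
    """Yield the name, then each parent domain, down to the TLD.

    'a.b.example.com' -> a.b.example.com, b.example.com, example.com, com
    """
    labels = _labels(name)
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def whitelisted(name: str, whitelist=WHITELIST) -> bool:
    """True if an exact entry equals the name or a '.' entry covers it."""
    name = ".".join(_labels(name))
    for entry in whitelist:
        entry = entry.strip().lower()
        if entry.startswith("."):
            base = entry[1:]
            if name == base or name.endswith("." + base):
                return True
        elif name == entry:
            return True
    return False


def blocked_by_feed(name: str, feed=DNSBL_FEED,
                    tld_mode: bool = True) -> Optional[str]:
    """Return the feed entry that blocks `name`, or None.

    Without TLD mode only an exact entry matches. With TLD mode a listed
    domain also matches every subdomain, so abcd1234.linuxincluded.com is
    caught by the entry linuxincluded.com.
    """
    candidates = _parents(name) if tld_mode else [".".join(_labels(name))]
    for candidate in candidates:
        if candidate in feed:
            return candidate
    return None


def blocked_tld(name: str, tlds=TLD_BLACKLIST) -> Optional[str]:
    """Return the blacklisted TLD of `name`, or None."""
    labels = _labels(name)
    return labels[-1] if labels and labels[-1] in tlds else None


def resolve_policy(name: str, tld_mode: bool = True
                   ) -> Tuple[Optional[str], str]:
    """Decide the answer for `name`: (SINK_IP or None, reason)."""
    if whitelisted(name):
        return None, "whitelisted"
    tld = blocked_tld(name)
    if tld:
        return SINK_IP, f"tld blacklist: .{tld}"
    hit = blocked_by_feed(name, tld_mode=tld_mode)
    if hit:
        return SINK_IP, f"dnsbl feed entry: {hit}"
    return None, "not listed"


if __name__ == "__main__":
    for q in ("302br.net", "abcd1234.linuxincluded.com", "remax.cm",
              "raw.github.com", "s3.amazonaws.com", "example.org"):
        print(f"{q:30} -> {resolve_policy(q)}")
```

Running it with tld_mode=False shows why the author recommends the TLD option: the random subdomain slips past an exact-match list but is caught once parent domains are checked.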
DNS blacklists are great, but what if a new ransomware botnet pops up, a user gets infected fairly early in the campaign, and it starts calling previously unknown domains? If your DNSBL feeds are set to update every 4 hours and it takes time for them to get included on that list to begin with, it might take awhile before your DNS catches and blocks it. We need something more real-time… To provide another layer of protection, I would also recommend using Quad9 as your primary DNS on pfSense. I wrote up an article some time ago about how to do just that.
Browser side blocking – Ublock Origin
I constantly preach defense-in-depth and this is no different. You could have every malicious advertising domain on the planet included in your configuration, but a new one will inevitably pop-up 5 minutes from now. Aside from some other defenses, I would also strongly suggest using uBlock Origin on all of your browsers. uBlock Origin exists for Chrome, Firefox, etc. so there really isn’t a reason not to have it! While nothing is foolproof, it is another fantastic addition to your overall security.
Using pfSense as an OpenVPN client
Note the underlined client in the previous headline. This change does not apply to you if you use pfSense as an OpenVPN server, but rather when you use it as an OpenVPN client. In these handful of instances, users are redirecting all of their traffic to a VPN service such as Private Internet Access (PIA) or ExpressVPN. In this scenario, users reported back that their DNS was leaking after configuring the solution above.
You can handle this a number of ways. One possible solution would be to use DNS over TLS as described in Configuring Quad9 on pfSense. Another option is to go to Services -> DNS Resolver and switch the outgoing network interface to LAN only instead of all (shown below). As always, don’t forget to click ‘Save’ after making your changes.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.