Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL)

This walkthrough uses the DNSBL portion of pfBlockerNG to remove ads/advertising and, more importantly, malvertising. It essentially provides functionality similar to the Pi-hole project, except it doesn’t require a separate piece of hardware. Instead, you just use your pfSense + pfBlockerNG! If you’re interested in a write-up on installing/configuring Pi-hole on Ubuntu, I have one here.

Please note this walkthrough is for the new devel version of pfBlockerNG. The pfBlockerNG-devel package is now in the standard list of available packages and no longer requires the development/experimental branch of pfSense firmware. Even though the package states “devel,” I have no issues using it in production. First, I was lucky enough to be a beta tester for this release and the number of changes is astounding. Second, the configuration is 10X easier. Last but not least, the package is extremely stable. All that said, if you are still leery about using a “development” package on your pfSense, the older version of this walkthrough is still available at the link below.

<< Old version of this pfBlockerNG DNSBL guide >>
Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL) – Old

I love pfSense and if I could only install one package to enhance its capabilities, it is undoubtedly pfBlockerNG. It is the very first package I install after configuring a brand new pfSense and in some cases, it is the only one. pfBlockerNG is a pfSense package maintained by @BBcan177 (on Twitter). It’s worth mentioning that BBCan177 has a Patreon campaign where you can easily donate a few bucks to ensure he continues maintaining and adding to the package. If you’re using this in a production environment, I highly encourage you to donate. pfBlockerNG is an absolutely amazing package and I would argue a pfSense install is not complete without it.

pfBlockerNG can add other security enhancements that I’ve discussed on this site such as blocking known bad IP addresses with blocklists (link below). If you don’t already have the blocklist functionality in place on your pfSense, I would strongly suggest adding it after you’re done with this walkthrough.

<< Link goes to the old version as I’m still working on the new guide >>
Using pfBlockerNG (And Block Lists) On pfSense

Changelog
29May2018 – Originally posted (heavily revised for the new version of pfBlockerNG)
30May2018 – Added TLD feature discussion
4June2018 – Added .cm to TLD block recommendations as well as DNS blocking section
5July2018 – Added link to Brian Krebs article about TLD ‘badness’
25July2018 – pfBlockerNG-devel no longer requires development firmware
5Sept2018 – Expanded on warning regarding anti-virus and endpoint protection changing DNS settings

Why remove advertising?

Advertising is great because it pays content creators for their work. After all, even this site utilizes Google Ads. So why would I create a write-up on blocking ads? Because advertisements are known to carry malicious payloads and it’s impossible to distinguish what’s good and what’s bad. Even the featured image (above) for this article was what I received when I was originally writing this up in my lab with no ad blocking, i.e. I visited a site for 30 seconds on a brand new, fully patched Windows system with an up-to-date Google Chrome install. Yes, advertising really has gotten that bad! And to that end, I’ll happily sacrifice some advertising income for the sake of readers/everyone improving their security. I guess I’ll call that self-deprecating technology! 😉

Upgrading from a previous version

If you are installing pfBlockerNG for the first time, skip this step and go to installation. *If* you have quite a few custom settings such as rules, IPv4 lists, and DNSBL lists and you want to keep all of your settings, go to Firewall -> pfBlockerNG (General) and make sure ‘Keep Settings’ is checked. If it’s not, put a check there and click ‘Save’ at the bottom.

old pfblockerng keep settings

Unless you have a very complex setup, my personal opinion is to take the check out of ‘Keep settings’ and set up pfBlockerNG from scratch. As you will see during the setup of the new version, adding feeds is ridiculously easy, so don’t assume you are going to spend 20 minutes adding 5 feeds. If you go this route, I would suggest taking screenshots of your various settings as well as the feeds you currently use so you can ensure you add them back in. Trust me when I say that adding feeds in the new version is point and click! Either way, I’ll proceed through this walkthrough whether settings were kept or not and point out the differences along the way.

Go to System -> Package Manager and delete the package.

Delete pfBlockerNG

Installation

Go to System -> Package Manager -> Available Packages and type ‘pfblocker’ into the search criteria and then click ‘search.’ Make sure you click ‘install’ on the version with ‘-devel’ at the end of the package name or you will be installing the old one! On the next page, simply click ‘Confirm’ and let the package install. This will take a bit of time as it has to download several files and databases.

I didn’t need this step on the handful of upgrades/installs I’ve done. However, if you do not see “pfBlockerNG-devel” in the list of available packages, you can also try running ‘pkg update -f’ from the command line. Also, don’t worry about the message about running the geoipupdate.sh shell script. That is only necessary with the IP blocklist functionality in pfBlockerNG.

Installing pfBlockerNG devel

At this point, you have already installed the package. Next, you will need to enable it from the main page (Firewall -> pfBlockerNG). On this page, click ‘Enable’ next to pfBlockerNG and then ‘Enable’ next to Keep Settings. Don’t forget to click ‘Save’ at the bottom. BTW, just a quick shout out to my buddy, Austin, on the sweet logo he created for pfBlockerNG!!!

New pfBlockerNG main page

Configuring DNSBL

Next, go to the DNSBL tab and it will take you to the main DNSBL landing page. Place a checkmark in ‘Enable’ next to DNSBL (below). If you only have one internal interface such as LAN, then you shouldn’t need to do anything else. If you have multiple internal interfaces and you would like to protect them with DNSBL, then you will need to pay attention to the ‘Permit Firewall Rules’ section below. First, place a checkmark in the ‘Enable’ box (red square below). Then, select the various interfaces (to the right) by holding down the ‘Ctrl’ key and left-clicking. Don’t forget to hit ‘Save DNSBL settings’ and move to the DNSBL feeds section.

If your pfSense has plenty of memory, another really amazing feature to consider is TLD (below the DNSBL option in the picture below). This option is required for the TLD blacklists discussed later in the walkthrough. What does the TLD feature provide? Normally, DNSBL (and other DNS blackhole software) blocks the domains specified in the feeds and that’s that. What TLD does differently is block the domain specified in addition to all of that domain’s subdomains. As a result, a bad guy can’t circumvent the blacklist by creating a random subdomain name such as abcd1234.linuxincluded.com (if linuxincluded.com was in a DNSBL feed). That’s really powerful and, as far as I know, it is one of the few DNS blackholing tools that does it. You can get an idea of the memory requirements by clicking on the blue ‘info’ icon next to TLD. If you have less than 2GB of memory on your pfSense, I would skip it. If you’re unsure about your memory, this might be a feature to come back to after you get your feeds and everything else configured. Nonetheless, don’t sleep on this extremely powerful feature because TLD can definitely add several layers of protection.

DNSBL main page

Configuring DNSBL feeds

Go to ‘Feeds’ (not DNSBL Feeds) at the top. Here you will see all of the pre-configured feeds for the IPv4, IPv6, and DNSBL categories. And yes, there are a bunch of them! You’ll also see custom, user defined feeds at the very bottom if you performed an upgrade and it was unable to match a feed to an existing feed. If you don’t have a “Feeds” sub-menu, that most likely means you are still on the older version of pfBlockerNG. Another way to check is if you have “Alerts” instead of “Reports” along the top row of pfBlockerNG options… That too means you are still on the old version. You can either follow the walkthrough for the older version of pfBlockerNG or switch your pfSense to the devel branch (above).

Scroll down to the ‘DNSBL Category’ header. Click the “+” next to the ADs header (red box below) to add all the feeds related to that category. Note: if you instead click the “+” to the far right of each line (purple box), you will instead only add that individual feed.

DNSBL add ads category

If you clicked the ‘+’ next to the ADs category, you are taken to a DNSBL feeds page with all of the feeds under that category pre-populated. All of the feeds in the list will initially be in the ‘OFF’ state. You can go through and enable each one individually or you can click ‘Enable All’ at the bottom of the list (first red box below). Next, make sure you switch the ‘Action’ from Disabled to Unbound (second red box below). Click ‘Save DNSBL Settings’ at the bottom of the page and you should receive a message at the top along the lines of ‘Saved [ Type:DNSBL, Name:ADs ] configuration.’

Enabling DNSBL ads feed

Click on the ‘DNSBL Feeds’ tab and you will be taken to the DNSBL feeds summary. Assuming everything went as planned, your feeds summary should look similar to the one below.

DNSBL feeds summary

Go back to the ‘Feeds’ tab up top and then scroll down to the ‘DNSBL category’ section again. We’re going to add another category (after making some changes), but let’s explain everything you see here because there is a lot going on. Looking at the image below, the first orange box (upper left, around the checkmark next to the ADs category) means you have a DNSBL category alias for this group. This is the category we just added. On the right hand side, you see the larger orange box. The checkmarks next to each line/feed mean all of those feeds are active in the DNSBL ADs category. This distinction is important to recognize as we add the next category because we do not need to enable every feed for a particular category.

A couple of other items worth mentioning before we add the ‘Malicious’ category. Some feeds have selectable options such as the SANS Internet Storm Center feeds in the purple box. I personally recommend switching the feed from ISC_SDH (high) to ISC_SDL (low) as the high feed has under 20 entries and the low feed includes the high feed. In addition, I haven’t seen many false positives when using the expanded (low) list. Also, take note of the ‘info’ graphic next to the Pulsedive feed highlighted in red below. If you hover over the ‘i’ you will see it states this is a subscription feed, which means you need to pay for it. Subscription feeds can have a lower false positive rate and are typically updated on a more frequent basis. That said, I’m not using them for the purposes of this walkthrough. You will see selectable options and paid feeds throughout the DNSBL feeds so it is important to understand what these graphics mean.

After making the switch to ISC_SDL, click the left-hand plus next to the Malicious category (red arrow below). We’ll start removing feeds in the next screen.

Add Malicious DNSBL category

Once again, we are taken to the DNSBL feeds with all of the feeds pre-configured. As when we added the ADs list, go ahead and click ‘Enable All’ followed by changing the ‘Action’ to Unbound. Don’t hit save just yet! We don’t want to include the Pulsedive feed unless you have a subscription. I also disable the Malekal feed as I experienced several false positives with it. Your mileage may vary and they very well may have corrected some of the issues I previously experienced. After disabling those two feeds, we can again click ‘Save DNSBL Settings’ at the bottom of the page. You should receive a message at the top stating ‘Saved [ Type:DNSBL, Name:Malicious ] configuration.’

Turning off feeds in malicious category

Click on the ‘DNSBL Feeds’ tab and you are taken back to the DNSBL feeds summary. Assuming everything went as planned, you should see the ADs and Malicious entries in the summary list.

DNSBL feeds summary 2

Adding other feeds is just as easy and you can add as many feeds as you like, but keep in mind that too many feeds can potentially slow down your firewall. It’s quite possible just adding these two categories alone is too much for a resource starved firewall! This is because feeds are periodically downloaded and unbound is reloaded every hour. If you’re using a system with limited resources (mainly RAM), you need to be extra careful. When in doubt, add feeds slowly and keep an eye on memory, CPU, etc. If you happen to have an installation of Nagios Core or Nagios XI available, then I’d also recommend heading over to my article on monitoring pfSense with Nagios.

Aside from ADs and Malicious categories, some other DNSBL categories I use and I have tested quite extensively include the following:

  • hpHosts (all of them) – From MalwareBytes
  • BBcan177 – From the creator of pfBlockerNG
  • BBC (BBC_DGA_Agr) – From Bambenek Consulting <- This feed is extremely large
  • Cryptojackers (all of them) – This blocks cryptojacking software and in-browser miners, but it also blocks various coin exchanges.

If you try out some of the others and you feel like they worked well for you, please let me know and I’d be happy to make changes to this page based on feedback!

Configuring DNSBL EasyList

Next, go to the DNSBL EasyList tab. Make your screen look like the one below by typing EasyList in the name and description fields, changing EasyList to “ON”, and then selecting the 4 lists to the right. Note: To select all of the EASYLIST categories you need to hold down the “Ctrl” key while you left-click on each of them. You will also need to change ‘Action’ to Unbound as well as change the ‘Update Frequency’ to Every 4 hours. Once those changes are made, click ‘Save DNSBL EasyList Settings’ at the bottom. It’s also worth mentioning there are privacy related selections in the EasyPrivacy section. I found these to be mostly unusable because they broke several things (mainly related to Amazon), but again, your mileage may vary.

DNSBL easylist selections

Forcing DNSBL feed updates

Next, go over to the Update tab within pfBlockerNG. Heed the warning in the first red box and make sure you are not going to run the updates near the time your cron job would automatically run. If the countdown timer is less than 3 minutes, I would not recommend running it and instead just wait for the system to run it automatically. Assuming you are good on the time, go ahead and click the ‘Run’ button. You will see progress updates in the gray window below including the number of domains downloaded for each list, when the list was last updated, etc. Also note that pfBlockerNG is smart enough to check for and eliminate duplicate DNS (# Dups) entries between the lists.

Updating DNSBL lists

[ Spam404 ] Reload [ 05/29/18 16:20:07 ] . completed ..
----------------------------------------------------------------------
Orig. Unique # Dups # White # TOP1M Final 
----------------------------------------------------------------------
7066 7064 62 0 0 7002 
----------------------------------------------------------------------

[ SFS_Toxic_BD ] Reload [ 05/29/18 16:20:08 ] . completed ..
----------------------------------------------------------------------
Orig. Unique # Dups # White # TOP1M Final 
----------------------------------------------------------------------
14244 14242 6 0 0 14236 
----------------------------------------------------------------------

[ VXVault ] Reload [ 05/29/18 16:20:09 ] . completed ..
----------------------------------------------------------------------
Orig. Unique # Dups # White # TOP1M Final 
----------------------------------------------------------------------
85 62 58 0 0 4 
----------------------------------------------------------------------

Saving DNSBL database... completed

------------------------------------------------------------------------
Assembling DNSBL database... completed [ 05/29/18 16:20:14 ]
Reloading Unbound Resolver..... completed [ 05/29/18 16:20:17 ]
DNSBL update [ 158481 | PASSED ]... completed [ 05/29/18 16:20:18 ]
------------------------------------------------------------------------

===[ GeoIP Process ]============================================


===[ IPv4 Process ]=================================================


===[ IPv6 Process ]=================================================


===[ Aliastables / Rules ]==========================================

No changes to Firewall rules, skipping Filter Reload
No Changes to Aliases, Skipping pfctl Update

===[ FINAL Processing ]=====================================

[ Original IP count ] [ 0 ]

===[ DNSBL Domain/IP Counts ] ===================================

158481 total
43442 /var/db/pfblockerng/dnsbl/hpHosts_ATS.txt
20749 /var/db/pfblockerng/dnsbl/MDS.txt
14641 /var/db/pfblockerng/dnsbl/EasyList.txt
14597 /var/db/pfblockerng/dnsbl/Cameleon.txt
14236 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
9660 /var/db/pfblockerng/dnsbl/SWC.txt
8466 /var/db/pfblockerng/dnsbl/CCT_BD.txt
7738 /var/db/pfblockerng/dnsbl/Abuse_URLBL.txt
7002 /var/db/pfblockerng/dnsbl/Spam404.txt
4529 /var/db/pfblockerng/dnsbl/Abuse_urlhaus.txt
2592 /var/db/pfblockerng/dnsbl/MDS_Immortal.txt
2255 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
1899 /var/db/pfblockerng/dnsbl/Abuse_DOMBL.txt
1470 /var/db/pfblockerng/dnsbl/ISC_SDL.txt
1081 /var/db/pfblockerng/dnsbl/MDL.txt
1071 /var/db/pfblockerng/dnsbl/D_Me_Malv.txt
930 /var/db/pfblockerng/dnsbl/MVPS.txt
611 /var/db/pfblockerng/dnsbl/BBC_DC2.txt
495 /var/db/pfblockerng/dnsbl/SBL_ADs.txt
402 /var/db/pfblockerng/dnsbl/Adaway.txt
312 /var/db/pfblockerng/dnsbl/Yoyo.txt
140 /var/db/pfblockerng/dnsbl/Ponmocup.txt
45 /var/db/pfblockerng/dnsbl/Botvrij_Dom.txt
42 /var/db/pfblockerng/dnsbl/Abuse_Zeus_BD.txt
28 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
23 /var/db/pfblockerng/dnsbl/Malc0de.txt
21 /var/db/pfblockerng/dnsbl/H3X_1M.txt
4 /var/db/pfblockerng/dnsbl/VXVault.txt
0 /var/db/pfblockerng/dnsbl/D_Me_Malw.txt

====================[ DNSBL Last Updated List Summary ]==============

Jul 31 2015 D_Me_Tracking
Mar 9 2016 D_Me_ADs
Jan 20 18:32 Adaway
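The per-feed tables in the update output above are worth more than a glance: Final is what survives after cross-feed duplicates, whitelist hits and TOP1M hits are subtracted from Unique, so the columns should add up, and a feed that ends at 0 usually means the download itself failed (a reader in the comments hit exactly that when the feed host landed on a blacklist). The following parser is an added example, not code from the walkthrough or from pfBlockerNG; it reads text pasted from the Update tab, checks each feed’s arithmetic, and flags feeds that are empty or mostly redundant with other feeds (the kind of information the author suggests using to whittle feeds down). The sample log is constructed: the Spam404 and VXVault numbers are the ones shown above, the D_Me_Malw block is made up to show a failed download.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format pfBlockerNG prints on the Update tab.
# Spam404 and VXVault numbers match the walkthrough; D_Me_Malw is made up.
SAMPLE_LOG = """\
[ Spam404 ] Reload [ 05/29/18 16:20:07 ] . completed ..
----------------------------------------------------------------------
Orig. Unique # Dups # White # TOP1M Final
----------------------------------------------------------------------
7066 7064 62 0 0 7002
----------------------------------------------------------------------

[ VXVault ] Reload [ 05/29/18 16:20:09 ] . completed ..
----------------------------------------------------------------------
Orig. Unique # Dups # White # TOP1M Final
----------------------------------------------------------------------
85 62 58 0 0 4
----------------------------------------------------------------------

[ D_Me_Malw ] Reload [ 05/29/18 16:20:10 ] . completed ..
----------------------------------------------------------------------
Orig. Unique # Dups # White # TOP1M Final
----------------------------------------------------------------------
0 0 0 0 0 0
----------------------------------------------------------------------
"""

HEADER_RE = re.compile(r"^\[ (?P<name>\S+) \] Reload \[ (?P<when>[^\]]+) \]")
COUNTS_RE = re.compile(r"^(\d+) (\d+) (\d+) (\d+) (\d+) (\d+)\s*$")


@dataclass
class FeedStats:
    name: str
    when: str
    orig: int
    unique: int
    dups: int
    white: int
    top1m: int
    final: int

    def consistent(self) -> bool:
        # Final is what is left of the unique entries once cross-feed
        # duplicates, whitelist hits and TOP1M hits are removed.
        return self.final == self.unique - self.dups - self.white - self.top1m


def parse_update_log(text: str) -> List[FeedStats]:
    """Pair each '[ Feed ] Reload [ time ]' header with the count row below it."""
    feeds: List[FeedStats] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("name"), m.group("when"))
            continue
        m = COUNTS_RE.match(line)
        if m and current:
            feeds.append(FeedStats(*current, *(int(x) for x in m.groups())))
            current = None
    return feeds


def review(feeds: List[FeedStats], dup_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Return feed name -> list of things a firewall admin should look at."""
    findings: Dict[str, List[str]] = {}
    for f in feeds:
        notes = []
        if f.final == 0:
            notes.append("no entries after processing: check the feed URL/download")
        if not f.consistent():
            notes.append("counts do not add up: log may be truncated or garbled")
        if f.unique and f.dups / f.unique >= dup_ratio:
            notes.append(f"{f.dups}/{f.unique} entries already present in other feeds")
        if notes:
            findings[f.name] = notes
    return findings


def total_final(feeds: List[FeedStats]) -> int:
    return sum(f.final for f in feeds)


if __name__ == "__main__":
    stats = parse_update_log(SAMPLE_LOG)
    for f in stats:
        print(f"{f.name:12} final={f.final:6} consistent={f.consistent()}")
    print("total unique domains loaded:", total_final(stats))
    for name, notes in review(stats).items():
        print(f"{name}: " + "; ".join(notes))
```

Paste the whole Update tab output into a file and feed it to parse_update_log; the dup_ratio threshold is a tunable guess, not a pfBlockerNG setting, so adjust it to taste before retiring a feed on its say-so.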

Testing By Browsing

So what does the finished product look like? On many sites like YouTube, you’ll see gray boxes where an ad normally would have been. A browser add-on like uBlock Origin (discussed below) further cleans this up by removing the gray box entirely and it also provides some secondary protections. If you visit Yahoo.com (why? seriously, find a new news site), our pfBlockerNG configuration eliminates the wasteland of ads that you normally see as well (red box below). Many sites will look similar to this with vast regions of white space where ads normally would show and don’t be surprised to find ads intermingled with news on many sites. <- In advertising, it’s all about improving that click through ratio (CTR)!

Blocking Ads on Yahoo

How it works – testing from the command line

So you see the end result when browsing, but what’s really going on? How the DNSBL portion of pfBlockerNG works is most easily seen via a command line. Normally, you would ping 302br.net and get back their actual IP address. However, with pfBlockerNG properly setup you will instead see a reply of 10.10.10.1, which is the default virtual IP address DNSBL creates. Basically, the ad/malvertising domain name is blackholed instead of displaying (or resolving). Feel free to test this against any domain in any one of the lists that you added. If you followed all of my examples/recommendations above for both ads and malicious sites, you will likely have a DNSBL list that is well into the hundreds of thousands if not millions.

Integral Ad Science

# ping 302br.net
PING 302br.net (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1 (10.10.10.1): icmp_seq=1 ttl=64 time=0.684 ms

Yahoo – analytics.yahoo.com

# ping analytics.yahoo.com 
PING analytics.yahoo.com (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1 (10.10.10.1): icmp_seq=1 ttl=64 time=1.18 ms

Statistics and graphs

Wouldn’t it be nice to see which groups and feeds are working? No problem! The new version of pfBlockerNG has some really fantastic graphs built-in as shown below. You can even see the top blocked domains, source IPs with the most blocks, blocked user agent strings, TLDs, and much more. Super cool! Also super helpful if you need to whittle down the number of feeds you are using, i.e. this feed accounts for 50% of your blocks and it’s a third the size of these other two feeds combined. Just go to Firewall -> pfBlockerNG -> DNSBL Stats to see all the DNSBL eye candy, aka graphs/stats.

DNSBL graphs

DNSBL top feeds

Troubleshooting/Whitelisting

What happens if/when a website is inadvertently blocked? After all, it is bound to happen. You can either remove the offending list entirely (DNSBL -> DNSBL Feeds -> Edit the list in question) or, more preferably, you can just whitelist the domain. The absolute easiest way to do this is by going to the Reports tab and scrolling down to the DNSBL section. Clicking on the red lock (in the orange box below) will temporarily unlock the domain so you can verify if it is indeed the domain that needs to be whitelisted. Clicking the ‘+’ (in the purple box below) will add the domain to the DNSBL whitelist.

pfBlockerNG DNSBL report

When clicking the ‘+’ you will then receive a prompt about whether you want to perform a wildcard whitelist or just a whitelist. Read the explanation, but I typically use whitelist because it is more exact and less prone to letting something past. I would also suggest adding a description so you know what was broken and/or why you fixed it, i.e. today it makes perfect sense, but it might not 6 months from now. In my years of IT/security, I’ve found documentation is as helpful for me as it is for someone else. Maybe I’m just getting old!

Adding domains to DNSBL whitelist

If you go back to the main DNSBL tab and expand the DNSBL Whitelist section toward the bottom, you should now see the domain you whitelisted. You might also notice that if the domain you are whitelisting has CNAME records, pfBlockerNG is smart enough to add those too as shown below.

DNSBL Whitelist entries

As you might have expected, you can also simply type each domain in on a separate line and then click ‘Save’ if you know which domains to whitelist. If you want the whitelist additions/changes to occur sooner rather than later, you will also need to go back to the ‘Update’ tab and click ‘Run.’ If you don’t want to do the trial and error on your own (and I *really* think you should), I have provided some whitelist recommendations below.

It’s also worth mentioning that if a domain was already resolved on your system before you whitelisted it, the answer 10.10.10.1 may still be cached, so you may need to clear your local DNS cache, your browser cache, or both. To clear your machine’s cache, from a command line on Windows, type in ‘ipconfig /flushdns’ and that should take care of it. You can run a similar command on a Linux system, although the commands can vary from one installation to the next. More often than not, simply restarting your network interface will work; on most distributions, ‘service networking restart’ or ‘systemctl restart network’ should take care of it for you. Each browser has a slightly different way to clear the cache; however, all of them allow you to pull a new version of the website if you hold down “Shift” while clicking on the refresh/reload button.

If ads are not getting blocked and the ping commands above don’t return the virtual IP address, it’s also possible your local machine is not using pfSense for its DNS settings. If you are using Windows, check your network settings and make sure it is set to your pfSense IP address. On Linux/*nix, check your /etc/resolv.conf or even Network Manager (if using a GUI). If you are not using pfSense for your DHCP server, you may need to do some digging.

Although somewhat uncommon, keep in mind that some anti-virus packages and endpoint protection can mess with your DNS settings. Furthermore, those changes may not necessarily be reflected in your operating system’s DNS settings. For example, Avast Premier has a Secure DNS feature that will force your browser to use Avast specified DNS servers in an effort to prevent DNS hijacking. If you find that other devices on your network are blocking ads and one particular device doesn’t, then your anti-virus or endpoint protection very well may be the culprit. When all else fails, you can always fire up Wireshark for a packet capture to ensure your system is querying the DNS server(s) you specify.

Whitelist Recommendations

These are a few domains I’ve seen cause issues if they end up on the various DNSBLs. You can easily copy and paste them into the “custom list” as described above. If you have no plans to use some of them (based off their name alone), you can and should omit them from your whitelist. Do you have other recommendations beyond the ones I have listed? Let me know and I’ll add them!

s3.amazonaws.com
s3-1.amazonaws.com # CNAME for (s3.amazonaws.com)
.github.com
.githubusercontent.com 
github.map.fastly.net # CNAME for (raw.githubusercontent.com)
.apple.com 
.sourceforge.net
.fls-na.amazon.com # alexa
.control.kochava.com # alexa 2
.device-metrics-us-2.amazon.com # alexa 3
.amazon-adsystem.com # amazon app ads
.px.moatads.com # amazon app 2
.wildcard.moatads.com.edgekey.net # CNAME for (px.moatads.com)
.e13136.g.akamaiedge.net # CNAME for (px.moatads.com)
.secure-gl.imrworldwide.com # amazon app 3
.pixel.adsafeprotected.com # amazon app 4
.anycast.pixel.adsafeprotected.com # CNAME for (pixel.adsafeprotected.com)
.bs.serving-sys.com # amazon app 5
.bs.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com)
.bsla.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com)
.adsafeprotected.com # amazon app 6
.anycast.static.adsafeprotected.com # CNAME for (static.adsafeprotected.com)
google.com
www.google.com
youtube.com
www.youtube.com
youtube-ui.l.google.com # CNAME for (youtube.com)
stackoverflow.com
www.stackoverflow.com
dropbox.com
www.dropbox.com
www.dropbox-dns.com # CNAME for (dropbox.com)
.adsafeprotected.com
control.kochava.com
secure-gl.imrworldwide.com
pbs.twimg.com # twitter images
www.pbs.twimg.com # twitter images
cs196.wac.edgecastcdn.net # CNAME for (pbs.twimg.com)
cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com)
cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com)
cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com)

TLD Blacklisting

TLD (top-level domain) blacklisting is another option in DNSBL. Don’t forget you need to ‘Enable’ the TLD option at the top of the DNSBL configuration page to use the features discussed here. While I don’t normally advocate static blacklisting because the bad guys will simply move around it, TLD blacklisting is a rare instance where you can eliminate some potential attack vectors, although its usefulness depends entirely on your situation. TLDs are the characters after the last dot in a domain name, e.g. com, net, and biz are some common ones. The number of TLDs has skyrocketed and there were well over 1,500 in early 2017! Over time, some TLDs have become wastelands for nefarious activity such as command and control servers. If you have no plans to connect to a particular TLD and it has shown to be less than reputable, i.e. most sane companies wouldn’t bother trying to use it, you can just go to the main DNSBL tab and block it outright using the section below.

DNSBL TLD Blacklist

Even Brian Krebs got in on talking about how some TLDs are used extensively for typosquatting — Omitting the “o” in .com Could Be Costly. If you don’t want to read the full article, just understand that instead of typing in remax[dot]com, a user mistakenly types in remax[dot]cm and is directed to a malicious site. There are similar alternative .cm domains for ESPN, Hulu, iTunes, Aetna, AOL, Chase, Facebook, WalMart, etc. and over 1000 others. Needless to say, the .cm TLD is not good.

If you’re looking for a little more guidance on what is ‘bad’ then look no further than Spamhaus and the website link below. Our friend Brian Krebs wrote a great article about the badness of TLDs as well. Spamhaus is constantly updating this list and related statistics so check it directly for the most up-to-date information. At the link below, you’ll also find a dropdown to show you the ‘badness’ of every TLD even beyond the top 10 list. At the very least, I would suggest adding the top 3 TLDs in the green box below along with the .cm TLD from the Krebs article. Adding the entire top 10 would likely not cause too many issues, although keep in mind that you will see false positives. For example, note that #8 in the list below is .biz, which is used by legitimate businesses. I’ve added a textual version of the TLD list below the image so you can easily copy/paste it into your firewall.

https://www.spamhaus.org/statistics/tlds/

Spamhaus most abused TLDs

cm
party
click
link
technology
gdn
study
men
biz
reise
stream
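To tie together the pieces described so far (the 10.10.10.1 answer from the ping tests, the TLD feature that extends a feed entry to all of its subdomains, the difference between a plain and a wildcard whitelist entry, and the TLD blacklist), here is a small model of the decision the resolver ends up making for a query. This is an added example, not code from the walkthrough or from pfBlockerNG, and it only models the behaviour the walkthrough describes. Assumptions, labelled in the code: the whitelist text uses the same syntax as the recommendations above (one name per line, a leading “.” meaning the domain and all of its subdomains, “#” starting a comment), the whitelist is consulted before any block decision, and the feed contents and TLD list are a tiny constructed subset.

```python
from typing import Optional, Set, Tuple

# Default virtual IP that DNSBL answers with for blocked names (from the walkthrough).
DNSBL_VIP = "10.10.10.1"

# Constructed whitelist in the walkthrough's own format. Assumption: a leading "."
# is the wildcard form (domain plus every subdomain); "#" starts a comment.
WHITELIST_TEXT = """\
s3.amazonaws.com
s3-1.amazonaws.com # CNAME for (s3.amazonaws.com)
.github.com
github.map.fastly.net # CNAME for (raw.githubusercontent.com)
"""

# Constructed, deliberately tiny stand-ins for the feed contents and the TLD blacklist.
# 302br.net and analytics.yahoo.com are the two names the walkthrough pings.
DNSBL_DOMAINS = {"302br.net", "analytics.yahoo.com", "s3.amazonaws.com", "github.com"}
TLD_BLACKLIST = {"cm", "party", "click"}


def parse_whitelist(text: str) -> Tuple[Set[str], Set[str]]:
    """Split whitelist text into exact names and wildcard (domain + subdomains) names."""
    exact: Set[str] = set()
    wildcard: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()   # drop comments and whitespace
        if not entry:
            continue
        if entry.startswith("."):
            wildcard.add(entry.lstrip("."))
        else:
            exact.add(entry)
    return exact, wildcard


def covers(domain: str, name: str) -> bool:
    """True if domain is name itself or sits anywhere beneath it."""
    return domain == name or domain.endswith("." + name)


def is_whitelisted(domain: str, exact: Set[str], wildcard: Set[str]) -> bool:
    return domain in exact or any(covers(domain, w) for w in wildcard)


def dnsbl_answer(domain: str, whitelist_text: str = WHITELIST_TEXT,
                 feeds: Set[str] = DNSBL_DOMAINS, bad_tlds: Set[str] = TLD_BLACKLIST,
                 tld_mode: bool = True) -> Optional[str]:
    """Return DNSBL_VIP if the query would be blackholed, or None if it would resolve
    normally. Modelled order (assumption): whitelist wins, then the TLD blacklist,
    then the feed entries. With tld_mode on, a feed entry also covers every
    subdomain beneath it, which is the walkthrough's abcd1234.example case."""
    domain = domain.rstrip(".").lower()
    exact, wildcard = parse_whitelist(whitelist_text)
    if is_whitelisted(domain, exact, wildcard):
        return None
    if domain.rsplit(".", 1)[-1] in bad_tlds:
        return DNSBL_VIP
    if domain in feeds:
        return DNSBL_VIP
    if tld_mode and any(covers(domain, listed) for listed in feeds):
        return DNSBL_VIP
    return None


if __name__ == "__main__":
    for name in ["302br.net", "abcd1234.302br.net", "remax.cm",
                 "raw.github.com", "s3.amazonaws.com", "bucket.s3.amazonaws.com"]:
        print(f"{name:28} tld_mode=on -> {dnsbl_answer(name)}   "
              f"tld_mode=off -> {dnsbl_answer(name, tld_mode=False)}")
```

Two results are worth noticing when you run it: bucket.s3.amazonaws.com is still blackholed even though s3.amazonaws.com is whitelisted, because a plain entry does not cover subdomains (that is what the wildcard prompt at whitelist time is about), and abcd1234.302br.net is only blocked when tld_mode is on, which is the gap the TLD feature closes.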

DNS blocking

DNS blacklists are great, but what if a new ransomware botnet pops up, a user gets infected fairly early in the campaign, and it starts calling previously unknown domains? If your DNSBL feeds are set to update every 4 hours and it takes time for the domains to get included on a list to begin with, it might take a while before your DNS catches and blocks them. We need something more real-time… To provide another layer of protection, I would also recommend using Quad9 as your primary DNS on pfSense. I wrote up an article some time ago about how to do just that.

Configuring Quad9 on pfSense

Browser side blocking – Ublock Origin

I constantly preach defense-in-depth and this is no different. You could have every malicious advertising domain on the planet included in your configuration, but a new one will inevitably pop-up 5 minutes from now. Aside from some other defenses, I would also strongly suggest using uBlock Origin on all of your browsers. uBlock Origin exists for Chrome, Firefox, etc. so there really isn’t a reason not to have it! While nothing is foolproof, it is another fantastic addition to your overall security.

uBlock Origin

Using pfSense as an OpenVPN client

Note the word client in the previous heading. This change does not apply to you if you use pfSense as an OpenVPN server, but rather when you use it as an OpenVPN client. In this handful of instances, users are redirecting all of their traffic to a VPN service such as Private Internet Access (PIA) or ExpressVPN. In this scenario, users reported back that their DNS was leaking after configuring the solution above.

You can handle this a number of ways. One possible solution would be to use DNS over TLS as described in Configuring Quad9 on pfSense. Another option is to go to Services -> DNS Resolver and switch the outgoing network interface to LAN only instead of all (shown below). As always, don’t forget to click ‘Save’ after making your changes.

Leaking DNS fix

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

69 thoughts on “Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL)”

    1. Did you add the whitelist recommendations? I am able to access Dropbox without issue. If whitelisting doesn’t work, you can also remove the offending list; simply go to Reports -> Alerts, find the feed with the Dropbox-related domains, and then go back to your feeds to remove it. Don’t forget to force reload after removing it. You will also probably need to flush your local DNS and/or browser cache too. These items are explained in the troubleshooting/whitelisting section if you need further guidance. Good luck!

  1. Great guide! It’s the first time I’ve felt confident in my pfBlockerNG configuration, so thanks!

    One thing, though, I’m having issues updating D_Me_Malw & D_Me_Tracking – is this common? It looks like yours was working just fine….

    1. Russell, thanks for the feedback! It looks like S3 was added to one of the blacklists, which in turn caused those feed downloads to fail (they are hosted at s3.amazonaws.com). Look at your DNSBL alerts (Reports -> Alerts -> DNSBL heading) and then whitelist one of the alerts that say s3.amazonaws.com. Go back to Update and Force/Run and you should see the download go through without issue for those feeds. Can you verify if you used the whitelist from the guide? I’m just curious if I need to add other hosts to it. Thanks!

  2. I used the pi-hole for some time and fiddled with the pfSense DNSBL time and again. Before discovering that there was a -devel update to pfBlockerNG, I tested the TLD blacklist.

    Now you see this is extremely important and it must function like the whitelist. In the older version there was a custom whitelist feature but only the tld blacklist. That bugs me to no end. Blacklisting individual sites is extremely important. I find ad serving sites that get by the blocklists all the time (or just sites that I never want to visit). Without a site blacklist I would not use the tool. I can’t understand why the author doesn’t provide a feature to blacklist sites on the same page or in the same area as the whitelist. It is perplexing.

    So I decided to search for a definition of tld blacklisting. I found someone’s answer that indicated that the tld blacklist operated like the custom whitelisting without the use of wild cards. So I tried it by putting the whole sitename in the tld blacklisting box. That worked.

    A few days later I saw this post and decided to upgrade. I immediately worried that the tld blacklist feature would be broken. To my surprise it did not fail me. It worked. I did not tick the tld option on the page as you specified.

    So, that’s good news yet I’m fearful that since this feature is so poorly documented that he might sneak Nerf it when I’m least looking. Let’s hope not because site blacklisting here is important. And I mean “here” on this page. I am aware of domain overrides. I don’t want to jump around to all over just to do what should be done where everything else blacklisting and whitelisting related is done.

    1. The TLD whitelist is only used in conjunction with the TLD whitelist and the author specifies this several times in the various infobox descriptions. That said, I’m a little confused about the TLD blacklist/whitelist working without the TLD option. I tested this extensively myself (and double/triple-checked as I was writing this walkthrough) and disabling TLD caused the TLD blacklist/whitelist to quit working every time.
      FWIW, if you want to block individual sites, you can do this without any feeds… Simply go to DNSBL -> DNSBL Feeds and then click Add. You can then name it “custom_blacklist” (or whatever you want), leave DNSBL source blank/off, select action as unbound, and then add your domains to the “DNSBL Custom_List” at the bottom. Either way, hopefully this helps!

  3. I’m running pfBlockerNG 2.2.1 and even with youtube.com and http://www.youtube.com whitelisted, YouTube was not working. I identified H3X, specifically H3X_1M, was blocking it. For now, disabling that list allowed YouTube to start working again. Have you experienced something like this?

    1. I use that particular feed in all of my installs as well. I have youtube.com and http://www.youtube.com added to my whitelists because they do end up on feeds from time to time. It appears an additional CNAME is added when whitelisted, so you might verify it is present in your whitelist. FWIW, it seems like I was in the alerts -> reports a fair amount when I originally configured DNSBL. Over time, this lessened to the point I honestly don’t know the last time I had to whitelist a domain. Hope this helps!

  4. How do I get to the blocked youtube.com site? I have added it to the whitelist, but it is still blocked. And what process makes YouTube blocked?

  5. Okay, thanks. I tried entering it in the whitelist, and the YouTube site can open.
    I have 2 questions:
    1. To block Facebook, can I use pfBlocker? I tried to put it into the TLD Blacklist / Whitelist list, but still cannot.
    2. To block mobile applications like YouTube and Facebook, should I use pfBlocker? Maybe you could give clues or something else.
    3. If I use m.youtube.com, it can still be opened.

    1. To block Facebook, this is what I’ve done in the past. Go to pfBlockerNG -> DNSBL -> DNSBL Feeds and click add. Use this github repo for the source – https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all. From there, type in something for the name and header, switch the state to on, and then switch action to unbound. It works extremely well. I haven’t tried finding/creating a YouTube blocklist, but it could be accomplished via the same means. Good luck!

      1. I can block Facebook and other social media through TLD. I will try the list you gave, thank you.

        Do you know how to create a schedule to open a blocked one at a certain time in pfblocker?

        1. Instead of using TLD, I would stick with the blocklist as previously suggested. Once your rules/aliases are created, you could modify the alias so it didn’t have “pfB_” at the beginning, which means future pfBlockerNG changes should leave it unchanged. You could then add a schedule (Firewall -> Schedule) and apply it to the associated rule.

        1. Did you perform an update once the list was added? Is the list now showing in your feeds? Last but not least, have you tested via the command line using ping or nslookup to verify the virtual IP is returned instead of the actual IP?

  6. I will try disabling and enabling pfBlocker..
    After that I check the reports tab menu (Firewall -> pfBlockerNG -> Alerts).
    On the DNSBL alerts there is no red key and ‘+’ .. what caused it… just blank

    1. Are you sure you are looking at the DNSBL section and not the IP section on the alerts page? The DNSBL entries should show the + and lock regardless. The IP entries only show the + and lock if you have suppression enabled on the IP tab.

      1. It turns out that DNSBL had not been perfectly synchronized; therefore my RAM was overloaded and the red button and ‘+’ sign did not exist.

    1. It sounds like those 2 sites are getting redirected because they are on a feed/list and causing the SSL cert error. Did you force update, flush your DNS cache, and then clear your browser cache after adding them to the whitelist? If that doesn’t work, then there might be something going on with your whitelist. You could always simply find the offending feed via reports -> alerts and then remove it from the corresponding DNSBL feed. Hope this helps!

  7. Hi,
    I just found your site looking for information on PFSENSE, PFBLOCKERNG, and PIHOLE.
    Your guides on both of those are excellent. I have been using PIHOLE for a year and a half now and I am very happy with it. However, I would like to ask if you can provide some advice on a situation I have been having recently.

    My network consists of the following – Modem, PFSENSE box, PIHOLE, WINDOWS AD DC/DNS, Windows Server FP DNS, and Clients. I originally started with the PFSENSE box doing the DHCP service and setting the PIHOLE as the DNS server for all the clients under DHCP in PFSENSE. The PIHOLE was forwarded to the Windows AD/DNS and the Windows AD/DNS would be forwarded to the PFSENSE box via the forwarders tab. This worked well.

    I decided to sign up for a VPN service. I configured the OPENVPN client, downloaded the client configuration file(s) from the provider and set it up in PFSENSE. I created aliases as I only want a couple of devices to go out the VPN connection. I have all my clients set up with static IPs on the DHCP server (PFSENSE). I have unbound enabled on PFSENSE and the forwarder option checked; under DNS General, I have a couple of DNS entries, OPENDNS and Google.
    I checked many but the one that helped a lot was this one:
    https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
    For DNS leak prevention, I went with method 1 as the second one I could not get to work. The DNS leaked. So having set this up with method one, the clients that are supposed to be behind the VPN all work no problem, but the clients that use the regular WAN connection use the same VPN DNS. When the VPN goes down, sometimes all the clients lose internet connection.

    So I started searching and asking on forums and I was given advice that it’s best to have the Windows AD/DNS set as the DNS for the clients, then on the Windows DNS under the forwarders tab, set the PIHOLE, and on the PIHOLE set OPENDNS, Google, or the VPN DNS, whatever. I switched my configuration to this now. I disabled the DHCP on PFSENSE and installed it on the Windows FP/DNS mentioned above. However, this also leaks the DNS for the two VPN devices. On the PIHOLE, if I remove those DNS entries (Google, OpenDNS, etc.) and I set the PFSENSE, then there is no more DNS leak; however, I am back to square one. The non-VPN clients use the VPN DNS.

    So now, I started researching again and a lot of people suggest that maybe giving PFBLOCKERNG a try might do the trick. This is how I ran into your guide and I would like to give it a try, but I think the way I have my network set up and the way I want it to work make it a bit hard to configure. I am missing something somewhere, I just cannot figure out what it is. It’s frustrating but I don’t give up easily. If you can provide any advice, I’d really appreciate it. If you need any more info, let me know.

    Thanks very much and apologies for the long message.
    Guicho.

    1. Guicho, sorry I’m just getting back to you. You have quite a bit going on — Windows AD, VPN, and split gateways — and it will take a bit of playing around to get it to work properly. First, I would remove the pi-hole from the setup as you suggested. I love pi-hole, but it is redundant in this scenario. Second, I would disable DHCP on pfSense and have the clients use both DHCP and DNS from the Windows server, which is recommended for AD environments anyway. I would then point my domain controller to the pfSense for the forwarding DNS. This would allow your clients to benefit from pfBlockerNG. Now here is the issue… All of your DNS traffic at this point will go through your standard gateway and the firewall isn’t going to be able to differentiate because all traffic is *originating* from the Windows DC. At this point, the only way to get around this would be to change the DNS entries on individual DHCP static leases, which would then break your AD environment. If those systems don’t need to be on AD, then go that route. Worth mentioning is to remember to not *mix* DNS servers, i.e. don’t have an AD DNS server, OpenDNS, or pfSense in the same client config. DNS servers are not queried in order so you will end up with something working one minute and then not the next. What I would suggest doing instead if you need those systems on AD is to encrypt all your DNS traffic via DNS over TLS and not worry about which gateway DNS traffic goes out. I discuss how to do this in this article, https://www.linuxincluded.com/configuring-quad9-on-pfsense/ for Quad9, although a similar config would work for Cloudflare or any other DNS provider that supports DNS over TLS. Hopefully that helps and best of luck!

  8. Hello, thank you for the guide. I have a question: when pinging a site with cmd, I don’t get the 10.10.10.1 like in the picture. I think I am getting the site IP instead. This is on a fresh pfSense 2.4.3 with pfBlocker devel 2.2.1. Not sure if I missed a step or that is normal. Can you shed light on this?

    1. If you’re getting the actual IP of the site, then either a) that site is in your local DNS cache, b) your Windows settings are not quite right, c) DNSBL is not started/enabled, or d) you don’t have DNSBL feeds enabled. From the command line, take a look at ‘ipconfig /all’ for your primary ethernet adapter. Make sure your firewall IP is both the gateway and DNS server. You can also double-check whether DNSBL is working via nslookup and then typing ‘server ‘ followed by various hostnames (from the feeds) you want to test. Hopefully that helps! If not, give me a holler back.

  9. Great write-up. Coming from DDWRT, I needed a good walkthrough like this to get me going. Easy to follow and just works unlike a lot of other tutorials I’m reading on the pfSense packages.
    Thanks!

  10. I haven’t read an article so detailed and easy to understand as this one! I just put together new firewall hardware (Xeon processor and 8G RAM) and one of the things I really use is pfBlocker.
    This, by far, is the best set of instructions ever.
    Easy to follow and well explained.
    I appreciate your effort on putting this together.
    Keep up!

  11. Hello @Dallas Haselhorst.
    I do not know where I went wrong. But my ping results on Windows still return the true IP of the server. If I ping on pfSense then it returns 10.10.10.1. I have removed Google’s DNS and OpenDNS on the DHCP server. I also assigned a static IP to the computer and set the DNS to the pfSense’s LAN IP. But it seems that things are not working as I expected.

    1. If you have pfSense responding correctly you are definitely on the right track! The most likely culprit is the local system DNS, which you already corrected to some degree with a static IP and static DNS. My guess is that your local system still has/had the DNS entry in its cache. If you are using Windows, type in ‘ipconfig /flushdns’ (minus the quotes) to clear it. You should see ‘Successfully flushed the DNS Resolver Cache’ on modern versions of Windows.

      FWIW, the static IP and static DNS aren’t necessary on the individual machine if you are using DHCP. Simply go to Services -> DHCP Server to change the DNS server assigned to your DHCP clients. You can either specify the DNS or leave it blank to use the pfSense DNS resolver unbound. To verify this setting is correct, you can run ‘ipconfig /all’ from the command line and look for the line that states ‘DNS Servers.’

      Also, you were correct in removing your other DNS entries. DNS is a little funny because it doesn’t react as you might expect — primary server, then secondary server, etc. I’ve discussed this before on other posts such as the Configuring Quad9 on pfSense post, https://www.linuxincluded.com/configuring-quad9-on-pfsense/. Read the red text on that page and it will describe this issue. Assigning “different” vendor DNS works the same at both the client and firewall level, i.e. the DNS servers are *not* queried in order.

      1. Yes. I did all the work you said above. Everything works OK. Just on my computer it does not work as expected. All Google ads are blocked very well, other advertisers almost not at all. I tried adding the host addresses of other advertisers to a hosts file but it still does not work. Although all the telephone or TV equipment inside my LAN works well.
        The hosts file that I added can block the majority of advertisers, analyzing the world here: hxxps://ketnoidamme.vn/downloads/hosts.txt

        1. If it’s blocking Google ads I would think it is working. If I ever think something isn’t working quite right, I select a handful of hostnames from the feeds and test them from the command line to ensure they return the pfBlockerNG virtual IP. Also, keep in mind that some sites now utilize “same origin” so you won’t block them.
          Last but not least, is it possible an application is using a different DNS? You might also try a Wireshark capture to determine if something is directly querying a different DNS server. For example, if you are using Firefox 62, it has DNS over HTTPS support, which means it could bypass your local DNS server. It’s an absolute shot in the dark, but Wireshark is a must when something isn’t going quite right. Good luck!

          1. Thank you for all that you have shared. Perhaps I have found something that has interfered with the DNS system on my computer. This is due to Avast’s “Real Site” DNS Custom feature of Avast Premier that I have installed. It has interfered with the DNS on my browsers. Except for Internet Explorer, it has been tested to have discovered this interesting thing.

            I want to contribute a share on the VPN Client section.
            In this case, you need to activate the DNS Server enable feature and enter the local IP address. Then the VPN client will work.

          2. I wasn’t familiar with Avast Secure DNS, but after reading about it that makes sense. I did have a one line statement about how some anti-virus packages can mess with DNS configuration settings, but I’ll expand on that a bit and mention Avast as an example. Happy to hear you figured it out!

  12. Your guide is just what I needed. Had to delete my old version and start from scratch to get it working. I have a few questions however.
    1) My Windows computer is blocking ads on yahoo.com fine but my MacBook Pro is not. I’ve checked the DNS setting and it is the IP of my pfSense firewall and have cleared the DNS cache without success. Any ideas?
    2) Do you do any geoblocking in pfBlockerNG, for example China and Russia? If so do you have recommendations?

    1. Hey Warren! Thanks for the feedback!
      1) Since other systems are working properly and you verified the settings are correct, my next check would be some software on that particular system, e.g. VPN, anti-virus, etc. I would also test from the command line and see if those results are different than your browser results. If you can’t seem to find anything, fire up Wireshark and determine where the queries are going.
      2) I don’t use geoblocking because I occasionally access sites around the world. Geoblocking is a fantastic addition *if* you know your environment extremely well and you know where your traffic goes. The few times I used it, I would block the usual suspects but I would also watch my logs to see where activity came from. For example, if I saw an increase in activity (WAN block) from France and I knew I wasn’t going to access anything in France, I would add it to my geoblock list. If I saw an increase in activity from Morocco, I would add them, etc. I used to do this by hand, but keep in mind that the new version of pfBlockerNG has the IP Block Stats by Country graph via pfBlockerNG -> Reports -> IP Block Stats to help you. I always found geoblocking ridiculously difficult to troubleshoot which is the reason I only use it in fringe cases at this point and instead opt for “stacking” block lists.

  13. Thanks Dallas, I was reinstating a/my pfSense router and was automatically working towards the ‘old’ version. This is so much easier, your howto but mostly the awesome updates by BBcan177. Loading the updates atm, looking forward to debugging the lists 😉

    1. So happy you were able to use the guide! It’s impossible to overstate the work by BBcan177. pfBlockerNG has gone from a country block list to the must-have pfSense package (both DNSBL and IP blocking). I refuse to run a pfSense firewall without pfBlockerNG. 😉

  14. Just got into pfSense last week with a purchase of a new XG-7100U and I love it. Thank you for this post. I listened to your advice – first thing I did after logging in. I also configured QUAD9 as you suggested. ALMOST all is working perfectly. Only thing is with TLD Blacklisting/Whitelisting. I used the ten TLDs from your post – and cm – but I DO go to one .biz site. The Blacklisting works perfectly. My problem is when I enter cigarplace.biz and/or cigarplace.biz/185.11.187.115 into my Whitelist – I still get blocked. I have repeatedly cleared my Safari cache and used the Mac OS X command “sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache” to clear local cache. I can leave biz out of my Blacklist but it just bugs me I can’t get it to work. Thanks again!

    1. Awesome! So happy you are making progress! Here are a few things to look at and/or try… First, did you also enable IP blocking? If you did, make sure the IP for the site is not getting blocked. Second, I recommend checking via the command line. There are just too many variables at the browser level — browser cache, possible endpoint protection issues, etc. Third, do you know if the site is aliased? For example, is a whitelist entry required for both www and the main site? Sometimes scripts or external calls are made on sites and those are a source of problems as well. Finally, have you tried the exclusion feature? Give all of that a shot and then see if the site is still showing in the reports/alerts section. Keep an eye on that as it can often give you some insights as well. I’d be happy to hear what you figure out and include it in the guide if it is relevant!

  15. Hi Dallas,
    Thank you for this interesting tutorial.
    I was not able to finish the complete procedure because I don’t have an option you apparently have on your side. In the DNSBL feeds page, the Unbound action is not an available option. I have several other ones but not “Unbound”.
    Could you tell me what I am doing wrong?
    Thank you for your feedback.

    1. Hey Denis! If unbound is a missing option, you are either not using the pfSense DNS or you have a different pfSense-based DNS server enabled. To correct this, first disable your other DNS server (since both can’t listen on UDP port 53) if you have one and then enable Unbound via Services -> DNS Resolver. I have the appropriate settings for this and others on the Quad9 pfSense guide (link below). FWIW, you don’t need to use Quad9, but I would recommend it. 😉
      https://www.linuxincluded.com/configuring-quad9-on-pfsense/

    1. Hey Daniel! There are honestly too many for me to list here. However, my selection method is pretty straightforward. I use the following DNSBL feed groups: ADs, Malicious, hpHosts, BBcan177, BBC, and Cryptojackers. I don’t use any paid feeds (arrow with exit door icon) in those selections. Last but not least, I also still add the Firehol3 list as a user defined feed although it is mostly redundant to the other feeds. If I ran a web or email server, I would also suggest the phishing group. Hope this helps!

  16. Upgraded pfSense to 2.4.4 today, upgraded to pfBlockerNG-devel, reconfigured the blocklists per your previous guide, configured DNSBL with this guide and switched pfSense DNS servers to Quad9. Seems to be firing on all cylinders. Snort working great too. All of this really makes for a wonderful browsing experience and peace of mind. I still have not dealt with the kids’ infections on their computers. All kinds of hits coming from the LAN/OPT1 side. Maybe after dinner. Thanks again Mr. Haselhorst!

  17. Very good Article. I saw BBcan107 link it on Reddit. I’ll bookmark this if anyone I know needs help setting this up. I have never had an issue using pfblocker and was surprised to see you using many of the lists that I use. I did use some of your whitelist entries! Thanks

  18. This is a fantastic guide. Bookmarked!

    I am a bit confused about the utility of having this and something like Suricata running together. Is it as simple as Suricata blocks incoming threats and this filters outgoing traffic? I noticed someone mentioned they were using this with Snort without a problem. I was using Suricata and the old pfBlockerNG. Had a few problems so wiped my pfSense box clean and started with a fresh 2.4.4 install yesterday. Now pfBlockerNG is up using this guide, I’d like to move on to getting Suricata done (but not sure if it’s that necessary). Thoughts? And btw, do you have a guide for Suricata? Just checking because you do it well!!

    1. Hey Victor! Thanks for the feedback! Unfortunately I don’t have a guide on Suricata, but I’ll add it to my list of potential future guides!
      As you know, Snort and Suricata are extremely similar as they are both IDS/IPS. I’ve played around with Suricata, but I mostly use Snort so that’s what I’ll reference to answer your question. I personally run pfBlockerNG (both DNSBL & IP blocker) as well as Snort… with a caveat. DNSBL and an IDS/IPS serve very different functions IMO and I would have no concerns running both of them concurrently. What I did find is that IP blocker (also part of pfBlockerNG) does overlap with IDS/IPS a fair amount. In fact, if you have an IDS/IPS on your WAN you’ll likely find that IP blocker handles about 99.9% of the internet cruft. In addition, for the purpose of speed/processing, packets are sent to the firewall rules (what IP blocker adds) and Snort simultaneously resulting in alerts from each of them. To my knowledge, Suricata processes the same way. As such, I’ve disabled Snort on my WAN side and instead, I have Snort running on my internal interfaces such as LAN and I’ve pared back my rulesets quite a bit. If you have numerous open ports on the WAN, I would leave the IDS/IPS enabled and only use rules specific to those open ports.
      Although it was written for the older version of pfBlockerNG, I’ve included my guide on configuring IP blocker below. I would highly recommend going through it and getting it configured in addition to DNSBL.
      https://www.linuxincluded.com/using-pfblockerng-on-pfsense/

      1. You hit the nail on the head in regards to potential redundancies between IP Blocker and the IDS/IPS system – hence my question if an IDS/IPS is necessary if I have IP blocker going ( I don’t as of now). Will check out your guide. Thanks!

  19. Hi Dallas
    Thank you for writing such an informative and easy to follow article.
    I have read it over and over again and followed every step to install on my pfSense 2.4.4.
    However, when I open a cmd box and type ping 302br.net, I get
    Reply from 69.172.216.56: bytes=32 time=331ms TTL=50
    instead of a reply from 192.168.57.1 (the virtual IP address I have entered).
    Are you able to suggest where things may have gone wrong?
    Best Regards
    Tony

    1. Tony, do other blocked domains return the virtual IP? If so, that would at least tell you that your firewall config is correct. Since you didn’t specify, here are a few items to look at. Is the virtual IP you assigned within your network scope? I don’t know if it is part of the issue or not, but the default, 10.10.10.1, is simply created as an alias for the network adapter. The only time I *don’t* use 10.10.10.1 is if I’m working on a 10.0.0.0/8 network. Check the DNS resolver on your pfSense to see if “server:include: /var/unbound/pfb_dnsbl.*conf” is in the custom options. Do you have other devices on your network that you can test? If not and you are familiar with Linux, you might download a live CD and boot it from VMware Player or VirtualBox to see if a different system works. I’ve had multiple readers report back that their endpoint protection was interfering with their pfBlockerNG config. You could also do a packet capture using Wireshark to see if your system is making DNS queries to the firewall or somewhere else. A packet capture in pfSense would accomplish the same thing. Good luck! And please report back what you find. 😉

      1. Hi again Dallas,
        Thank you once again for taking the time to answer me 🙂
        When you mentioned other blocked domains – I thought, which ones? How do I know of a blocked domain? I have only enabled the ADs and Malicious categories.
        I am using 10.x.x.x for my home network, so I have used 192.168.x.x for the virtual IP. The DNS resolver on pfSense does have “server:include: /var/… etc. in the custom options, so that’s ok.
        I have followed the article [I removed the link due to inaccuracies] to use 1.1.1.1 as DNS servers and on the dashboard I see 127.0.0.1 listed first, then 1.1.1.1 and 1.0.0.1 as the DNS servers. When I configured as the article suggests, I placed a tick at DNS Server Override (don’t know if that is causing the trouble).
        When I do an ipconfig /all on my Windows computer I see
        Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . : myhome.lan
        Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IPv4 Address. . . . . . . . . . . : 10.1.57.20(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : Tuesday, 16 October 2018 6:32:20 PM
        Lease Expires . . . . . . . . . . : Tuesday, 16 October 2018 9:32:20 PM
        Default Gateway . . . . . . . . . : 10.1.57.1
        DHCP Server . . . . . . . . . . . : 10.1.57.1
        DHCPv6 IAID . . . . . . . . . . . : 244637312
        DNS Servers . . . . . . . . . . . : 1.1.1.1
        1.0.0.1
        NetBIOS over Tcpip. . . . . . . . : Enabled
        So does that mean the pfSense box is not used for resolving DNS?
        I’ve not used Wireshark before so I will download it and work out how to use it and report back.

        Hope the above gives you some clue as to what is happening

        Best Regards
        Tony

        1. Hey Tony! Yes, your DHCP server is handing out the Cloudflare DNS to the clients directly, which isn’t necessary and won’t work for what you are trying to do. Go to Services -> DHCP Server and remove whatever you have in the DNS Servers section (steps 4 and 5 from the guide you referenced). While you are there, note the comment at the bottom “Leave blank to use the system default DNS servers: this interface’s IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.” Basically, we want the pfSense to act as the resolver and if we didn’t add those servers into the DHCP config, it would have done that by default. 😉 After you have removed those, perform an ‘ipconfig /release’ and ‘ipconfig /renew’ from the command line and make sure your DNS server is now 10.1.57.1 as well. You can then test it out again via the browser or via the command line. You’re almost there! Holler if you need anything else!

          P.S. You actually could have left the default pfBlockerNG virtual IP after all since it would have fallen outside of your network range, i.e. your /24 network is 10.1.57.X. If you used a /8 network (10.X.X.X) instead then that would not have been the case.

          1. Hi Dallas

            Thank you very much for your comment and advice.
            Yes, it worked after removing the 1.1.1.1 and 1.0.0.1.
            But how do I know pfSense is using those DNS servers and not my local ISP DNS server to resolve DNS requests?

          2. Sweet! The easiest way is to perform a packet capture on your WAN interface. If you are *not* doing DNS over TLS, you can simply go to Diagnostics -> Packet Capture, select protocol UDP, port 53, and start a capture. If you’re using DNS over TLS, that traffic occurs over TCP 853 instead so adjust accordingly. You could download the capture for analysis in Wireshark, but you should be able to see what’s going on in the capture window once you stop the capture. Below is my traffic out to Google DNS, which I use as part of my Nagios monitoring. Also, keep in mind that some devices may have hard-coded DNS entries… Google devices are notorious for this. If this annoys you (as it does me), you can add an outbound firewall rule that re-directs all DNS traffic to your firewall instead.
            19:09:58.419352 IP [MyIP].63611 > 8.8.8.8.53: UDP, length 37
            19:09:58.447900 IP 8.8.8.8.53 > [MyIP].63611: UDP, length 107
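The checks this thread keeps coming back to (is the firewall the client's DNS server per `ipconfig /all`, does a blocked hostname return the pfBlockerNG virtual IP per `nslookup`, is the virtual IP outside the LAN range) as an added, offline Python example that is not part of the original post or of pfBlockerNG itself. The `ipconfig` excerpt is Tony's from the comment above; the `nslookup` transcripts, the hostname ads.example.invalid and the resolver name pfsense.myhome.lan are constructed.

```python
"""Offline helpers for the DNSBL troubleshooting steps in the thread above: is
the firewall the client's DNS server (`ipconfig /all`), does a blocked hostname
resolve to the pfBlockerNG virtual IP (`nslookup`), is that IP outside the LAN."""
import ipaddress
import re

# `ipconfig /all` excerpt from the comment above; note the second DNS server on
# a bare continuation line, which a naive one-line-per-field parser misses.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : myhome.lan
   IPv4 Address. . . . . . . . . . . : 10.1.57.20(Preferred)
   Default Gateway . . . . . . . . . : 10.1.57.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1
"""
# Constructed Windows `nslookup` transcripts: one answer rewritten by DNSBL to
# the default virtual IP, one that still returns the site's real address.
NSLOOKUP_BLOCKED = """\
Server:  pfsense.myhome.lan
Address:  10.1.57.1

Name:    ads.example.invalid
Address:  10.10.10.1
"""
NSLOOKUP_LEAKED = """\
Server:  pfsense.myhome.lan
Address:  10.1.57.1

Non-authoritative answer:
Name:    302br.net
Address:  69.172.216.56
"""
# 'Field Name . . . : value'; the colon after a field name follows whitespace,
# which an adapter header such as 'Ethernet adapter X:' lacks.
FIELD_RE = re.compile(r"^(.*?)[ .]*\s:\s?(.*)$")

def parse_ipconfig(text):
    """Return {field: [values]} for an adapter block; multi-value fields
    (DNS Servers, Default Gateway) continue on bare, nameless lines."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FIELD_RE.match(line)
        if match:
            current, value = match.group(1).strip(), match.group(2).strip()
            fields[current] = [value] if value else []
        elif line.endswith(":"):      # adapter header starts a new block
            current = None
        elif current is not None:     # continuation line of the last field
            fields[current].append(line)
    return fields

def client_uses_firewall_dns(fields):
    """True when every DNS server handed to the client is one of its default
    gateways, i.e. the pfSense LAN address running Unbound with DNSBL."""
    gateways = set(fields.get("Default Gateway", []))
    servers = fields.get("DNS Servers", [])
    return bool(servers) and all(s in gateways for s in servers)

def parse_nslookup(text):
    """Return answer addresses from Windows `nslookup <host>` output; the leading
    Server:/Address: pair names the resolver, so only lines after Name: count."""
    answers, in_answer, in_addresses = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            in_answer, in_addresses = True, False
        elif in_answer and line.startswith(("Address:", "Addresses:")):
            value = line.split(":", 1)[1].strip()
            answers.extend([value] if value else [])
            in_addresses = True
        elif in_answer and in_addresses and line and not line.startswith("Aliases:"):
            answers.append(line)      # extra addresses come on bare continuation lines
        else:
            in_addresses = False
    return answers

def classify_lookup(answers, virtual_ip="10.10.10.1"):
    """'blocked' if every answer is the DNSBL virtual IP, 'leaked' if any real
    address came back, 'no-answer' if nothing resolved."""
    if not answers:
        return "no-answer"
    return "blocked" if all(a == virtual_ip for a in answers) else "leaked"

def virtual_ip_outside_lan(virtual_ip, lan_network):
    """The virtual IP must not fall inside the LAN: 10.10.10.1 is fine on
    10.1.57.0/24 but would shadow a real host range on 10.0.0.0/8."""
    return ipaddress.ip_address(virtual_ip) not in ipaddress.ip_network(lan_network, strict=False)

if __name__ == "__main__":
    fields = parse_ipconfig(IPCONFIG_SAMPLE)
    print("DNS servers handed out:", fields["DNS Servers"])
    print("client uses firewall for DNS:", client_uses_firewall_dns(fields))
    for label, text in (("ads.example.invalid", NSLOOKUP_BLOCKED), ("302br.net", NSLOOKUP_LEAKED)):
        print(label, "->", classify_lookup(parse_nslookup(text)))
    print("10.10.10.1 outside 10.1.57.0/24:", virtual_ip_outside_lan("10.10.10.1", "10.1.57.0/24"))
```

Paste your own `ipconfig /all` or `nslookup` output into the sample strings to run the same checks against a real client.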
