Some time ago I set up my pfSense DNSBL, and I wanted to share my configuration and results.
A DNSBL (DNS black-hole list) is a list of domains that the network's resolver deliberately does not resolve correctly, answering with a sinkhole address instead of the real one, hence the "black hole".
Originally, DNSBLs prevented spam e-mails from reaching users.
In this case, I wanted to block as many ads, malvertising, etc. as possible.
YouTube Version of this Post
If you prefer a video over reading the text, then you can find the YouTube version of this post below.
pfSense DNSBL – pfBlockerNG
To start, I installed the pfBlockerNG package by going to System -> Package Manager -> Available Packages. To quote their description, “pfBlockerNG is the Next Generation of pfBlocker. Manage IPv4/v6 List Sources into ‘Deny, Permit or Match’ formats.”
Once I installed the plugin, I was able to configure it by going to Firewall -> pfBlockerNG.
I enabled the blocker, told the settings to persist, and set the cron job (the scheduled feed update) to run every 3 hours.
After I enabled the blocker, I clicked on DNSBL to configure my block list.
I enabled DNSBL, set my Virtual IP to 10.10.10.1, and kept my listening ports and interface default.
With the basic settings in place, it was time to set up my actual block list!
Selecting the DNSBL Feeds menu option and clicking “Add” allowed me to create a new DNS Group with any number of block list feeds.
I started with a number of lists from the Pi-hole ad block list.
NOTE: Do not add the Pi-hole ad block list page itself as a feed; add the URL of each individual list it links to. If you add the index page (trust me, I did at first), the feeds' own hostnames end up on the block list and you only block your router's access to the very feeds it needs to update. To fix this you will need to remove the block, clear the feeds, clear the caches, and possibly restart your router.
Once I had my feeds selected, I added them to my new DNS Group.
To test my feeds, I tried to visit an advertising site directly, and the router blocked my DNS request!
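To make the black-hole mechanism concrete, here is an added example (my own code, not pfBlockerNG's or Unbound's) of what the resolver is doing: it parses a hosts-format feed of the kind the Pi-hole lists use, answers queries for listed names with the post's Virtual IP 10.10.10.1 instead of the real address, and includes the check the note above is about, flagging feed URLs whose own hostname the list would sinkhole. The feed contents and feed URLs are constructed sample data; matching subdomains of a listed name is this example's choice, not a claim about how pfBlockerNG matches.

```python
"""Toy DNS black-hole (DNSBL) resolver: added example, not pfBlockerNG code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Sinkhole address the post configures as the DNSBL Virtual IP.
SINKHOLE_IP = "10.10.10.1"

# Constructed sample feed in hosts format, the shape of the Pi-hole lists.
# Comments, blank lines and loopback entries are typical of real feeds.
SAMPLE_FEED = """\
# constructed ad/tracker list for the example
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment
127.0.0.1 localhost
::1 localhost
0.0.0.0 raw.example-lists.test
"""

# Constructed feed URLs; the second one would be self-blocked by SAMPLE_FEED.
SAMPLE_FEED_URLS = [
    "https://lists.example.com/hosts.txt",
    "https://raw.example-lists.test/hosts.txt",
]

# Names every hosts file carries that must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_hosts_feed(text):
    """Return the set of domains a hosts-format feed wants sinkholed.

    Accepts '0.0.0.0 name', '127.0.0.1 name' and bare 'name' lines, strips
    comments, and drops the loopback/localhost entries.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # First token is an address in hosts format, or already a name.
        try:
            ipaddress.ip_address(parts[0])
            names = parts[1:]
        except ValueError:
            names = parts
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not re.fullmatch(r"[a-z0-9.-]+", name):
                continue
            domains.add(name)
    return domains


def resolve(name, blocked, real_answer):
    """Answer a query: sinkhole a listed name or any subdomain of one
    (label-wise, so 'notads.example.net' does not match 'ads.example.net'),
    otherwise hand back the real answer unchanged."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return SINKHOLE_IP
    return real_answer


def self_blocked_feeds(feed_urls, blocked):
    """Feed URLs whose own hostname the list would sinkhole: the situation
    the post's note warns about, where the blocker cuts off its own updates."""
    return [u for u in feed_urls
            if resolve(urlsplit(u).hostname, blocked, None) == SINKHOLE_IP]


if __name__ == "__main__":
    blocked = parse_hosts_feed(SAMPLE_FEED)
    print(sorted(blocked))
    print(resolve("cdn.ads.example.net", blocked, "203.0.113.10"))
    print(resolve("www.example.com", blocked, "203.0.113.20"))
    print(self_blocked_feeds(SAMPLE_FEED_URLS, blocked))
```

Running `self_blocked_feeds` over your feed URLs before enabling a new group is the cheap way to catch the mistake described in the note, since a real resolver gives no error for a sinkholed name; the feed download simply fails at the next scheduled update.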
As a bonus, I also set up ntopng for some basic visualization.
Per their package description, “ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes.”
Once I installed the package, I was able to configure it by going to Diagnostics -> ntopng Settings.
I enabled the plugin, told my settings to persist, changed the default admin password, and configured it for my LAN.
After the plugin was running, I logged in and took a look at my Talkers flow.
This was pretty neat to watch, but not anything that I see myself using for now.
Additionally, the interface chart was cool to see how much bandwidth my network was using, and when.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.