pfSense DNSBL – No more ads for me!

Some time ago I set up my pfSense DNSBL, and I wanted to share my configuration and results.

A DNSBL (DNS-based blackhole list) is a list of domains that the resolver deliberately refuses to resolve to their real addresses, so traffic to them drops into a "black hole".

Originally, DNSBLs were used to keep spam e-mail from reaching users.

In this case, I wanted to block as many ads, malvertising, etc. as possible.

pfSense DNSBL - pfBlockerNG

To start, I installed the pfBlockerNG package from System -> Package Manager -> Available Packages. To quote its description, "pfBlockerNG is the Next Generation of pfBlocker. Manage IPv4/v6 List Sources into 'Deny, Permit or Match' formats."

Once I installed the plugin, I was able to configure it by going to Firewall -> pfBlockerNG.

I enabled the blocker, enabled the option to keep my settings, and set the cron job to run every 3 hours.

pfSense DNSBL - pfBlockerNG

After I enabled the blocker, I clicked on DNSBL to configure my block list.

I enabled DNSBL, set my Virtual IP to 10.10.10.1, and left the listening ports and interface at their defaults. The Virtual IP is the address that blocked domains resolve to, so pick one that is not in use anywhere on your network.

pfSense DNSBL - DNSBL

With the basic settings in place, it was time to set up my actual block list!

Selecting the DNSBL Feeds menu option and clicking "Add" allowed me to create a new DNS Group containing any number of block list feeds.

I started with a number of lists from the Pi-hole ad block list.

NOTE: Do not add the URL of the Pi-hole ad block list page itself; add each individual feed it lists. If you add the page itself (trust me, I did at first), the only thing you will block is your own access to the block list feeds. To fix it you will need to remove that entry, clear the feeds, clear the caches, and possibly restart your router.

Once I had my feeds selected, I added them to my new DNS Group.
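To make the mechanics concrete, here is an added example (my own code, not pfBlockerNG's) that models what the DNSBL does with those feeds: it parses feed text in the two common layouts (hosts format and one domain per line), flags lines that look like URLs (the mistake from the NOTE above), and then answers a query the way the resolver would, handing back the Virtual IP from the post for blocked names. The whitelist-is-exact rule and the "Enable TLD" subdomain behaviour come from the comments below; modelling the whitelist as exact hostnames is an assumption, and the feed text and upstream answers are constructed.

```python
"""Model of a DNSBL lookup as pfBlockerNG's DNSBL performs it.

Added example; it is not pfBlockerNG's code. Assumptions: feeds are in
hosts format ("0.0.0.0 name") or one domain per line, the DNSBL virtual IP
is 10.10.10.1 as in the post, and whitelist entries are exact hostnames.
"""
import ipaddress

DNSBL_VIP = "10.10.10.1"

# Constructed sample feed (not a real list). The last line is the mistake from
# the NOTE above: the URL of a feed, pasted where a domain entry belongs.
SAMPLE_FEED = """\
# hosts-format entries, the style most Pi-hole lists use
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # inline comments are ignored
# plain domain entries
telemetry.example.com
https://example.com/lists/hosts.txt
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_feed(text):
    """Return (domains, rejected): the block set plus lines that are not domain
    entries (a URL here usually means a feed index was pasted instead of a feed)."""
    domains, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "://" in line or "/" in line:
            rejected.append(line)
            continue
        parts = line.split()
        if len(parts) == 2 and _is_ip(parts[0]):   # hosts format
            name = parts[1]
        elif len(parts) == 1:                       # bare domain
            name = parts[0]
        else:
            rejected.append(line)
            continue
        domains.add(name.lower().rstrip("."))
    return domains, rejected


def is_blocked(name, blocklist, whitelist=frozenset(), tld_mode=False):
    """Decide whether a queried name falls into the black hole.

    Exact mode blocks only listed names. tld_mode (the "Enable TLD" option
    discussed in the comments) also blocks every name beneath a listed domain.
    Whitelist entries are exact (assumption), so a whitelisted parent does not
    free its subdomains, which matches the author's advice to be specific."""
    name = name.lower().rstrip(".")
    if name in whitelist:
        return False
    if name in blocklist:
        return True
    if tld_mode:
        labels = name.split(".")
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) in blocklist:
                return True
    return False


def resolve(name, blocklist, whitelist=frozenset(), tld_mode=False, upstream=None):
    """Answer a query as the DNSBL resolver would: the VIP for blocked names,
    otherwise the upstream answer (modelled here as a dict)."""
    if is_blocked(name, blocklist, whitelist, tld_mode):
        return DNSBL_VIP
    return (upstream or {}).get(name.lower().rstrip("."))


if __name__ == "__main__":
    blocklist, rejected = parse_feed(SAMPLE_FEED)
    print("blocked entries:", sorted(blocklist))
    print("rejected lines (check your feed URLs):", rejected)
    upstream = {"www.example.com": "203.0.113.10"}  # constructed upstream answer
    for q in ["ads.example.net", "cdn.ads.example.net", "www.example.com"]:
        print(q, "->", resolve(q, blocklist, upstream=upstream),
              "| TLD mode:", resolve(q, blocklist, tld_mode=True, upstream=upstream))
```

Running it shows the difference between exact matching (only `ads.example.net` is sunk) and TLD mode (`cdn.ads.example.net` is sunk as well), and the rejected-lines output is the check I wish I had run before pasting the Pi-hole index page into the feed list.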

pfSense DNSBL - Feeds

To test my feeds, I tried to visit an advertising site directly, and the router blocked my DNS request!
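Visiting a site in the browser is the quick test; for a repeatable check from a client, here is an added example (my own, not from the post) that asks the client's configured resolver for a few names and reports whether each one came back as the DNSBL Virtual IP. It assumes the client is using the pfSense box as its DHCP-provided resolver and that the VIP is 10.10.10.1 as configured above; the names in NAMES_TO_CHECK are placeholders to replace with entries you know are on one of your feeds.

```python
"""Check which names your resolver sends into the DNSBL black hole.

Added example, not from the post. Assumptions: this host uses the pfSense box
as its (DHCP-provided) DNS resolver, and the DNSBL virtual IP is 10.10.10.1 as
configured in the post. The names in NAMES_TO_CHECK are placeholders; replace
them with entries you know are on one of your feeds.
"""
import socket

DNSBL_VIP = "10.10.10.1"
NAMES_TO_CHECK = ["ads.example.net", "www.example.com"]  # placeholders


def classify_answers(addresses, vip=DNSBL_VIP):
    """Classify the IPv4 answers returned for one name.

    'blocked'  : every answer is the DNSBL VIP, i.e. the sinkhole replied
    'nxdomain' : no answer at all
    'allowed'  : at least one real address came back
    """
    addrs = [a for a in addresses if a]
    if not addrs:
        return "nxdomain"
    if all(a == vip for a in addrs):
        return "blocked"
    return "allowed"


def lookup(name):
    """IPv4 addresses the system resolver returns for name ([] when it fails)."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_domains(names, vip=DNSBL_VIP):
    """Map each name to its verdict. 'allowed' for a name you know is on a feed
    usually means this client is not using pfSense for DNS at all, or (as one
    commenter below found) the resolver is running in forwarding mode."""
    return {n: classify_answers(lookup(n), vip) for n in names}


if __name__ == "__main__":
    for name, verdict in check_domains(NAMES_TO_CHECK).items():
        print(f"{name:30s} {verdict}")
```

Because the script uses the operating system's resolver rather than a hard-coded server, a verdict of "allowed" for a listed name tells you the client itself is not being protected, which is the most common reason people later report that "nothing is blocked".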

pfSense DNSBL - Ad Blocked

ntopng

As a bonus, I also set up ntopng for some basic visualization.

Per their package description, "ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes."

Once I installed the package, I was able to configure it by going to Diagnostics -> ntopng Settings.

I enabled the plugin, told my settings to persist, changed the default admin password, and configured it for my LAN.

pfSense DNSBL - ntopng

After the plugin was running, I logged in and took a look at my Talkers flow.

pfSense DNSBL - ntopng Login

pfSense DNSBL - ntopng Talkers

This was pretty neat to watch, but not anything that I see myself using for now.

Additionally, the interface chart was a nice way to see how much bandwidth my network was using, and when.

pfSense DNSBL - ntopng traffic

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included

41 Responses to pfSense DNSBL – No more ads for me!

  1. Chrisg

    Hey Doyler, great post. Will have to check this out. Your PFSense is deployed at home? If so, is your hardware a PC or did you actually purchase the PFSense firewall?

  2. Peter

    Stupid question, but did you have to point your internal systems to the pfSense box as its DNS resolver? Do you need to change your DNSBL from “disabled” to “unbound”? Do I need to enable and configure Unbound as a forwarder or resolver of some sort?

    • Not stupid, and glad to help. Since pfSense was already my router and providing DHCP, my internal systems were already pointing to it for DNS resolution. That said, I do have DNS resolver (not Forwarder) enabled so that it can actually perform the resolution and use the DNSBL. You will need to enable and configure Unbound (this is just the name of DNS Resolver in Services -> DNS Resolver). Most of my settings are default though, so it isn’t much extra work.

  3. josh

    Hi mate, I'm wondering if you could help me; I can't seem to get it to block anything.
    Is there any chance you could add me on Skype (joshhopey)? Would be great if you could.

  4. Joel

    Hey Doyler, great write up! I’m new to pfSense so I’m a bit confused. I have Google set as my DNS Server. Should I leave that blank for my ads to be blocked or can I still use 8.8.8.8 and my ads will be blocked on my mobile devices?

    • Hi Joel,

      Thanks, and glad to help! You will need to use the DHCP provided DNS server (your pfSense box – 192.168.1.1) on all of your internal devices.

      Then, if you want to continue to use Google as your outbound DNS server, then you can set that under System -> General Setup

  5. Heads up, pfblocker now supports domain blacklists for web filtering purposes, including support for Squidblacklist.org subscribers.

    We are a subscription based service, gotta pay the bills, but we do have some free stuff for the community as well, so come on over and check it out.

  6. edward oo

    How can I just deploy on a Vultr VPS?
    I'm going to use a VPN service to block.
    Is it possible?

    Thanks

    • While you could deploy your own DNS server on Vultr, it defeats the point by then.

      First, you should only really be using a VPN service when you have to.

      That said, VPN isn’t really for ad blocking in particular, so it depends on what you’re hoping to achieve. If you do setup your own VPN service, you could setup a DNSBL of your own though.

  7. Bhaskar

    Hi There. Just got my first pfSense device today – a HP thinclient pre-loaded with pfSense 2.3.3. Super excited. Followed your instructions, DNSBL enabled, DNSBL Feeds contain a Group I created with most of the feeds you have shown. However, once enabled, (Update & Cron ran), upon testing with ‘usemax.de’, I’m not seeing it being blocked. Able to reach it just fine. What am I missing?

    • Awesome, great to hear! Hmm, there are a few possibilities. First, are you sure that that site is on one of the feeds you selected? If not, try to select a different URL that you know is on the list. Other than that, are you using your pfSense box as a DNS resolver for your client, or still hitting your ISP/Google directly?

  8. Aidan Murphy

    Hi doyler great guide, i was wondering if you know how to white list a site when using DNSBL I am able to white list stuff when just using pfblockerng but not when using the lists with DNSBL any help with this would be great.

    I must say it again GREAT guide!!

    • Hi Aidan,

      I’m glad you enjoyed the guide, and happy it helped!

      Great question, and I’ve run into that issue plenty. If you go to Firewall -> pfBlockerNG -> DNSBL you will be on the right page.

      From there, go down to “Custom Domain Whitelist” and add your sites. Note that this field doesn’t support regex, so you will need to be specific.

      • Aidan Murphy

        Worked perfectly and loved the quick reply :-)….

      • Aidan Murphy

        Any chance you know how to block YouTube ads? Even if you know a method that doesn’t involve pfsense I would be glad to hear any tips I could Google and work out for myself. I have tried a few things with pi-hole in the past but could never get anything working.

        • In theory you might be able to block *.googlevideo.com, but I have never tried it myself.

          That said, I’m not sure if I’m even getting ads on YouTube currently, but I’ll try to pay more attention.

          • Aidan

            Sorry for doing your head in, but I have tried a few things now to get the amazon shopping app for android to work any chance you have any idea what to whitelist to get it working?

            Also I found a list that blocks YouTube ads. In case anyone else wants to block YouTube ads, just add this to the DNSBL feeds:

            https://raw.githubusercontent.com/kbinani/adblock-youtube-ads/master/signed.txt

            It worked for me

          • No problem, and glad to help.

            I forget exactly what you need to unblock since I normally just use the web version. That said, the easiest thing to do in this case is to go to the logs and view the dnsbl.log file. This will show you what was blocked most recently, and you can start white-listing via that!

            Awesome, thanks, I’ll have to give it a try if they aren’t already there.

  9. Alberto

    Good morning,
    is it possible to add categories also from shalla or ut1?

    thanks Alberto

  10. Michael Weyant

    Okay I just wanted to throw this out there. Here is a collection of lists that are well vetted and up to date. https://isc.sans.edu/suspicious_domains.html

  11. I cannot get pfBlockerNG to work. First I loaded a page while using pi-hole in its own browser tab. I then changed DNS from pi-hole to my pfsense server and then opened the same page in a new tab.
    pi-hole pages has blank areas where ads would have been
    pfBlockerNG has the original ads.

    I added the lists from pi-hole “adlists.default” to pfBlockerNG one by one, and then force updated. I watched the update log go through each list and load it, then it restarted Unbound.

    As far as I can tell, everything is enabled.
    pfBlockerNG is enabled
    DNSBL is enabled
    DNS Resolver is enabled ( and working )
    *** note that my DNS Resolver has this option checked “DNS Query Forwarding Enable Forwarding Mode” is this the problem?

    • Nm, that was the problem! I’m on Day 2 of using pfSense and I’m finding that it’s a great investment of my time. For the record I’m running it on the Netgate SG-3100 with pfSense 2.4.1.

      • Sorry for the late reply, back to back on-site engagements for clients!

        Great, I’m glad you figured out the problem and that it is now working for you. Did you pick up the Netgate from eBay, or somewhere else? How are you liking running it on that device?

  12. Pat

    Thanks for taking the time to build this blog post dude. I’ve got DNSBL on my pfSense running now.

  13. Tom

    I never got this thing working after spending two full days on it. It doesn’t play nicely with OpenVPN. The two modules basically hate each other. AdGuard actually works better anyway as it attempts to fix the formatting of the page after it removes the ads.

    In fact, I actually gave up using pfSense as a system-wide filter. My house is full of wifi tech including the lighting, fans, audio, televisions, security, locks, thermostat and Echo Dots for voice control. Throwing pfSense into the mix was disastrous. Every time I got close to fixing one thing, two other things would break. LOL. I almost jumped off the balcony. I finally pulled the pfSense box out of the main line and put it where it needed to be: the wired units that are exposed and cannot protect themselves well, namely the TV streaming systems. Sure, the computer needs a firewall, but running it locally means I can turn it off when it is not working properly.

    • I haven’t actually tried with OpenVPN, but it should work just fine out of the box. Never used AdGuard, but that sounds like a nice feature at least.

      Haha, IOT devices are one of the reasons that I WANTED DNSBL/pfSense (blocking all of the garbage that they are sending back). That seems like a reasonable setup though, and glad it works!

  14. J.G

    I’m having an issue with a website where the comment section is not loading. If you have pfblocker active go to politico.com and try to load the comment section of every article and you will see that it will not work.

    Ads are being blocked fine, but I just need the comments section to load properly.

    Any help is appreciated

    • Hi!

      You are likely experiencing this issue due to something (possibly ads or a 3rd party library) being blocked by pfBlocker.

      I am away from my pfSense installation for a bit, but I will try to walk you through the steps for troubleshooting and fixing this issue. I’ve run into it on a few sites, and it is normally not too bad to fix.

      In this case, what I normally do is go to the pfBlocker -> dnsbl.log file under “Logs”. Once you see what is being blocked on that page that is important, you can add that domain (no wildcard) to your pfBlocker Whitelist (towards the bottom of the settings page).

      Once you do that, you can reload your lists under “Sync” and the page should work just fine. If that doesn’t work or help, then I’ll gladly post a tutorial on it once I get back!

  15. “Enable TLD (BETA)”

    Turning this on may help with domain-based DNS blocking.

    Ex:
    facebook.com

    blocks facebook.com, http://www.facebook.com, jp.facebook.com, tw.facebook.com

    Thanks for your share, really helps!

    • Definitely an option, but can also cause some speed/performance issues. That, and I don’t want to mess with more white-listing than I need to!

      Thanks, and glad to help.

  16. Glen

    I have followed your instructions and I’m unable to get to certain sites. Where do I check to see if I’m being blocked by one of the lists?
