pfSense DNSBL – No more ads for me!

Some time ago I set up my pfSense DNSBL, and I wanted to share my configuration and results.

A DNSBL (DNS block list, or DNS black-hole list) is a list of domains that the application/network deliberately does not resolve to their real addresses, hence the “black-hole”.

Originally, DNSBLs were used to keep spam e-mail from reaching users.

In this case, I wanted to block as many ads, malvertising, etc. as possible.

pfSense DNSBL – pfBlockerNG

To start, I installed the pfBlockerNG package by going to System -> Package Manager -> Available Packages. To quote their description, “pfBlockerNG is the Next Generation of pfBlocker. Manage IPv4/v6 List Sources into ‘Deny, Permit or Match’ formats.”

Once I installed the plugin, I was able to configure it by going to Firewall -> pfBlockerNG.

I enabled the blocker, told the settings to persist, and set the cron job to run every 3 hours.

pfSense DNSBL - pfBlockerNG

After I enabled the blocker, I clicked on DNSBL to configure my block list.

I enabled DNSBL, set my Virtual IP to 10.10.10.1, and kept my listening ports and interface default.

pfSense DNSBL - DNSBL

With the basic settings in place, it was time to set up my actual block list!

Selecting the DNSBL Feeds menu option and clicking “Add” allowed me to create a new DNS Group with any number of block list feeds.

I started with a number of lists from the Pi-hole ad block list.

NOTE: Do not put a link to the Pi-hole ad block list index page itself, but rather to each individual feed it lists. If you link the index page (trust me, I did at first), you will only block your own access to the actual block list feeds in question. To fix this you will need to remove the block, clear the feeds, clear the caches, and possibly restart your router.

Once I had my feeds selected, I added them to my new DNS Group.

pfSense DNSBL - Feeds
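As an added example (not code from the post or from pfBlockerNG), here is a small Python helper that parses feed entries the way a DNSBL consumer would, flags URL lines that are the symptom of the index-page mistake from the NOTE above, lists the feed hosts that would be cut off, and applies an exact-match whitelist like the Custom Domain Whitelist discussed in the comments. The sample feed, its domains and the parsing rules are constructed assumptions; pfBlockerNG's own parser is not reproduced here.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed sample feed: hosts-format lines, a bare domain, a comment, and one URL
# line, the symptom of adding the Pi-hole index page as a feed (see the NOTE above).
SAMPLE_FEED = """\
# Title: constructed sample ad list (not a real feed)
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # hosts-format entry with trailing comment
usemax.de
https://raw.githubusercontent.com/example/list/master/hosts
"""

# Conservative hostname syntax: labels of letters, digits and hyphens, at least one dot.
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_feed(text):
    """Return (blocked_domains, url_lines). URL lines are reported rather than
    silently dropped: they are the sign that a list index was added, not a feed."""
    domains, urls = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop comments, normalise case
        if not line:
            continue
        if "://" in line:
            urls.append(line)
            continue
        parts = line.split()
        # hosts format is "<sink ip> <domain>"; otherwise the line is a bare domain
        cand = parts[1] if len(parts) >= 2 and _is_ip(parts[0]) else parts[0]
        if HOST_RE.match(cand):
            domains.add(cand)
    return domains, urls

def feed_hosts_at_risk(urls):
    """Hosts that serve the feeds themselves; sinkholing them cuts off list updates."""
    return sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

def apply_whitelist(domains, whitelist):
    """Exact-match whitelist only: a wildcard such as '*.example.net' matches nothing."""
    allowed = {w.strip().lower() for w in whitelist}
    return {d for d in domains if d not in allowed}
```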

To test my feeds, I tried to visit an advertising site directly, and the router blocked my DNS request!

pfSense DNSBL - Ad Blocked

ntopng

As a bonus, I also set up ntopng for some basic visualization.

Per their package description, “ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes.”

Once I installed the package, I was able to configure it by going to Diagnostics -> ntopng Settings.

I enabled the plugin, told my settings to persist, changed the default admin password, and configured it for my LAN.

pfSense DNSBL - ntopng

After the plugin was running, I logged in and took a look at my Talkers flow.

pfSense DNSBL - ntopng Login

pfSense DNSBL - ntopng Talkers

This was pretty neat to watch, but not anything that I see myself using for now.

Additionally, the interface chart was a nice way to see how much bandwidth my network was using, and when.

pfSense DNSBL - ntopng traffic

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included

25 Responses to pfSense DNSBL – No more ads for me!

  1. Chrisg

    Hey Doyler, great post. Will have to check this out. Your PFSense is deployed at home? If so, is your hardware a PC or did you actually purchase the PFSense firewall?

  2. Peter

Stupid question, but did you have to point your internal systems to the pfSense box as its DNS resolver? Do you need to change your DNSBL from “disabled” to “unbound”? Do I need to enable and configure Unbound as a forwarder or resolver of some sort?

    • Not stupid, and glad to help. Since pfSense was already my router and providing DHCP, my internal systems were already pointing to it for DNS resolution. That said, I do have DNS resolver (not Forwarder) enabled so that it can actually perform the resolution and use the DNSBL. You will need to enable and configure Unbound (this is just the name of DNS Resolver in Services -> DNS Resolver). Most of my settings are default though, so it isn’t much extra work.

  3. josh

Hi mate, I'm wondering if you could help me. I can't seem to get it to block anything.
    Is there any chance you could add me on Skype (joshhopey)? It would be great if you could.

  4. Joel

    Hey Doyler, great write up! I’m new to pfSense so I’m a bit confused. I have Google set as my DNS Server. Should I leave that blank for my ads to be blocked or can I still use 8.8.8.8 and my ads will be blocked on my mobile devices?

    • Hi Joel,

      Thanks, and glad to help! You will need to use the DHCP provided DNS server (your pfSense box – 192.168.1.1) on all of your internal devices.

Then, if you want to continue to use Google as your outbound DNS server, you can set that under System -> General Setup.

  5. Heads up, pfblocker now supports domain blacklists for web filtering purposes, including support for Squidblacklist.org subscribers.

    We are a subscription based service, gotta pay the bills, but we do have some free stuff for the community as well, so come on over and check it out.

  6. edward oo

How can I just deploy this on a Vultr VPS?
    I'm going to use a VPN service to block.
    Is it possible?

    Thanks

    • While you could deploy your own DNS server on Vultr, it defeats the point by then.

      First, you should only really be using a VPN service when you have to.

      That said, VPN isn’t really for ad blocking in particular, so it depends on what you’re hoping to achieve. If you do setup your own VPN service, you could setup a DNSBL of your own though.

  7. Bhaskar

Hi there. Just got my first pfSense device today – an HP thin client pre-loaded with pfSense 2.3.3. Super excited. Followed your instructions, DNSBL enabled, DNSBL Feeds contain a Group I created with most of the feeds you have shown. However, once enabled (Update & Cron ran), upon testing with ‘usemax.de’, I’m not seeing it being blocked. Able to reach it just fine. What am I missing?

    • Awesome, great to hear! Hmm, there are a few possibilities. First, are you sure that that site is on one of the feeds you selected? If not, try to select a different URL that you know is on the list. Other than that, are you using your pfSense box as a DNS resolver for your client, or still hitting your ISP/Google directly?

  8. Aidan Murphy

Hi doyler, great guide. I was wondering if you know how to whitelist a site when using DNSBL. I am able to whitelist stuff when just using pfBlockerNG, but not when using the lists with DNSBL. Any help with this would be great.

    I must say it again GREAT guide!!

    • Hi Aidan,

      I’m glad you enjoyed the guide, and happy it helped!

      Great question, and I’ve run into that issue plenty. If you go to Firewall -> pfBlockerNG -> DNSBL you will be on the right page.

      From there, go down to “Custom Domain Whitelist” and add your sites. Note that this field doesn’t support regex, so you will need to be specific.

      • Aidan Murphy

        Worked perfectly and loved the quick reply :-)….

      • Aidan Murphy

        Any chance you know how to block YouTube ads? Even if you know a method that doesn’t involve pfsense I would be glad to hear any tips I could Google and work out for myself. I have tried a few things with pi-hole in the past but could never get anything working.

        • In theory you might be able to block *.googlevideo.com, but I have never tried it myself.

          That said, I’m not sure if I’m even getting ads on YouTube currently, but I’ll try to pay more attention.

          • Aidan

Sorry for doing your head in, but I have tried a few things now to get the Amazon shopping app for Android to work. Any chance you have any idea what to whitelist to get it working?

Also, I found a list that blocks YouTube ads. In case anyone else wants to block YouTube ads, just add this to the DNSBL feeds:

            https://raw.githubusercontent.com/kbinani/adblock-youtube-ads/master/signed.txt

            It worked for me

          • No problem, and glad to help.

            I forget exactly what you need to unblock since I normally just use the web version. That said, the easiest thing to do in this case is to go to the logs and view the dnsbl.log file. This will show you what was blocked most recently, and you can start white-listing via that!

            Awesome, thanks, I’ll have to give it a try if they aren’t already there.

  9. Alberto

Good morning,
    is it possible to add categories also from Shalla or UT1?

    thanks Alberto

  10. Michael Weyant

    Okay I just wanted to throw this out there. Here is a collection of lists that are well vetted and up to date. https://isc.sans.edu/suspicious_domains.html
