edit : I found this post, created hours ago, not posted. So I finished it up and posted.
Basically, what @SteveITS said above ^^
@cburbs said in PfBlocker and Paramount +:
Like : when the device asks for host name to be resolved, like an add server, this host name will now be avaible ... for all your LAN devices, as it's now part of the resolver's cache.
Ones a host name is white listed, it will be whitelist for all your LAN network devices.
The "use the pfBlockng Python Group Policy" function (list with requesting IPs) will short circuit the DNSBL handling.
Example :
A device wants to resolve "horrible-add-server.com", so it sends a request to the upstream DNS, pfSense = unbound.
Unbound will receive the requests, and checks its local cache if it wasn't already resolved = locally known. If it is, answer is returned straight away to the requesting LAN device. Take note : no DNS resolving was needed, a cache hit will return the answer direct.
If the host name "horrible-add-server.com" isn't available locally, the resolve process kicks in.
It's this process that first calls a local unbound plugin = our pfBlockerng script. The plugin interface doesn't use shell, PHP, LUA, or a binary, no, it uses Python. hence the name 'Python mode'.
This Python script starts by checking if the requester is listed under "Python Group Policy", and if it is, "Ok" is returned right away : resolving starts and the answer is return to the requesting device.
Take note : and the answer is placed in the local unbound cache.
Now you understand that if a whitelisted "Python Group Policy" that will request "horrible-add-server.com" will make the resolved result avaible to all LAN networks.
... and this is why I wish a knew of a way to just do exclusions for a single device.
I think there is.
It's called "views".
Go here : Services > DNS Resolver > General Settings and look at this page from top tho bottom.
( Have a look at the Advanced Settings page )
The good news is the bad news. Read this ....
And now you know there are more possibilities - waaaay more possibilities.
Probably most of the are accessible with this :
[image: 1764832409373-d62cadd5-b3a4-4fa8-91c0-d67b73c498ee-image.png]
Like the good old days : you have to create your own 'extended unbound config', and you'll need the manual.
You'll discover that 'views' exist, so you can use these to have unbound work for differently on a network (LAN) level and even device level - never tested this myself though, but others did.
Some examples are present here on this forum.
So, you want special things 'just for you' : that's ok, but you have to go outside of what the pfSense (and pfBlockerng) GUI can do for you. A GUI can only offer a small percentage of all the available possibilities (of unbound).
