If you are using static mappings in the DHCP, I believe that one alternative to modifying unbound's custom options would be to specify DNS servers in the DHCP static mapping(s) of the host(s) that you wish to exclude from DNSBL. Of course, this is only if you're willing to use other DNS servers. For example:
e34b1368-01ba-42a4-9823-862e35fed9b7-image.png
That way, the host(s) won't use the pfSense machine for DNS at all. Note that you would need to take additional steps for this to work if you have also configured a NAT port forward to redirect any DNS requests from hosts on your LAN to unbound.

Also, keep in mind DNSBL IPs (if enabled), which are handled via firewall rules instead of unbound:
8942b15e-05a0-427a-8c20-3fc57f2a1077-image.png

If you want certain static IPs to also be excluded from this, you can set the list action to Alias Deny, as in my screen shot, and then create your own block rules that do not apply to the static IP(s) in question. Or you could leave the List Action set to one of the "Deny" options that automatically creates rules, but configure advanced rules that exclude your static IP(s):
100b1944-6399-4c4a-950b-6012b05a0edd-image.png

@BBcan177, if any of this is terrible or misguided advice, please feel free to set me straight 😉

The following PR has been created for Feed Maintenance and a change to the cURL user-agent string:
https://github.com/pfsense/FreeBSD-ports/pull/674

Please consider supporting the project:
https://www.patreon.com/pfBlockerNG

@RonpfS

Ok, so I don't use pfblocker for this at all :)

I created an alias with all the ip addresses I want to block

Under Firewall/Rules/LAN1 I created a rule
Reject
LAN1
IPv4
Any

Source Any
Destination 'Single host or alias' 'my_alias'

I placed the rule after the Pfblocker auto rules and it seems to be working but the question is if I did it correctly ?

Many thanks for the simple solution 👍

@Stewart said in Can't tell if pfBlocker is being updated:

@NogBadTheBad

I'm having to do that since I can't just whitelist the USA. I'm having to block countries that I've seen attacks on the NATed ports and am now adding in IPs that aren't being blocked by the lists. Gotta stop them somehow. Does pfBlockerNG-devel use different lists?

Create an Alias Permit rule using the US GeoIP and apply it to the NAT rules, everything else would be denied by default.

You can also add IP addresses to the IPv4 Custom_List at the bottom.

Here's how I allow SSH / SFTP to my Raspberry Pi that sits in the DMZ.

Screenshot 2019-09-19 at 16.20.39.png

Screenshot 2019-09-19 at 16.18.41.png

@NogBadTheBad Okay Brother Thanks i am using Kiwi Syslog for tracking this.

Got Ya!

Yeah, I was in a rush last night and posted in the wrong place for a start also didn't have time to search bit I shall check out the links chears.

This can be deleted by staff if need be ;)

I had already rebooted once, but I rebooted again, just as I was getting ready to do a full reinstall and was able to add back my custom options and dns is working. The 'dnsbl' line happens to fall on line 108, so I guess it was still cached?

I think everything is normal now... having been struggling with this all afternoon...

@Ojisang said in pfblockerNG Whitelist Clarification:

I wanted to add an alias in the rules using the pfblockerNG whitelist but I couldn't.

Add an Alias to the rules using the whitelist?

OK now I'm completely confused. Could you please detail, what you're trying to achieve?`To me it sounds like you're trying it the wrong way?

@Gertjan said in DNSBL - Alerts not showing IF or SOURCE:

As already said back in 2017 :

@BBcan177 said in DNSBL - Alerts not showing IF or SOURCE:

This is fixed and will be in the next release…

Install pfBlockerNG-devel

Thank you so much! I totally have forwarding on. Furthermore, I realized that specific lists were super trigger happy so I will be debugging sources one by one I guess

@jakes
Yes this will be possible with the upcoming Unbound python integration, but this "profile" feature is not currently completed. I agree that this will be a great feature to have including scheduling times for rules to apply to different profiles...

There are some screenshots and info of the upcoming version on my Patreon page: https://www.patreon.com/pfBlockerNG

Thanks for the answer.

I ended up just leaving it to run the CRON job for a day rather than forcing the update.

It cleared itself up. Sorry for the unsatisfying resolution!

@damelloman said in Pfblocker … is this normal after 3 hours of uptime:

I kept doing the wrong thing and "blocking the whole world" and didn't know HOW to do this. Thank you all for helping me understand! :) Smarter not harder!

We all as newbies did this only to learn later that it made no sense.

Solved.

Ok Thanks

:( maybe it not working with IE too?)
What dev console is saying?

@snore It depends on how many entries you want to display as well as the size of the log files.

On my pfsense I show 150 Alerts for IP and DNSBL,
I keep 100 000 lines for both IP and DNSBL log files.

It takes 10 seconds to display.

Unbound 1.9.3 will allow multiple Python modules: https://github.com/NLnetLabs/unbound/pull/6

@dragoangel That's my same thoughts as well because when I had setup mine, I didn't have to do anything special to access Google services.