@Gertjan Just a friendly poke -- I took your post as "funny, as it is meant to be" - others it appears, assumed you were serious about avoiding it because it is "free". I'm a "paid free" user as well, with real netgate gear, but that wasn't the point. The person raising the question has a configuration (or other issue) it has nothing to do with it being product or list being "free" or "spam".

@chrcoluk Yep. Is known : Problem with Python Group Policy - Cached Domains

Hit the same issue myself, everything ran fine for years, but two things happened. Letting neighbour use my network currently, as they got no broadband, and they have a TV that is absolutely unreal in terms of DNS traffic, hence recently all me doing stuff on pfblockerng. Decided to change pfblockerng cron from hourly to daily as I had nothing updating more often than daily anyway. This combination seems to have unsettled the pfblockerng web server, I wouldnt personally call this a sinkhole as its a webserver responding to requests, a sinkhole is a null route like replying with 0.0.0.0. Obvious solution is to stop using the VIP filtering, if that keeps all the dnsbl logging then no issue, but I read in the thread VIP, stats only accrue from VIP traffic. I see a ton of states in fin wait, so looking to see if the time outs can be reduced, seeing also if the web server is actually caching content or fetching its index from storage every time. I see its configured with 4096 bit keys, over kill for this sort of thing and also a top end EC. The index.php seems to be deliberatly configured to not cache, but I can see why, as its used for logging stuff, which would break if cached by the client, I think I will just move some stuff of the web server.

I have made an observation with the speedtest android app, it looks like it does sneaky DoH queries to bypass your network's DNS, after I added a DoH blocklist, the app will report connectivity issues with the go button a red colour, however any tests still run fine, so it does fall back to system DNS.

@UncleBilly Ah, right! Apologies for the unproofed reply. The infoblocks are always key wherever they appear.

@Bob-Dig Super; thank you for taking the time to help. This has been driving me bananas.

@Antibiotic I assume, you're talking about a VPN service provider to access the internet. So yes, then you have to select your LAN. pfBlockerNG adds rules for outbound traffic to the internal interface, e.g. LAN, likewise as you manually can restrict the outbound traffic by rules.

@Antibiotic Oh, sorry finally found this option. Can close this question))

@ephedan In short, pfsense is not a content filtering device. pfblocker is very limited in this regards in that there are not per interface dnsbl rules. Any vlan that uses pfsense for DNS is subject to the same content policy on pfblockerng. If this is a home situation, my advice would be to use Adguard or Pihole which has greater functionality.

@aivxtla Here you are: s3.amazonaws.com s3-1.amazonaws.com # CNAME for (s3.amazonaws.com) .github.com .githubusercontent.com github.map.fastly.net # CNAME for (raw.githubusercontent.com) .gitlab.com .sourceforge.net .fls-na.amazon.com # alexa .control.kochava.com # alexa 2 .device-metrics-us-2.amazon.com # alexa 3 .amazon-adsystem.com # amazon app ads .px.moatads.com # amazon app 2 .wildcard.moatads.com.edgekey.net # CNAME for (px.moatads.com) .e13136.g.akamaiedge.net # CNAME for (px.moatads.com) .secure-gl.imrworldwide.com # amazon app 3 .pixel.adsafeprotected.com # amazon app 4 .anycast.pixel.adsafeprotected.com # CNAME for (pixel.adsafeprotected.com) .bs.serving-sys.com # amazon app 5 .bs.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com) .bsla.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com) .adsafeprotected.com # amazon app 6 .anycast.static.adsafeprotected.com # CNAME for (static.adsafeprotected.com) google.com www.google.com youtube.com www.youtube.com youtube-ui.l.google.com # CNAME for (youtube.com) stackoverflow.com www.stackoverflow.com dropbox.com www.dropbox.com www.dropbox-dns.com # CNAME for (dropbox.com) .adsafeprotected.com control.kochava.com secure-gl.imrworldwide.com pbs.twimg.com # twitter images www.pbs.twimg.com # twitter images cs196.wac.edgecastcdn.net # CNAME for (pbs.twimg.com) cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com) cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com) cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com) cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com) cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com) cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com) .pfsense.org .netgate.com

Google tag manager might be causing this as it gets blocked a lot, it might be required now as a whitelisted item, can anyone confirm this?

@Gertjan I do have the MAXMind ID set up. How do I apply the same settings to inbound access rules, such as VOIP, and IIS,?