DNSBL native support?

CreationGuy

I've been playing with OPNsense and found that it's unbound has built in dnsbl where I can add lists to it. I've done that and it is not taking up the amount of RAM that it does on pfsense and pfblockerNG using default settings (Stephen blocklist) and only added this one list: https://unbound.oisd.nl/nsfw/.

Does pfsense have plants to support a native dnsbl like opnsense?

Gertjan

@creationguy said in DNSBL native support?:

Does pfsense have plants to support a native dnsbl

For DNSBL you don't need pfblocker.

Download your oisd_unbound_nsfw.txt file into (example) the /root/ folder.

Then, do what we all did before : inform unbound to use the list :

Remember : pfblockerng is nothing more then a tool that download (updates) lists.
It also handles the doubles between lists, makes stats, etc etc etc
But it does not do the actual DNSBL job : that's still unbound.

Bob.Dig

@creationguy said in DNSBL native support?:

Does pfsense have plants to support a native dnsbl like opnsense?

It took them quite a while for that GUI support... but they step up their game lately it seems.

Gertjan

@bob-dig said in DNSBL native support?:

It took them quite a while for that GUI support.

I would call pfBlockerNG-devel DNSBL GUI support ;)

Bob.Dig

@gertjan I meant the other guys.

And you have to make some kind of Suppression for your local IPs though when using IP-Block lists (not DNSBL) there, so pfBlockerNG on pfSense is still superior.

CreationGuy

Thank you, I'll give it a try. I do prefer pfsense over opnsense although it has its strong points as well.

I want to buy an appliance rather than build a new, mini computer for it to support the devs but also to reduce my power consumption. I just wish that the 4100 had more RAM, pfblockerng is such a hog.

CreationGuy

@gertjan said in DNSBL native support?:

@creationguy said in DNSBL native support?:

Does pfsense have plants to support a native dnsbl

For DNSBL you don't need pfblocker.

Download your oisd_unbound_nsfw.txt file into (example) the /root/ folder.

Then, do what we all did before : inform unbound to use the list :

Remember : pfblockerng is nothing more then a tool that download (updates) lists.
It also handles the doubles between lists, makes stats, etc etc etc
But it does not do the actual DNSBL job : that's still unbound.

If I wanted a white list, what is the process and would I be able to use regex?

Gertjan

@creationguy said in DNSBL native support?:

If I wanted a white list, what is the process

Download your list, or several lists,
Merge them,
Remove the doubles,
And then, one by one, remove all the DNSBL that you wanted to have white listed.

Or install pfblokcerng-devel, as it does exactly that for you.

regex : you need to intercept every dns request with a script. That is what the python-mode is all about.

CreationGuy

@gertjan Thanks for your preferential answer on trying to gear me in another direction. I simply wanted to know how to do this in a technical manor. I'll research else where.