Blocking Ransomware download Domains
-
Using the DNS forwarder with domain override will do the job? Is it a proper way?
https://ejnetwork.wordpress.com/2014/08/04/blocking-domains-with-pfsense-using-dns-forwarder/ -
You could create a dummy DNS entry for that host name. Point it to some unused RFC 1918 address. Then it won't go anywhere else.
-
You could create a dummy DNS entry for that host name. Point it to some unused RFC 1918 address. Then it won't go anywhere else.
Where to create the entry?
-
Ok, got it this way:
https://forum.pfsense.org/index.php?topic=132892.msg730573#msg730573 -
Ok, got it this way:
https://forum.pfsense.org/index.php?topic=132892.msg730573#msg730573That shows how to force DNS requests to the firewall. Once there, you have to provide an address or the request will use the address provided from whatever DNS you use. On the DNS Resolver and Forwarder pages, you can use host overrides to assign the dummy address to the host name.
-
Proper "poor man's" way would be creating host override DNS entry in Resolver/Forwader and pointing to your local web server (with 'french-cooking.com' vhost). That way you:
- will impede dropper from obtaining it payload
- will know (from access logs on your web server) if you have infected machines on your network.
Real proper way would be implementing IDS/IPS system, but that is another story how to do.
-
https://ransomwaretracker.abuse.ch/ has DNS and IP blocklists that you can automatically import into the pfBlocker plug-in, which will create and update aliases, which can then be used in your firewall block rules for ingress and egress.
-
Thank you Guys.
https://ransomwaretracker.abuse.ch/ has DNS and IP blocklists that you can automatically import into the pfBlocker plug-in, which will create and update aliases, which can then be used in your firewall block rules for ingress and egress.
I know its off-topic, but can i safely install/use the latest pfBlocker plugin (2.1.1_8) for an older pfsense release (2.3.2-RELEASE)?
-
This post is deleted! -
@Finger79
I get a 503 error when hitting https://ransomwaretracker.abuse.ch/ from pfBlockerNG and the web. Temporarily down? Are there other ransomware tracking feeds for pfB? I didn't see any that specifically listed ransomware.
