Netgate Discussion Forum
    Can pfBlocker Sinkhole an Address? Domain Overrides?

    Category: pfBlockerNG. 17 posts, 3 posters, 2.5k views.
    • Bob.Dig (LAYER 8), replying to @coffeecup25:

      @coffeecup25 First you could delete the VIPs created by pfBlocker and see if this helps you. But they will be recreated by update reload or maybe even at every update.

      • coffeecup25, replying to @Bob.Dig:

        @Bob-Dig Thanks, but I am looking for something as seamless as I had it with pi-hole.

        I have my new pfSense router installed and working. It's a new 2.5 Gb i226 Chinese PC. I had a Shuttle DS68U a while ago and replaced it with a TP-Link ER605, which is a nice router. Simple, but it does the job, mostly. I went back to pfSense because I needed failover from Hyper-V Ubuntu Server Pi-hole. Also, I like having more than 1 admin with pfSense. Pi-hole has a much nicer interface, however.

        Now I have Hyper-V / Pi-hole failing over into pfBlockerNG. A nice temporary fix.

        I'll configure the new pfSense PC for a while, then build an R&D home server with Linux. If it does the job I need I will replace both Windows home servers and be done with them as too unreliable.

        • Bob.Dig (LAYER 8), replying to @coffeecup25:

          @coffeecup25 said in Can pfBlocker Sinkhole an Address? Domain Overrides?:

          @Bob-Dig Thanks, but I am looking for something as seamless as I had it with pi-hole.

          Have you tried Host Overrides? I don't know if they have a higher priority than what pfBlocker does.

          • coffeecup25, replying to @Bob.Dig:

            @Bob-Dig

            Not Host Overrides yet. I'll look into it. Thanks.

            Also, I added point 3 above a minute ago. Whitelisting the offenders in pfBlockerNG will hopefully allow the LAN Rule to do the same thing. Sorry.

            • Bob.Dig (LAYER 8), replying to @coffeecup25:

              @coffeecup25 I just tried it and it worked, for now. No pfBlocker webpage is delivered, a timeout occurs instead. That seems to be what you want.

              [Screenshot: Capture.PNG]

              • coffeecup25, replying to @Bob.Dig:

                @Bob-Dig

                Thanks a lot. This could be a big deal for all pfBlockerNG users who use Roku and hate all the pollution Roku adds to LAN traffic.

                • Bob.Dig (LAYER 8), replying to @coffeecup25:

                  @coffeecup25 said in Can pfBlocker Sinkhole an Address? Domain Overrides?:

                  who use Roku and hate all the pollution Roku adds to LAN traffic.

                  I never heard of that problem, maybe there are other ways to cope with this.

                  • coffeecup25, replying to @Bob.Dig:

                    @Bob-Dig

                    A review of your block logs will show lots and lots of calls to a select few Roku addresses. pfBlockerNG logs are not as clear as Pi-hole logs nor as comprehensive. Pi-hole shows blocked and passed DNS queries. pfBlockerNG only shows blocked, although that should be enough for this purpose.

                    Most people don't care, I assume, if the network works OK. But Pi-hole's more comprehensive logs show how badly Roku pollutes the LAN. I never saw it until I switched over to Pi-hole a few years ago.

                    AdGuard Home has nice-looking screens, but my short visit to AdGuard Home showed Pi-hole was more granular, just not as pretty.

                    If I get the Linux servers working (one main home server and one for backup) then Pi-hole should be rock solid compared to using a Hyper-V VM. pfBlockerNG will be for last-line failover. Under Hyper-V, both Pi-hole servers failed and the network went down. Never again. Hyper-V is nice, but Windows makes it too unreliable with all the ads it pushes as it forces unattended reboots.

                    • michmoor (LAYER 8, Rebel Alliance), replying to @Bob.Dig:

                      @Bob-Dig yeah. Same.
                      I'll be honest with you, I've never had a problem on my LAN blocking Roku telemetry. Nothing is slow. Monitoring shows traffic avg around 120Mb each day. Guess I'm... lucky? 🤷🏽

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      • coffeecup25, replying to @michmoor:

                        @michmoor

                        I agree that the Roku blocked-address flood does not slow things down noticeably. But it's pollution when you can see a list of every address passed or blocked during a set time period, especially if you have more than 1 Roku device in the house. A large percentage of the entire LAN traffic is a select few Roku blocked addresses for a few seconds all day long. Pi-hole even gives out '1000 DNS query warnings' sometimes on my LAN, or at least did until I figured out how to trick Roku. I eliminated about 10,000 queries a day by redirecting a few addresses.

                        However, this flood is not obvious when all you see are blocked addresses. By being able to see passed addresses, and by reducing Roku DNS pollution, I can easily see which ones should be blacklisted individually when problems occur, along with which blocks are way too aggressive.

                        • Bob.Dig (LAYER 8), replying to @coffeecup25:

                          @coffeecup25 You could enable "DNS Reply Logging" in pfBlocker for that.

                          • coffeecup25, replying to @Bob.Dig:

                            @Bob-Dig

                            Following is my final solution. It appears to work well.

                            The problem to solve: pfBlockerNG blocked many addresses repetitively. It appears that 80% of the blocks came from 20% of the DNS addresses. I considered that as pollution. Streaming TV is the worst offender.

                            The objective: Continue blocking these addresses, but take them out of pfBlockerNG so lists show everyone except the usual suspects.

                            The solution:

                            1. Identify the polluting DNS addresses and put them in an alias.
                            2. Create a LAN rule that blocks the addresses in the alias from ever leaving the network.
                            3. Whitelist the offenders in pfBlockerNG so the LAN rule gets them instead.

                            Blocking still works very well and pfBlockerNG is bypassed entirely for those addresses.

                            You must reload DNSBL after these changes for pfBlockerNG to know about them.

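Step 1 of the solution above (finding the few names that account for most of the blocks) as an added example; this is not code from the thread or from pfBlockerNG. It counts blocked domains in a DNS block log and returns the smallest set of top domains whose blocks reach a chosen share (80% by default), formatted one host per line for pasting into a pfSense alias. The log column layout and the sample lines are constructed assumptions; adjust the field index for the real pfBlockerNG log format.

```python
from collections import Counter

# Constructed sample log. The column layout (timestamp, client IP, blocked
# domain, list name) is an assumption for this example, not the real
# pfBlockerNG dnsbl.log layout. Domains are placeholders.
SAMPLE_LOG = "\n".join(
    f"2024-05-01 10:00:{i:02d},192.168.1.{20 + i % 2},{dom},DNSBL-ads"
    for i, dom in enumerate(
        ["telemetry.streamer.example"] * 5
        + ["metrics.streamer.example"] * 3
        + ["ads.tracker.example", "beacon.other.example"]
    )
)

DOMAIN_FIELD = 2  # index of the blocked-domain column (assumption, see above)


def parse_blocked_domains(log_text: str) -> Counter:
    """Count blocked domains, skipping blank or malformed lines."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) <= DOMAIN_FIELD or not fields[DOMAIN_FIELD]:
            continue
        counts[fields[DOMAIN_FIELD].lower()] += 1
    return counts


def top_offenders(counts: Counter, share: float = 0.8) -> list:
    """Smallest prefix of the most-blocked domains covering `share` of all blocks."""
    total = sum(counts.values())
    chosen, seen = [], 0
    for domain, n in counts.most_common():
        chosen.append((domain, n))
        seen += n
        if total and seen / total >= share:
            break
    return chosen


def alias_lines(offenders: list) -> str:
    """One host per line, ready to paste into a pfSense host alias."""
    return "\n".join(domain for domain, _ in offenders)


if __name__ == "__main__":
    hits = parse_blocked_domains(SAMPLE_LOG)
    for domain, n in top_offenders(hits):
        print(f"{n:5d}  {domain}")
    print(alias_lines(top_offenders(hits)))
```

After the alias exists, steps 2 and 3 (the LAN block rule on the alias and the pfBlockerNG whitelist, followed by a DNSBL reload) are done in the pfSense GUI as the post describes.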
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.