Netgate Discussion Forum
    Custom DNSBL block list for specific hosts

    pfBlockerNG
      Zhigre

      Hi all,

      Apologies for my ignorance, I'm very new to pfsense and pfblockerng.

      For reference I'm running 2.7.0 which is apparently the latest version.

      I am trying to create a custom block list using DNSBL.
      I want to be able to create a custom DNSBL block list and assign it to specific hosts on my network.

      So far I have:

      • Created an alias with the host's static IPs assigned to it.
      • Created a new DNSBL Group and added the domains I want to block to the DNSBL Custom_List at the bottom.

      I assumed my next step would be to enable the custom list in the Feeds tab but it doesn't show up in the Unknown user defined Feeds section.

      I think where I'm going wrong is in the DNSBL Group settings under DNSBL Source Definitions.
      I have only added firebog DNSBL lists before by specifying the URL but I don't know how to direct pfblockerng to use the list of domains in the custom list at the bottom of the page, rather than look for a URL or local .txt file.

      Once I've figured this part out, then I'll also need help understanding how to apply this DNSBL block list to the alias I created earlier with the specific IPs I want to use the block list on.

      Any help is much appreciated.
      Cheers,
      Zhigre.

        tinfoilmatt @Zhigre

        @Zhigre said in Custom DNSBL block list for specific hosts:

        I don't know how to direct pfblockerng to use the list of domains in the custom list at the bottom of the page

        you don't need to. if domains are specified using the proper syntax in the DNSBL Custom_List box, they will be parsed by the pfb_dnsbl service for that DNSBL Group. (you can optionally include additional DNSBL Source Definitions by URL or local file—or simply leave that section blank.) if the Action for that DNSBL Group is then set to "Unbound", any/all parsed domains for that DNSBL Group, including those specified in the DNSBL Custom_List, will be blocked.

        I'll also need help understanding how to apply this DNSBL block list to the alias I created earlier with the specific IPs I want to use the block list on.

        not possible. DNSBL is applied to unbound, i.e. the 'built-in' DNS Resolver. any clients that use said resolver will be subject to any configured DNSBL.

        Python Group Policy under DNSBL tab is the only DNSBL configuration that can selectively disable DNSBL for explicitly-defined IP addresses. you might consider this most-restrictive approach where all hosts on your network configured to use the DNS Resolver are subject to configured DNSBL unless specifically excepted.

          Zhigre @tinfoilmatt

          @cyberconsultants
          Thanks for the quick reply. Perhaps I should take a step back and ask if my overall goal is possible to achieve with pfSense & pfBlockerNG.

          My son is grounded for a couple of weeks and I wanted to be able to selectively block things like youtube, netflix, facebook, tiktok etc during this period just on his devices (phone, laptop).

          Currently I only use pfBlockerNG to block things like trackers and ads across every device on the network.
          I was hoping that it would be possible to have more granular control to achieve my goal above.
          I thought I might be able to do it with DNSBL settings but would there be any other ways I could try?

          Cheers,
          Tom.

            tinfoilmatt @Zhigre

            @Zhigre forgive me in advance for only brainstorming with you here—but i think i literally just now might have thought of a way for you to accomplish this (albeit slightly unintuitively):

            Firewall / Aliases / IP
            Create a "Network" type alias (not a "Host" type) and specify any/all IP addresses of your son's devices one-by-one in CIDR notation. i.e., [IPv4 address]/32 and [IPv6 address]/128. Do not use "pfB_" in the alias name.

            Firewall / pfBlockerNG / IP (not DNSBL)
            1.) create two separate IP feed groups, one for IPv4 and one for IPv6—the rest of this list applies the same for both.

            2.) Action set to "Deny Outbound"

            3.) Update Frequency set to "Every Hour"

            4.) under Advanced Outbound Firewall Rule Settings section, tick the Custom Source "Enable" checkbox, and type the name of the Network-type alias you created into the Custom Source box. (you'll know if it was created properly if auto-complete appears.) Custom Protocol must be set to TCP/UDP.

            5.) enter your list of domains into the respective IPv4 Custom_List and IPv6 Custom_List boxes. check the "Enable Domain/AS" checkbox.

            6.) Force Update | Reload

            this will basically use pfB to resolve your list of domains to IPs, and then make use of the Firewall 'Auto' Rule function to create a floating firewall rule blocking any traffic sourced from your son's devices destined to said resolved IPs. (make sure to review Firewall / pfBlockerNG / IP / "IP Interface/Rules Configuration" section to confirm it's configured as-desired.) check your ruleset following the Reload to confirm.

            update with any snags you hit, and/or screencaps of the custom IP Feed Groups and floating firewall rule if everything takes but doesn't seem to be working as intended.

              SteveITS @Zhigre

              @Zhigre some brainstorming:

              Use parental controls; MS and Apple are pretty good at that (Windows needs an MS account and Edge).

              PfB has a poorly named “group policy” box:
              “This is a preliminary DNSBL Group Policy configuration that will bypass DNSBL for the defined LAN IPs. (No Subnets allowed)”
              So, block all and bypass for not-your-son.

              IPv6 uses temp addresses making it difficult to identify one device.

              IT savvy kids can set a static/different IP.

              PfBlocker can create aliases by ASN to contain all IPs for a company.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                tinfoilmatt @SteveITS

                @SteveITS said in Custom DNSBL block list for specific hosts:

                IT savvy kids can set a static/different IP.

                good point.

                @SteveITS said in Custom DNSBL block list for specific hosts:

                PfBlocker can create aliases by ASN to contain all IPs for a company.

                it can also resolve domains to IPs using the same function.

                  SteveITS @tinfoilmatt

                  @cyberconsultants said in Custom DNSBL block list for specific hosts:

                  it can also resolve domains to IPs using the same function.

                  pfSense can do that too without pfB but overall it depends upon the IP not frequently changing. In any case it’s not necessarily a straightforward problem/solution.

                  I believe Unbound also has “views” if OP can figure it out.

                  I was not excited about using MS/Edge but one can block other programs/browsers and lock Edge down pretty well.


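SteveITS's mention of Unbound "views" (together with tinfoilmatt's earlier point that DNSBL otherwise applies to every client of the resolver) is the per-client DNS answer to the original question. The fragment below is an added example, not from this thread and not pfBlockerNG's own configuration, of what that looks like when pasted into Services / DNS Resolver / General Settings / Custom options on pfSense. The two client addresses and the four domains are constructed from the scenario in the thread; it assumes the Custom options box is passed to Unbound verbatim (hence the explicit `server:` header) and that pfBlockerNG DNSBL is running in Unbound mode, where its entries are ordinary server-level local-zone/local-data that `view-first` falls back to.

```conf
# Added example: per-client DNS blocking with Unbound views (not from the thread or pfBlockerNG).
# 192.168.1.50 and 2001:db8::50 are constructed placeholders for the grounded devices.
server:
    # Attach the "grounded" view to each device address, one line per device,
    # as /32 or /128. Every other client keeps the default view and is unaffected.
    access-control-view: 192.168.1.50/32 grounded
    access-control-view: 2001:db8::50/128 grounded

view:
    name: "grounded"
    # When a name is not matched inside this view, fall back to the global
    # local-zone/local-data, so the ad/tracker blocking already in place for the
    # whole network (pfBlockerNG DNSBL in Unbound mode) still applies here as well.
    view-first: yes
    # A local-zone covers the zone and every name under it (www., m., cdn. ...).
    local-zone: "youtube.com." always_nxdomain
    local-zone: "netflix.com." always_nxdomain
    local-zone: "facebook.com." always_nxdomain
    local-zone: "tiktok.com." always_nxdomain
```

After saving and restarting the resolver, look up one of the listed names from a grounded device and from any other device; only the grounded one should get NXDOMAIN, and an ad domain from the firebog lists should still be blocked on both. Two things to confirm before relying on it: whether pfBlockerNG's Python mode (the mode behind the Python Group Policy tinfoilmatt mentioned) still applies inside a view, which the thread does not settle, and that the devices really use the pfSense resolver, since a hard-coded public DNS server or DNS-over-HTTPS in the browser bypasses this the same way a static IP bypasses an address-based rule.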
                    tinfoilmatt @SteveITS

                    @SteveITS said in Custom DNSBL block list for specific hosts:

                    pfSense can do that too without pfB

                    ah, true. so you really could do this entirely without pfB.

                    but overall it depends upon the IP not frequently changing.

                    the interval for alias FQDN re-resolution is not specified ("FQDN hostnames are periodically re-resolved and updated."). would have to go digging for that specific answer.

                    but if it's greater than an hour, i guess maybe therein lies one advantage of using pfB over aliases + manual firewall rule: pfB can be set to update every hour (with it then automatically creating the rule/s being another).

                      Zhigre @SteveITS

                      @SteveITS said in Custom DNSBL block list for specific hosts:

                      IT savvy kids can set a static/different IP.

                      Thankfully he's one of the least IT savvy kids around so that would be very unlikely at this stage.

                          Zhigre @SteveITS

                          @SteveITS

                          Can I block all and bypass for devices that aren't his but still be blocking the other content in the firebog lists on all devices?

                          Also, I've set static IPv4 addresses for all devices in the home.

                            tinfoilmatt @Zhigre

                            @Zhigre the solution i've proposed would have no effect whatsoever on any other pfB configuration you already have in place. (it's actually preferable to what i originally mentioned with the Python Group Policy function, where any excepted devices would be completely excepted from all DNSBL.)

                            all devices on the network would continue to be 'protected' the way you have pfB configured now—and then only your son's devices would additionally be blocked from passing traffic to any IPs resolved from your custom domain list.

                              Zhigre @tinfoilmatt

                              @cyberconsultants

                              Thanks heaps for the assistance, I'll try to implement that soon and let you know how it went :)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.