PfBlockerNG v2.0 w/DNSBL
-
Few things I found out while beta testing V2
- First rule is take your time and be patient. Adding to may rules at once will casue alot of blocks you may or may not way. Wildcards are not supported, or wanted in most cases. For example adding google.com does not filter all the hosts for the domain, need to add each host that is being blocked to the filter lists
- Make sure to double check ASN's, especially for large companies that have acquired other companies, more than one ASN might exist
*** Unbound has an issue in my setup using OpenVPN connected to PIA. It does not start correctly when a network issue is sensed, em1 or openvpn interfaces flap for example. The core problem seems to be how the rc scripts handle unbound reload. They do a HUP vs reload to get around the cache being lost. Disabling "DHCP Registration" or "Static DHCP" was a workaround that allowed unbound to start correctly. - Checking "DHCP Registration" or "Static DHCP" causes other issues with unbound, this is a know issue being talked about in the DNS forum. I added all my hosts host to unbound statically as a work around
- I wanted to have my allow rules > pfb block rules > my block rules > my per interface rules. Did this by enabling "Floating Rules" and using "pfb_pass/match | pfsense pass/match | pfb_block/reject"
- If you have WIFI make sure to enable "DNSBL Firewall Rule" and select both LAN and WIFI or the NAT: Port Forward rule for 10.10.10.1 is not setup correctly. If you don't change this setting things still work but everything runs slow over wifi.
- Make sure to whitelist all the DNSBL sites FQDN via an allow aliases, some IPv4 block-lists include the IP space the DNSBL are found in
- DBSBL is basicly a man in the middle for DNS so any site that is block but running https will create warrnings. Depending on how the brower is setup it might just ignore or not display the error. CTRL+SHIFT+I on both Chrome and Firebox will bring up dev panel where you can see which pages are not loading. Chrome will show an error, Firefox will show a red slash throught the lock icon.
- Noticed a list of domains in the Alexa top 1K that serve up ads, since I don't want this I added the following custom block list to my Ads DNS Group which will remove them from any DNS group that is using the Alexa top 1K filter. To confirm make sure "Enable Alexa Whitelist" is NOT checked for this DNS group.
popcash.net www.popcash.net cdn.popcash.net outbrain.com www.outbrain.com onclickads.net www.onclickads.net googleadservices.com www.googleadservices.com adcash.com www.adcash.com popads.net www.popads.net popmyads.com www.popmyads.com
- List of domains added to DNSBL Custom Domain Suppression to stop them from being blocked
goo.gl google.com www.google.com mail.google.com docs.google.com sites.google.com fonts.googleapis.com cache.google.com clients.google.com clients0.google.com clients1.google.com clients2.google.com clients3.google.com clients4.google.com clients5.google.com clients6.google.com clients7.google.com clients8.google.com clients9.google.com www.maxmind.com s3.amazonaws.com fls-na.amazon.com login.live.com redis.io pgl.yoyo.org someonewhocares.org www.thingamajob.com winhelp2002.mvps.org hosts-file.net www.hosts-file.net adaway.org sysctl.org adblock.gjtech.net www.dshield.org malwaredomainlist.com malwaredomains.com bambenekconsulting.com malwarepatrol.net zeustracker.abuse.ch malc0de.com curl.haxx.se dl.dropboxusercontent.com whois.cymru.com github.com collector-cdn.github.com pivotal.github.com cloud.github.com raw.githubusercontent.com raw.github.com stopforumspam.com www.stopforumspam.com sourceforge.net www.sourceforge.net iweb.dl.sourceforge.net chase.com www.chase.com mint.com www.mint.com americanexpress.com www.americanexpress.com online.americanexpress.com linuxquestions.org www.linuxquestions.org optimizely.com www.optimizely.com api.optimizely.com cdn.optimizely.com cdn2.optimizely.com cdn3.optimizely.com slashdot.org www.slashdot.org ebay.com www.ebay.com rover.ebay.com srx.main.ebayrtm.com openbl.org www.openbl.org www.us.openbl.org delta.com www.delta.com aa.com www.aa.com cruisesonly.com www.cruisesonly.com ripe.net www.ripe.net weather.com www.weather.com lacnic.net www.lacnic.net tvrage.com services.tvrage.com www.tvrage.com publicbt.com device.maxmind.com www.boingo.com xda-developers.com www.xda-developers.com forum.xda-developers.com opengapps.org download.mono-project.com
-
Ads DNS Group
-
Update Frequency: Once a Day
-
Enable Alexa Whitelist: NOT Enabled
-
Add Custom Block List noted above
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintextoup yoyo http://hosts-file.net/ad_servers.txt hphosts_ats https://adaway.org/hosts.txt adaway http://sysctl.org/cameleon/hosts syctrl http://adblock.gjtech.net/?format=unix-hosts gjtech
-
Privacy Fraud DNS Group
-
Update Frequency: Once a Day
-
Enable Alexa Whitelist: Enabled
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt disconnect_basic http://hosts-file.net/fsa.txt hphost_fsa http://hosts-file.net/hjk.txt hphost_hjk http://hosts-file.net/pha.txt hphost_psh https://www.dshield.org/feeds/suspiciousdomains_High.txt dshield_sdh
-
Malware Exploit DNS Group
-
Update Frequency: Once a Day
-
Enable Alexa Whitelist: Enabled
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt disconnect_malvertising http://www.malwaredomainlist.com/hostslist/hosts.txt malwaredomainlist http://mirror1.malwaredomains.com/files/justdomains malwaredomains https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt disconnect_malware http://hosts-file.net/emd.txt hphosts_emd http://hosts-file.net/exp.txt hphosts_exp http://hosts-file.net/mmt.txt hphosts_mmt https://lists.malwarepatrol.net/cgi/getfile?receipt=f1442112770&product=8&list=dansguardian malwarepatrol https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist zeustracker https://malc0de.com/bl/BOOT malc0de
-
SPAM DNS Group
-
Update Frequency: Once a Day
-
Enable Alexa Whitelist: Enabled
http://hosts-file.net/grm.txt hphost_grm http://hosts-file.net/hfs.txt hphost_hfs https://spam404bl.com/blacklist.txt spam_404
-
Malicious DNS Group
-
Update Frequency: Once a Day
-
Enable Alexa Whitelist: Enabled
http://hosts-file.net/hphosts-partial.txt hphost_partial http://winhelp2002.mvps.org/hosts.txt mvps_hosts http://someonewhocares.org/hosts/hosts SomeoneWhoCares https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw BBcan177
-
BambenekConsulting DNS Group
-
Update Frequency: Once a Day
-
Enable Alexa Whitelist: Enabled
http://osint.bambenekconsulting.com/feeds/dga-feed.gz bambenek_dga http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt bambenek_c2
Thanks
Tony M.** -
BBCan177,
Any problems running your list import script on PFB 2.0?This scripted worked without an issue for me.
-
Oops! I found ZeuS Tracker is shut down, I hope it is only temporary.
-
Can you elaborate? I have multi-wan and forwarding disabled and everything works.
If you enable forwarding mode then a foward-zone named "." is created as well as some forward-addr entries with the DNS servers you sepcified system->general setup.
Default behavior of unbound is to query the Root servers. But if you have a multi-WAN configuration and need to specifiy a different DNS server for each WAN(gateway) you need forwarding mode to be enabled. So yeah, works without forwarding mode for some multi-WAN configs that are fine with just the Root servers.Thank you.
-
I am receiving certificate invalid errors after enabling the DNSBL when navigating certain sites - so far the culprit seems to mainly be googleads.g.doubleclick.net when trying to serve content over an HTTPS enabled website.
The attempt still shows in the Alerts tab of pfBlockerNG, the main site still loads, but it seems to be wanting to use the firewall's self signed certificate as the certificate for the ad server host.
Did I miss a setting somewhere to prevent this from happening?
-
There's no such setting anywhere and no way to prevent this from happening really, except for whitelisting the domain.
-
To a certain extent, this isn't surprising. pfBlockerNG essentially has to Man-in-the-Midde HTTPS. If the ad is being loaded from an HTTPS server (I don't necessarily mean the page you're viewing, rather where the ad itself is coming from), then pfBlockerNG redirects you to its own little webserver running on your pfsense box, and, since is done over HTTPS, that webserver uses a generic, default certificate. It's a different cert than what is used for the pfsense WebGUI. For various reasons, pfBlockerNG uses the same certifcate for every blocked HTTPS resource. This creates a problem because the name in the certificate doesn't match the domain name of the blocked resource, which is why you see certificate warnings. There's no good way around this, though. Attempting to dynamically create valid certs off a CA running on the pfsense box would be both complicated and slow.
But, I'm a little surprised you're seeing warnings. I used to see warnings occasionally, but I haven't for a while. I thought browsers just started silently dropping HTTPS connections to external resources when there's a bad certificate.
Can you provide additional information to reproduce this? What browser are you using? What webpage were you accessing? If I can see an example, and maybe inspect a packet capture and page source code may be I can see what's going on.
-
What about setting your virtual address to 0.0.0.0? As that whole /8 is non-routable, you wouldn't get the cert error. It would just silently fail to load ads.
-
What about setting your virtual address to 0.0.0.0? As that whole /8 is non-routable, you wouldn't get the cert error. It would just silently fail to load ads.
While that might hide the cert error, there would be downsides. First, some some pages will hang as they wait for the ad server to respond. Second, blackholing the traffic completely by setting the VIP to something other than the DNSBL webserver will disable alerts. That would create problems, because the regular ad-blocking lists WILL break some sites and mobile apps. The alerts are, by far, the easiest way to track down problems.
There are better plausible workarounds, but we need to see some examples to understand under what circumstances people run into cert errors.
-
Sorry if this is stupid question. I am using OpenDNS and wondered if I can use DNSBL along with it? The only way I was able to get alert data was by changing the DNS settings on my PC.
Thanks.
-
Sorry if this is stupid question. I am using OpenDNS and wondered if I can use DNSBL along with it? The only way I was able to get alert data was by changing the DNS settings on my PC.
Not in this way. If you point your clients to pfSense as DNS server and use OpenDNS as forwarders for Unbound, then yes it should work.
-
I am receiving certificate invalid errors after enabling the DNSBL when navigating certain sites - so far the culprit seems to mainly be googleads.g.doubleclick.net when trying to serve content over an HTTPS enabled website.
The attempt still shows in the Alerts tab of pfBlockerNG, the main site still loads, but it seems to be wanting to use the firewall's self signed certificate as the certificate for the ad server host.
Did I miss a setting somewhere to prevent this from happening?
Ya ran into the same problem while beta testing, completely forgot about this issue until I read your post :) For a quick fix I created a CA and web certificate via pfsense GUI then copies this cert to /var/unbound/dnsbl_cert.pem which dnsbl light http will use. Then push out the CA to all the desktops, could be done via GPO or login scripts. With https://letsencrypt.org/ picking up traction, everything is going to be running over TLS or SSL soon going to have to implement this type of fix.
**EDIT: Sorry guys did a bad job on this post and what I was doing, it does not fix the underlying issue with the TLS stream being bad because the cert is not valid, reggie14 did a much better job testing this than I. In my setup is simply helped limit the errors in Chrome. Again just a quick fix that might help. Again sorry for the confusion.
FYI the update from Chrome 45 to 46 made a difference in what come up under security warnings:
http://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/**Thanks
Tony M -
Getting this EasyList error for w/o elements.
[ DNSBL_EasyList - w/o Elements ] Download FAIL
Could not determine IP address of host.
Firewall and/or IDS are not blocking download. -
Getting this EasyList error for w/o elements.
[ DNSBL_EasyList - w/o Elements ] Download FAIL
Could not determine IP address of host.
Firewall and/or IDS are not blocking download.Well that's not a package error. You need working DNS. :D
$ host easylist-downloads.adblockplus.org easylist-downloads.adblockplus.org has address 148.251.139.76 easylist-downloads.adblockplus.org has address 144.76.100.145 easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:200:114f::2 easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:192:7126::2
-
Getting this EasyList error for w/o elements.
[ DNSBL_EasyList - w/o Elements ] Download FAIL
Could not determine IP address of host.
Firewall and/or IDS are not blocking download.Well that's not a package error. You need working DNS. :D
$ host easylist-downloads.adblockplus.org easylist-downloads.adblockplus.org has address 148.251.139.76 easylist-downloads.adblockplus.org has address 144.76.100.145 easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:200:114f::2 easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:192:7126::2
Filter out easylist-downloads.adblockplus.org via DNSBL as well as add it to an allow alias and see if this helps. Depending out how you having things setup could be blocking. Host lookup most likely works because it's doing is via unbound. Just a thought let us know :)
Tony M
-
I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.
I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?
-
I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.
I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?
dnsbl show as stopped is not a good sign, are you sure dnsbl check box is enabled as well as unbound (DNS Resolver)?
-
I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.
I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?
dnsbl show as stopped is not a good sign, are you sure dnsbl check box is enabled as well as unbound (DNS Resolver)?
Yes, both dnsbl and unbound check box's are checked. The funny thing is that it blocks the ad's when enabled, but doesn't seem to use the 1x1 gif and instead just times out the servers.
-
I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.
I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?
dnsbl show as stopped is not a good sign, are you sure dnsbl check box is enabled as well as unbound (DNS Resolver)?
Yes, both dnsbl and unbound check box's are checked. The funny thing is that it blocks the ad's when enabled, but doesn't seem to use the 1x1 gif and instead just times out the servers.
If the dnsbl web server is not running this is what I would expect, request will not have a response and will time out. Anything in /var/log/pfblockerng/dnsbl_error.log and dnsbl.log files?
-
The dnsbl_error.log seems normal, no errors or anything else like that. The dnsbl.log says "Log file is empty or does not exist." which I assume is because the service isn't started.