PfBlockerNG v2.0 w/DNSBL

tonymorella

Few things I found out while beta testing V2

• First rule is take your time and be patient. Adding to may rules at once will casue alot of blocks you may or may not way. Wildcards are not supported, or wanted in most cases. For example adding google.com does not filter all the hosts for the domain, need to add each host that is being blocked to the filter lists
• Make sure to double check ASN's, especially for large companies that have acquired other companies, more than one ASN might exist
  *** Unbound has an issue in my setup using OpenVPN connected to PIA. It does not start correctly when a network issue is sensed,  em1 or openvpn interfaces flap for example. The core problem seems to be how the rc scripts handle unbound reload.  They do a HUP vs reload to get around the cache being lost. Disabling "DHCP Registration" or "Static DHCP" was a workaround that allowed unbound to start correctly.
• Checking "DHCP Registration" or "Static DHCP" causes other issues with unbound, this is a know issue being talked about in the DNS forum.  I added all my hosts host to unbound statically as a work around
• I wanted to have my allow rules > pfb block rules > my block rules > my per interface rules.  Did this by enabling "Floating Rules" and using "pfb_pass/match  | pfsense pass/match |  pfb_block/reject"
• If you have WIFI make sure to enable "DNSBL Firewall Rule" and select both LAN and WIFI or the NAT: Port Forward rule for 10.10.10.1 is not setup correctly.  If you don't change this setting things still work but everything runs slow over wifi.
• Make sure to whitelist all the DNSBL sites FQDN via an allow aliases, some IPv4 block-lists include the IP space the DNSBL are found in
• DBSBL is basicly a man in the middle for DNS so any site that is block but running https will create warrnings. Depending on how the brower is setup it might just ignore or not display the error.  CTRL+SHIFT+I on both Chrome and Firebox will bring up dev panel where you can see which pages are not loading. Chrome will show an error, Firefox will show a red slash throught the lock icon.
• Noticed a list of domains in the Alexa top 1K that serve up ads, since I don't want this I added the following custom block list to my Ads DNS Group which will remove them from any DNS group that is using the Alexa top 1K filter. To confirm make sure "Enable Alexa Whitelist" is NOT checked for this DNS group.

popcash.net
www.popcash.net
cdn.popcash.net
outbrain.com
www.outbrain.com
onclickads.net
www.onclickads.net
googleadservices.com
www.googleadservices.com
adcash.com
www.adcash.com
popads.net
www.popads.net
popmyads.com
www.popmyads.com

• List of domains added to DNSBL Custom Domain Suppression to stop them from being blocked

goo.gl
google.com
www.google.com
mail.google.com
docs.google.com
sites.google.com
fonts.googleapis.com
cache.google.com
clients.google.com
clients0.google.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
clients7.google.com
clients8.google.com
clients9.google.com
www.maxmind.com
s3.amazonaws.com
fls-na.amazon.com
login.live.com
redis.io
pgl.yoyo.org
someonewhocares.org
www.thingamajob.com
winhelp2002.mvps.org
hosts-file.net
www.hosts-file.net
adaway.org
sysctl.org
adblock.gjtech.net
www.dshield.org
malwaredomainlist.com
malwaredomains.com
bambenekconsulting.com
malwarepatrol.net
zeustracker.abuse.ch
malc0de.com
curl.haxx.se
dl.dropboxusercontent.com
whois.cymru.com
github.com
collector-cdn.github.com
pivotal.github.com
cloud.github.com
raw.githubusercontent.com
raw.github.com
stopforumspam.com
www.stopforumspam.com
sourceforge.net
www.sourceforge.net
iweb.dl.sourceforge.net
chase.com
www.chase.com
mint.com
www.mint.com
americanexpress.com
www.americanexpress.com
online.americanexpress.com
linuxquestions.org
www.linuxquestions.org
optimizely.com
www.optimizely.com
api.optimizely.com
cdn.optimizely.com
cdn2.optimizely.com
cdn3.optimizely.com
slashdot.org
www.slashdot.org
ebay.com
www.ebay.com
rover.ebay.com
srx.main.ebayrtm.com
openbl.org
www.openbl.org
www.us.openbl.org
delta.com
www.delta.com
aa.com
www.aa.com
cruisesonly.com
www.cruisesonly.com
ripe.net
www.ripe.net
weather.com
www.weather.com
lacnic.net
www.lacnic.net
tvrage.com
services.tvrage.com
www.tvrage.com
publicbt.com
device.maxmind.com
www.boingo.com
xda-developers.com
www.xda-developers.com
forum.xda-developers.com
opengapps.org
download.mono-project.com

• Ads DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: NOT Enabled

• Add Custom Block List noted above

http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintextoup	yoyo
http://hosts-file.net/ad_servers.txt							hphosts_ats
https://adaway.org/hosts.txt								adaway
http://sysctl.org/cameleon/hosts							syctrl
http://adblock.gjtech.net/?format=unix-hosts						gjtech

• Privacy Fraud DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt			disconnect_basic
http://hosts-file.net/fsa.txt								hphost_fsa
http://hosts-file.net/hjk.txt								hphost_hjk
http://hosts-file.net/pha.txt								hphost_psh
https://www.dshield.org/feeds/suspiciousdomains_High.txt				dshield_sdh

• Malware Exploit DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt			disconnect_malvertising
http://www.malwaredomainlist.com/hostslist/hosts.txt					malwaredomainlist
http://mirror1.malwaredomains.com/files/justdomains					malwaredomains			
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt				disconnect_malware
http://hosts-file.net/emd.txt								hphosts_emd
http://hosts-file.net/exp.txt								hphosts_exp
http://hosts-file.net/mmt.txt								hphosts_mmt
https://lists.malwarepatrol.net/cgi/getfile?receipt=f1442112770&product=8&list=dansguardian malwarepatrol
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist			zeustracker
https://malc0de.com/bl/BOOT								malc0de

• SPAM DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

http://hosts-file.net/grm.txt								hphost_grm
http://hosts-file.net/hfs.txt								hphost_hfs
https://spam404bl.com/blacklist.txt							spam_404

• Malicious DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

http://hosts-file.net/hphosts-partial.txt						hphost_partial
http://winhelp2002.mvps.org/hosts.txt							mvps_hosts
http://someonewhocares.org/hosts/hosts							SomeoneWhoCares
https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw			BBcan177

• BambenekConsulting DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

http://osint.bambenekconsulting.com/feeds/dga-feed.gz					bambenek_dga
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt				bambenek_c2

Thanks
Tony M.**

tonymorella

@vito:

BBCan177,
Any problems running your list import script on PFB 2.0?

This scripted worked without an issue for me.

ntct

Oops! I found ZeuS Tracker is shut down, I hope it is only temporary.

Hugovsky

@fraglord:

Can you elaborate? I have multi-wan and forwarding disabled and everything works.

If you enable forwarding mode then a foward-zone named "." is created as well as some forward-addr entries with the DNS servers you sepcified system->general setup.
Default behavior of unbound is to query the Root servers. But if you have a multi-WAN configuration and need to specifiy a different DNS server for each WAN(gateway) you need forwarding mode to be enabled. So yeah, works without forwarding mode for some multi-WAN configs that are fine with just the Root servers.

Thank you.

A Former User

I am receiving certificate invalid errors after enabling the DNSBL when navigating certain sites - so far the culprit seems to mainly be googleads.g.doubleclick.net when trying to serve content over an HTTPS enabled website.

The attempt still shows in the Alerts tab of pfBlockerNG, the main site still loads, but it seems to be wanting to use the firewall's self signed certificate as the certificate for the ad server host.

Did I miss a setting somewhere to prevent this from happening?

doktornotor

There's no such setting anywhere and no way to prevent this from happening really, except for whitelisting the domain.

reggie14

@Atlan

To a certain extent, this isn't surprising.  pfBlockerNG essentially has to Man-in-the-Midde HTTPS.  If the ad is being loaded from an HTTPS server (I don't necessarily mean the page you're viewing, rather where the ad itself is coming from), then pfBlockerNG redirects you to its own little webserver running on your pfsense box, and, since is done over HTTPS, that webserver uses a generic, default certificate.  It's a different cert than what is used for the pfsense WebGUI.  For various reasons, pfBlockerNG uses the same certifcate for every blocked HTTPS resource.  This creates a problem because the name in the certificate doesn't match the domain name of the blocked resource, which is why you see certificate warnings.  There's no good way around this, though.  Attempting to dynamically create valid certs off a CA running on the pfsense box would be both complicated and slow.

But, I'm a little surprised you're seeing warnings.  I used to see warnings occasionally, but I haven't for a while.  I thought browsers just started silently dropping HTTPS connections to external resources when there's a bad certificate.

Can you provide additional information to reproduce this?  What browser are you using?  What webpage were you accessing?  If I can see an example, and maybe inspect a packet capture and page source code may be I can see what's going on.

MBwork

What about setting your virtual address to 0.0.0.0? As that whole /8 is non-routable, you wouldn't get the cert error. It would just silently fail to load ads.

reggie14

@mbarnes:

What about setting your virtual address to 0.0.0.0? As that whole /8 is non-routable, you wouldn't get the cert error. It would just silently fail to load ads.

While that might hide the cert error, there would be downsides.  First, some some pages will hang as they wait for the ad server to respond.  Second, blackholing the traffic completely by setting the VIP to something other than the DNSBL webserver will disable alerts.  That would create problems, because the regular ad-blocking lists WILL break some sites and mobile apps.  The alerts are, by far, the easiest way to track down problems.

There are better plausible workarounds, but we need to see some examples to understand under what circumstances people run into cert errors.

BIGGRIMTIM

Sorry if this is stupid question.  I am using OpenDNS and wondered if I can use DNSBL along with it?  The only way I was able to get alert data was by changing the DNS settings on my PC.

Thanks.

doktornotor

@BIGGRIMTIM:

Sorry if this is stupid question.  I am using OpenDNS and wondered if I can use DNSBL along with it?  The only way I was able to get alert data was by changing the DNS settings on my PC.

Not in this way. If you point your clients to pfSense as DNS server and use OpenDNS as forwarders for Unbound, then yes it should work.

tonymorella

@Atlan:

I am receiving certificate invalid errors after enabling the DNSBL when navigating certain sites - so far the culprit seems to mainly be googleads.g.doubleclick.net when trying to serve content over an HTTPS enabled website.

The attempt still shows in the Alerts tab of pfBlockerNG, the main site still loads, but it seems to be wanting to use the firewall's self signed certificate as the certificate for the ad server host.

Did I miss a setting somewhere to prevent this from happening?

Ya ran into the same problem while beta testing, completely forgot about this issue until I read your post :) For a quick fix I created a CA and web certificate via pfsense GUI then copies this cert to /var/unbound/dnsbl_cert.pem which dnsbl light http will use.  Then push out the CA to all the desktops, could be done via GPO or login scripts. With https://letsencrypt.org/ picking up traction, everything is going to be running over TLS or SSL soon going to have to implement this type of fix.

**EDIT: Sorry guys did a bad job on this post and what I was doing, it does not fix the underlying issue with the TLS stream being bad because the cert is not valid, reggie14 did a much better job testing this than I. In my setup is simply helped limit the errors in Chrome. Again just a quick fix that might help. Again sorry for the confusion.

FYI the update from Chrome 45 to 46 made a difference in what come up under security warnings:
http://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/**

Thanks
Tony M

asterix

Getting this EasyList error for w/o elements.

[ DNSBL_EasyList - w/o Elements ] Download FAIL
  Could not determine IP address of host.
  Firewall and/or IDS are not blocking download.

doktornotor

@Asterix:

Getting this EasyList error for w/o elements.

[ DNSBL_EasyList - w/o Elements ] Download FAIL
  Could not determine IP address of host.
  Firewall and/or IDS are not blocking download.

Well that's not a package error. You need working DNS. :D

$ host easylist-downloads.adblockplus.org
easylist-downloads.adblockplus.org has address 148.251.139.76
easylist-downloads.adblockplus.org has address 144.76.100.145
easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:200:114f::2
easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:192:7126::2

tonymorella

@doktornotor:

@Asterix:

Getting this EasyList error for w/o elements.

[ DNSBL_EasyList - w/o Elements ] Download FAIL
  Could not determine IP address of host.
  Firewall and/or IDS are not blocking download.

Well that's not a package error. You need working DNS. :D

$ host easylist-downloads.adblockplus.org
easylist-downloads.adblockplus.org has address 148.251.139.76
easylist-downloads.adblockplus.org has address 144.76.100.145
easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:200:114f::2
easylist-downloads.adblockplus.org has IPv6 address 2a01:4f8:192:7126::2

Filter out easylist-downloads.adblockplus.org via DNSBL as well as add it to an allow alias and see if this helps. Depending out how you having things setup could be blocking.  Host lookup most likely works because it's doing is via unbound. Just a thought let us know :)

Tony M

shopro

I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.

I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?

tonymorella

@shopro:

I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.

I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?

dnsbl show as stopped is not a good sign, are you sure dnsbl check box is enabled as well as unbound (DNS Resolver)?

shopro

@tonymorella:

@shopro:

I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.

I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?

dnsbl show as stopped is not a good sign, are you sure dnsbl check box is enabled as well as unbound (DNS Resolver)?

Yes, both dnsbl and unbound check box's are checked. The funny thing is that it blocks the ad's when enabled, but doesn't seem to use the 1x1 gif and instead just times out the servers.

tonymorella

@shopro:

@tonymorella:

@shopro:

I must be doing something wrong as when I load a page containing ads the page load stops until ad servers are timed out. Also in Status -> Services, dnsbl is showed as stopped. Can't seem to find any error logs about it anywhere. Also my alerts tab is empty besides the Deny list.

I configured dnsbl as instructed on page 1 and have double checked everything to be the same way. Though maybe the reason is that my clients use my domain controller as their dns which forwards to pfsense which in turn forwards to OpenDNS. Any ideas where I went wrong?

dnsbl show as stopped is not a good sign, are you sure dnsbl check box is enabled as well as unbound (DNS Resolver)?

Yes, both dnsbl and unbound check box's are checked. The funny thing is that it blocks the ad's when enabled, but doesn't seem to use the 1x1 gif and instead just times out the servers.

If the dnsbl web server is not running this is what I would expect, request will not have a response and will time out.  Anything in /var/log/pfblockerng/dnsbl_error.log and dnsbl.log files?

shopro

The dnsbl_error.log seems normal, no errors or anything else like that. The dnsbl.log says "Log file is empty or does not exist." which I assume is because the service isn't started.