PfBlockerNG v2.0 w/DNSBL
-
i also found this in the pfblockerng.log
... ... [ DNSBL_IP ] Updating aliastable ------------------------------------------ no changes. Total IP count = 37 ------------------------------------------ ------------------------------------------ Assembling database... completed Validating database... completed [ 06/06/16 17:00:03 ] Reloading Unbound ...error: SSL handshake failed 34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185: error: SSL handshake failed 34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185: error: SSL handshake failed 34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185: Not completed. DNSBL update [ 70081 ]... completed ------------------------------------------ ... ...the weird thing to me is that i see the alerts in the alerts tab, but the ads still show up on my screen.
if i need to post more info, let me know.
-
i also found this in the pfblockerng.log
... ... [ DNSBL_IP ] Updating aliastable ------------------------------------------ no changes. Total IP count = 37 ------------------------------------------ ------------------------------------------ Assembling database... completed Validating database... completed [ 06/06/16 17:00:03 ] Reloading Unbound ...error: SSL handshake failed 34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185: error: SSL handshake failed 34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185: error: SSL handshake failed 34386119176:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/builder/pfsense-231/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1185: Not completed. DNSBL update [ 70081 ]... completed ------------------------------------------ ... ...the weird thing to me is that i see the alerts in the alerts tab, but the ads still show up on my screen.
if i need to post more info, let me know.
Hi XmickS,
If you are using the Resolver in "Forwarder" mode, make sure that the DNS servers you are using support DNSSEC… This looks like a Resolver settings issue to me...
-
It can be done just as Dok said above:
Point your LAN devices to pfSense Resolver/DNSBL, and then set the Resolver into "Forwarding mode" to the opendns servers… But keep in mind that opendns doesn't support DNSSEC, so disable those options...
Stupid me, that was easy (one check mark and one off). But when using the "Forwarding mode" am I not losing DNSBL and so a lot off "power" of your adblocker? In your professional opinion am I now penny wise and pond foolish?
DNSBL has nothing to do with either "Forwarder" or "Resolver" mode in Unbound… Its a preference... But best to use "Resolver" mode as you are using the Root DNS Servers for the DNS requests...
Here is a good primer about the DNS Resolver (Unbound) https://calomel.org/unbound_dns.html
-
Hi XmickS,
If you are using the Resolver in "Forwarder" mode, make sure that the DNS servers you are using support DNSSEC… This looks like a Resolver settings issue to me...
Hi BBcan177,
I had unbound in forwarder mode. When I go to a domain which is in one of the dnsbl feeds I get the 1x1 message so that tells me that there is something being blocked. when i open, for example yahoo.com, I can see al the boxes where the adds come in just not the contens of them. I'm not sure if on my previous pfsense box the whole ad was being blocked, like my adblocker does.
Is pfblocker capable of blocking this whole add thing or is it someting I didn't remember correctly?
Thanks for the help!
-
when i open, for example yahoo.com, I can see al the boxes where the adds come in just not the contens of them. I'm not sure if on my previous pfsense box the whole ad was being blocked, like my adblocker does.
Yahoo, is doing something dirty with ADs on that page… Its actually an Image… So it can't be blocked by DNSBL since, its not doing a DNS resolution to an AD server... Right-Click on the AD then click "Inspect" ... You will see that its actually an Image.... I haven't seen this elsewhere except for Yahoo...
Some info about Browser Add-ons:
https://twitter.com/x0rz/status/739807696568918016 -
Yahoo, is doing something dirty with ADs on that page… Its actually an Image… So it can't be blocked by DNSBL since, its not doing a DNS resolution to an AD server... Right-Click on the AD then click "Inspect" ... You will see that its actually an Image.... I haven't seen this elsewhere except for Yahoo...
Some info about Browser Add-ons:
https://twitter.com/x0rz/status/739807696568918016allright… I think I see the same thing on aol.com. They just find another way to serve you ads. But with an adblocker on my browser and dnsbl blocking ads on mobile devices, I haven't seen them yet. So thats a good thing! Gonna donate right now. Thanks for making browsing a lot cleaner! ;D
Just one thing I can't get done. Thats blocking those annoying ads on youtube. Is that possible with dnsbl? I use the easylists Cameleon, adaway yoyo and hostfile. I haven't configured ip blocklists yet.
-
Does pfblockerNG2.0.4 need the localhost (127.0.0.1). As in the general setup of pfsense there is the "Disable DNS Forwarder" option! checking it and so disabling it removes 127.0.0.1 from the ISP DNS servers on the WAN in the Status -> Interfaces
(Do not use the DNS Forwarder as a DNS server for the firewall By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.)
-
Does pfblockerNG2.0.4 need the localhost (127.0.0.1). As in the general setup of pfsense there is the "Disable DNS Forwarder" option! checking it and so disabling it removes 127.0.0.1 from the ISP DNS servers on the WAN in the Status -> Interfaces
(Do not use the DNS Forwarder as a DNS server for the firewall By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.)
If you are using the Resolver in "Resolver mode"… then best to leave that option unchecked... This way, all requests goto the localhost for DNS resolution.
-
Yahoo, is doing something dirty with ADs on that page… Its actually an Image… So it can't be blocked by DNSBL since, its not doing a DNS resolution to an AD server... Right-Click on the AD then click "Inspect" ... You will see that its actually an Image.... I haven't seen this elsewhere except for Yahoo...
Some info about Browser Add-ons:
https://twitter.com/x0rz/status/739807696568918016allright… I think I see the same thing on aol.com. They just find another way to serve you ads. But with an adblocker on my browser and dnsbl blocking ads on mobile devices, I haven't seen them yet. So thats a good thing! Gonna donate right now. Thanks for making browsing a lot cleaner! ;D
Just one thing I can't get done. Thats blocking those annoying ads on youtube. Is that possible with dnsbl? I use the easylists Cameleon, adaway yoyo and hostfile. I haven't configured ip blocklists yet.
Yahoo! in another recent Malvertising campaign…
https://blog.malwarebytes.org/cybercrime/exploits/2016/06/neutrino-exploit-kit-fills-in-for-angler-ek-in-recent-malvertising-campaigns/
-
Just one thing I can't get done. Thats blocking those annoying ads on youtube. Is that possible with dnsbl? I use the easylists Cameleon, adaway yoyo and hostfile. I haven't configured ip blocklists yet.
same here. haven't found a way yet.
does somebody tried the blocking lists from example adblock plus addon for firefox/chrome?
would that work? -
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt -
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txtSo DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
-
So DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txtThank you ;)
-
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
Thank you for the reply and that is great. I just added https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt to my DNSBL.
One other question, I missed the pfBlockerng hangout but I did watch it afterwards. In it, I believe you said that you would post your recommended blocklists. Is there such a CURRENT compilation on the forum? I have been hunting them down for over a month now and cannot seem to find a "one list of lists to rule them all." I am currently using the ones from jflsakfja's posts but those posts are over a year old I think and I never did find his complete list of lists. I think he posted that he was going to include them in his suricata guide - which does not appears as though it will be completed.
-
So DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
Thanks for clearing up, I wasn't aware of that either and just skipped the URL blocklists 8)
@khanman, thanks for the hint about pfBlockerNG hangout! Going to watch in a minute!
-
Hi BBcan177, first of all I'm a big fan of you awesome pfsense package, great work! I'm using your plugin for a couple of weeks now but I noticed some strange behaviour with DNSBL. Some fqdn's get blocked sometimes even if they are added to the global whitelist, this is not always the case. The only way to fix this was to completely set the List Action box to disabled to get things working again. After switching it back to unbound it didn't get blocked. In this particulair case it's analytics.twitter.com
The block is added to the alert log, even at this point it says it's already added to the whitelist. Why does it block this fqdn?
-
Is there such a CURRENT compilation on the forum?
This post has instructions on how to get a script that I wrote a year ago…. There are some changes to that list since, but its a start.
https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973
I will try to make a new script at some point....
