Netgate Discussion Forum

    Exception for DNSBL Rule

    pfBlockerNG
    7 Posts 4 Posters 3.4k Views
    Nic12

      Hi,

      I'm using pfSense 2.3.3-RELEASE-p1 with pfBlockerNG 2.1.1_7.

      I'm trying to configure an exception for a DNSBL rule and I got some problems…

      I configured a DNSBL Feed with a hosts list (http://www.malwaredomainlist.com/hostslist/hosts.txt) with a rule: Deny outbound.
      Clients couldn't reach the host names: everything works fine.

      But I tried to configure an exception: one host in the LAN should reach these domains.
      I configured an alias in "Advanced Outbound Firewall Rule Settings - Custom source" with parameters "Enable - Invert", but the host name couldn't be reached.

      I configured a GeoIP rule in the same manner, and it functions as expected: only the "custom source" can reach the country.

      Could someone tell me if I missed something?
      Thanks

      someuser123

        go to pfBlockerNG > DNSBL > DNSBL Whitelist
        add the domain you want to access or whitelist, click save.
        then go to the update tab, and run - force reload

        the newly added domain should be accessible

        Nic12

          Thanks for your answer.
          That's not what I want to do.
          I want to build a domain blacklist for all computers in my LAN, except one host.
          The blacklist functions, but not the exception for one host.

          I did that successfully for GeoIP with the function "Advanced Outbound Firewall Rule Settings - Custom source".
          In DNSBL, this same function doesn't seem to have any effect (in my configuration).

          doktornotor

            This just doesn't make any sense whatsoever. Using the list in DNSBL will make it resolve to the virtual IP configured in pfBNG. Has nothing to do with firewall rules, and cannot be bypassed by any firewall rules.

            RonpfS

              @Nic12:

              I want to build a domain blacklist for all computers in my LAN, except one host.

              Configure that host to use a different DNS server than the one from pfsense+DNSBL

              2.4.5-RELEASE-p1 (amd64)
              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

              Nic12

                Ok, it seems that I misunderstood some basic principles of pfBlockerNG.
                "Advanced Outbound Firewall Rule Settings" and "Floating rules" misled me.
                Sorry for the newbie questions…

                Each client on my LAN is configured to talk to the pfSense DNS Resolver.
                Is there a way for one client to use the default DNS Resolver and not the DNSBL Virtual IP?
                As soon as DNSBL is configured, is the "old" DNS Resolver totally overridden?

                Otherwise, I have to use a different DNS server...

                doktornotor

                  @Nic12:

                  Ok, it seems that I misunderstood some basic principles of pfBlockerNG.
                  "Advanced Outbound Firewall Rule Settings" and "Floating rules" misled me.
                  Sorry for the newbie questions…

                  Please, read the description there:

                  Configure settings for Firewall Rules when any DNSBL Feed contain IP Addresses

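The thread's conclusion is that DNSBL is a DNS sinkhole, not a firewall filter, so a per-host exception can only come from the DNSBL whitelist (which applies to every client) or from pointing that one host at a different resolver. The following model illustrates that: it is an added example, not pfBlockerNG's own code, and it assumes the default DNSBL VIP 10.10.10.1, a constructed hosts-file feed in the style of the hosts.txt feed above, and an unbound local-data line format modelled on, but not copied from, what pfBlockerNG generates.

```python
"""Added example (not pfBlockerNG code): a model of a DNSBL sinkhole."""
from typing import Dict, List

DNSBL_VIP = "10.10.10.1"  # pfBlockerNG's default DNSBL virtual IP (assumed unchanged)

# Constructed sample feed in hosts-file format, like the hosts.txt feed in the thread.
FEED = """\
# constructed sample
127.0.0.1  localhost
127.0.0.1  bad.example.net
0.0.0.0    ads.example.com   # trailing comment
127.0.0.1  tracker.example.org
"""
# Constructed stand-in for what a plain (non-sinkholing) resolver would answer.
UPSTREAM = {"bad.example.net": "203.0.113.5", "ads.example.com": "203.0.113.6",
            "tracker.example.org": "203.0.113.7"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts_feed(text: str) -> List[str]:
    """Return the hostnames a hosts-file feed points at a loopback/null address."""
    domains: List[str] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host not in LOCAL_NAMES and host not in domains:
                domains.append(host)
    return domains


def build_sinkhole(domains: List[str], whitelist: List[str], vip: str = DNSBL_VIP) -> Dict[str, str]:
    """Map every listed domain, except whitelisted ones, to the DNSBL VIP (whitelist is global)."""
    skip = {w.lower().rstrip(".") for w in whitelist}
    return {d: vip for d in domains if d not in skip}


def unbound_local_data(sinkhole: Dict[str, str]) -> List[str]:
    """Render the map as unbound local-data lines (format assumed, modelled on pfBlockerNG's)."""
    return [f'local-data: "{d} 60 IN A {ip}"' for d, ip in sorted(sinkhole.items())]


def resolve(name: str, sinkhole: Dict[str, str]) -> str:
    """Answer as a resolver holding this sinkhole table would; an empty table is a plain resolver.
    Which table a client hits depends only on the resolver it queries, never on a firewall rule."""
    key = name.lower().rstrip(".")
    return sinkhole.get(key) or UPSTREAM.get(key, "NXDOMAIN")
```

A LAN client querying the pfSense resolver gets the VIP for every listed name; the "exception" host only gets real answers if it asks a resolver without the table, which is exactly the different-DNS-server advice in the thread.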
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.