DNSBL Weirdness



  • I enabled pfsenseng
    I enabled dnsbl

    Doing so automatically added server:include: /var/unbound/pfb_dnsbl.conf to my custom section of dns resolver.

    Thing is, when I check that file out with nano over ssh, the file is empty. I'm also not getting any alerts of anything being blocked.

    I tried deleting the file, and running a force update and force reload, and it regenerated the file, again, empty.

    Ideas?



  • Look at pfBlockerNG logs to see what's happening.


  • Moderator

    Did you enable any DNSBL feeds and/or EasyLists?



  • I thought there was a default dnsbl feed… Is this not the case?

    Unfortunately, I can't just block easylist or easyprivacy, and be done with it.
    I work for a public library, and we need to not censor content, but I'd like to block malware domains.

    Any suggestions?


  • Moderator

    There are no default feeds. You have to add the feeds that suit your needs.

    Here are some IPv4 feeds of malicious IPs. Can't guarantee if there are false positives, but they are the more professional lists available:

    CSV format:
    Type,Alias Name,Site URL,Header name, Feed URL

    ipv4,PRI1,"Abuse Dyre Blacklist","https://sslbl.abuse.ch/","Abuse_DYRE","https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.csv"
    ipv4,PRI1,"Abuse Ransomware Tracker","https://ransomwaretracker.abuse.ch/","Abuse_IPBL","https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt"
    ipv4,PRI1,"Abuse SSL Blacklist","https://sslbl.abuse.ch/","Abuse_SSLBL","https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv"
    ipv4,PRI1,"Abuse Zeus Tracker","https://zeustracker.abuse.ch/","Abuse_Zeus","https://zeustracker.abuse.ch/blocklist.php?download=badips"
    ipv4,PRI1,"Bambenek Consulting","https://www.bambenekconsulting.com/","BBC_C2","https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt"
    ipv4,PRI1,"CINSscore","http://cinsscore.com/","CINS","http://cinsscore.com/list/ci-badguys.txt"
    ipv4,PRI1,"Emerging Threats","https://www.proofpoint.com/us/products/et-intelligence","ET_Block","https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
    ipv4,PRI1,"Emerging Threats","https://www.proofpoint.com/us/products/et-intelligence","ET_Comp","https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
    ipv4,PRI1,"Internet Storm Center","https://isc.sans.edu/","ISC_1000","https://isc.sans.edu/api/sources/attacks/1000/"
    ipv4,PRI1,"Internet Storm Center","https://isc.sans.edu/","ISC_Block","https://isc.sans.edu/block.txt"
    ipv4,PRI1,"Spamhaus","https://www.spamhaus.org/","Spamhaus_Drop","https://www.spamhaus.org/drop/drop.txt"
    ipv4,PRI1,"Spamhaus","https://www.spamhaus.org/","Spamhaus_eDrop","https://www.spamhaus.org/drop/edrop.txt"
    ipv4,PRI1,"Talos-Snort","http://www.talosintelligence.com/","Talos_BL","http://talosintel.com/feeds/ip-filter.blf"
    

    For DNSBL, here are some of the better feeds:

    dnsbl,Malicious,"Abuse Ransomware Tracker","https://ransomwaretracker.abuse.ch/","Abuse_DOMBL","https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt"
    dnsbl,Malicious,"Abuse Zeus","https://zeustracker.abuse.ch/","Abuse_Zeus","https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist"
    dnsbl,Malicious,"Bambenek Consulting","https://bambenekconsulting.com/","BBC_C2","https://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt"
    dnsbl,Malicious,"dShield","https://www.dshield.org","dShield_SDH","https://www.dshield.org/feeds/suspiciousdomains_High.txt"
    dnsbl,Malicious,"Malc0de","https://malc0de.com","Malc0de","https://malc0de.com/bl/BOOT"
    dnsbl,Malicious,"Malware Domains","https://www.malwaredomains.com/","MDS","https://mirror1.malwaredomains.com/files/justdomains"
    dnsbl,Malicious,"Malware Domains","https://www.malwaredomains.com/","MDS_Immortal","http://mirror1.malwaredomains.com/files/immortal_domains.txt"
    dnsbl,Malicious,"Malware Domain List","https://www.malwaredomainlist.com/","MDL","https://www.malwaredomainlist.com/hostslist/hosts.txt"
    dnsbl,Malicious,"MVPS Hosts","http://winhelp2002.mvps.org/","MVPS","http://winhelp2002.mvps.org/hosts.txt"‎
    

    I suggest reviewing the main site URL and then decide which feeds are appropriate for your needs.

    Hope that helps!



  • This is very helpful actually.

    Thank you.



  • @BBcan177:

    There are no default feeds. You have to add the feeds that suit your needs.

    Here are some IPv4 feeds of malicious IPs. Can't guarantee if there are false positives, but they are the more professional lists available:

    CSV format:
    Type,Alias Name,Site URL,Header name, Feed URL

    ipv4,PRI1,"Abuse Dyre Blacklist","https://sslbl.abuse.ch/","Abuse_DYRE","https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.csv"
    ipv4,PRI1,"Abuse Ransomware Tracker","https://ransomwaretracker.abuse.ch/","Abuse_IPBL","https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt"
    ipv4,PRI1,"Abuse SSL Blacklist","https://sslbl.abuse.ch/","Abuse_SSLBL","https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv"
    ipv4,PRI1,"Abuse Zeus Tracker","https://zeustracker.abuse.ch/","Abuse_Zeus","https://zeustracker.abuse.ch/blocklist.php?download=badips"
    ipv4,PRI1,"Bambenek Consulting","https://www.bambenekconsulting.com/","BBC_C2","https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt"
    ipv4,PRI1,"CINSscore","http://cinsscore.com/","CINS","http://cinsscore.com/list/ci-badguys.txt"
    ipv4,PRI1,"Emerging Threats","https://www.proofpoint.com/us/products/et-intelligence","ET_Block","https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
    ipv4,PRI1,"Emerging Threats","https://www.proofpoint.com/us/products/et-intelligence","ET_Comp","https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
    ipv4,PRI1,"Internet Storm Center","https://isc.sans.edu/","ISC_1000","https://isc.sans.edu/api/sources/attacks/1000/"
    ipv4,PRI1,"Internet Storm Center","https://isc.sans.edu/","ISC_Block","https://isc.sans.edu/block.txt"
    ipv4,PRI1,"Spamhaus","https://www.spamhaus.org/","Spamhaus_Drop","https://www.spamhaus.org/drop/drop.txt"
    ipv4,PRI1,"Spamhaus","https://www.spamhaus.org/","Spamhaus_eDrop","https://www.spamhaus.org/drop/edrop.txt"
    ipv4,PRI1,"Talos-Snort","http://www.talosintelligence.com/","Talos_BL","http://talosintel.com/feeds/ip-filter.blf"
    

    For DNSBL, here are some of the better feeds:

    dnsbl,Malicious,"Abuse Ransomware Tracker","https://ransomwaretracker.abuse.ch/","Abuse_DOMBL","https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt"
    dnsbl,Malicious,"Abuse Zeus","https://zeustracker.abuse.ch/","Abuse_Zeus","https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist"
    dnsbl,Malicious,"Bambenek Consulting","https://bambenekconsulting.com/","BBC_C2","https://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt"
    dnsbl,Malicious,"dShield","https://www.dshield.org","dShield_SDH","https://www.dshield.org/feeds/suspiciousdomains_High.txt"
    dnsbl,Malicious,"Malc0de","https://malc0de.com","Malc0de","https://malc0de.com/bl/BOOT"
    dnsbl,Malicious,"Malware Domains","https://www.malwaredomains.com/","MDS","https://mirror1.malwaredomains.com/files/justdomains"
    dnsbl,Malicious,"Malware Domains","https://www.malwaredomains.com/","MDS_Immortal","http://mirror1.malwaredomains.com/files/immortal_domains.txt"
    dnsbl,Malicious,"Malware Domain List","https://www.malwaredomainlist.com/","MDL","https://www.malwaredomainlist.com/hostslist/hosts.txt"
    dnsbl,Malicious,"MVPS Hosts","http://winhelp2002.mvps.org/","MVPS","http://winhelp2002.mvps.org/hosts.txt"‎
    

    I suggest reviewing the main site URL and then decide which feeds are appropriate for your needs.

    Hope that helps!

    Of those lists, I'm struggling to find information about:
    https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
    https://malc0de.com/bl/BOOT

    http://winhelp2002.mvps.org/hosts.txt seems to be mostly about blocking advertisers, which isn't my goal. I do have local adblockers on our machines, but would like people to have the option to turn it off.

    The rest of the list seems fantastic

    Thanks for the recommendations


  • Moderator

    @moscato359:

    Of those lists, I'm struggling to find information about:
    https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt

    Check out the following link for BBC:
        http://osint.bambenekconsulting.com/manual/c2-ipmasterlist.txt



  • Hola BBcan!

    Quick q: How can I export all my blacklists (both DNSBL and IP) to CSV and reimport them if I evere have to wipe the config or do it from scratch?

    Thanks!


  • Moderator

    The pkg doesn't have that option. You could create another pfSense Box and use the XMLRPC Sync tab to copy the settings.

    The next version of the pkg will have a Feed Management Tab that will have auto-import capabilities…