DNSBL Weirdness
-
I enabled pfBlockerNG.
I enabled DNSBL. Doing so automatically added server:include: /var/unbound/pfb_dnsbl.conf to my custom section of DNS Resolver.
Thing is, when I check that file out with nano over ssh, the file is empty. I'm also not getting any alerts of anything being blocked.
I tried deleting the file, and running a force update and force reload, and it regenerated the file, again, empty.
Ideas?
-
Look at pfBlockerNG logs to see what's happening.
-
Did you enable any DNSBL feeds and/or EasyLists?
-
I thought there was a default dnsbl feed… Is this not the case?
Unfortunately, I can't just block easylist or easyprivacy, and be done with it.
I work for a public library, and we need to not censor content, but I'd like to block malware domains. Any suggestions?
-
There are no default feeds. You have to add the feeds that suit your needs.
Here are some IPv4 feeds of malicious IPs. Can't guarantee if there are false positives, but they are the more professional lists available:
CSV format:
Type,Alias Name,Site URL,Header name,Feed URL
ipv4,PRI1,"Abuse Dyre Blacklist","https://sslbl.abuse.ch/","Abuse_DYRE","https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.csv"
ipv4,PRI1,"Abuse Ransomware Tracker","https://ransomwaretracker.abuse.ch/","Abuse_IPBL","https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt"
ipv4,PRI1,"Abuse SSL Blacklist","https://sslbl.abuse.ch/","Abuse_SSLBL","https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv"
ipv4,PRI1,"Abuse Zeus Tracker","https://zeustracker.abuse.ch/","Abuse_Zeus","https://zeustracker.abuse.ch/blocklist.php?download=badips"
ipv4,PRI1,"Bambenek Consulting","https://www.bambenekconsulting.com/","BBC_C2","https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt"
ipv4,PRI1,"CINSscore","http://cinsscore.com/","CINS","http://cinsscore.com/list/ci-badguys.txt"
ipv4,PRI1,"Emerging Threats","https://www.proofpoint.com/us/products/et-intelligence","ET_Block","https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
ipv4,PRI1,"Emerging Threats","https://www.proofpoint.com/us/products/et-intelligence","ET_Comp","https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
ipv4,PRI1,"Internet Storm Center","https://isc.sans.edu/","ISC_1000","https://isc.sans.edu/api/sources/attacks/1000/"
ipv4,PRI1,"Internet Storm Center","https://isc.sans.edu/","ISC_Block","https://isc.sans.edu/block.txt"
ipv4,PRI1,"Spamhaus","https://www.spamhaus.org/","Spamhaus_Drop","https://www.spamhaus.org/drop/drop.txt"
ipv4,PRI1,"Spamhaus","https://www.spamhaus.org/","Spamhaus_eDrop","https://www.spamhaus.org/drop/edrop.txt"
ipv4,PRI1,"Talos-Snort","http://www.talosintelligence.com/","Talos_BL","http://talosintel.com/feeds/ip-filter.blf"
For DNSBL, here are some of the better feeds:
dnsbl,Malicious,"Abuse Ransomware Tracker","https://ransomwaretracker.abuse.ch/","Abuse_DOMBL","https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt"
dnsbl,Malicious,"Abuse Zeus","https://zeustracker.abuse.ch/","Abuse_Zeus","https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist"
dnsbl,Malicious,"Bambenek Consulting","https://bambenekconsulting.com/","BBC_C2","https://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt"
dnsbl,Malicious,"dShield","https://www.dshield.org","dShield_SDH","https://www.dshield.org/feeds/suspiciousdomains_High.txt"
dnsbl,Malicious,"Malc0de","https://malc0de.com","Malc0de","https://malc0de.com/bl/BOOT"
dnsbl,Malicious,"Malware Domains","https://www.malwaredomains.com/","MDS","https://mirror1.malwaredomains.com/files/justdomains"
dnsbl,Malicious,"Malware Domains","https://www.malwaredomains.com/","MDS_Immortal","http://mirror1.malwaredomains.com/files/immortal_domains.txt"
dnsbl,Malicious,"Malware Domain List","https://www.malwaredomainlist.com/","MDL","https://www.malwaredomainlist.com/hostslist/hosts.txt"
dnsbl,Malicious,"MVPS Hosts","http://winhelp2002.mvps.org/","MVPS","http://winhelp2002.mvps.org/hosts.txt"
I suggest reviewing the main site URL and then decide which feeds are appropriate for your needs.
Hope that helps!
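An added illustration (my example code, not part of the original thread and not pfBlockerNG's own code): the DNSBL feeds listed above arrive in three layouts, hosts-file lines (MDL, MVPS), one domain per line (justdomains, RW_DOMBL) and BIND boot-file lines (the malc0de BOOT list). The script parses a constructed sample of each, drops localhost entries and malformed names, removes a suppression (whitelist) set so a library can keep specific sites reachable, and emits the local-zone/local-data pairs that unbound reads from an include such as pfb_dnsbl.conf. The 10.10.10.1 sink address and the exact include layout are assumptions based on older package releases. With no feeds configured the output is empty, which is the symptom in the first post.

```python
import re

# Sinkhole address the block entries resolve to. pfBlockerNG uses a DNSBL
# virtual IP (10.10.10.1 by default); that default is an assumption here.
SINK_IP = "10.10.10.1"

# Constructed sample feed bodies (not real feed content), one per layout the
# lists above use: hosts-file (MDL, MVPS), plain domain-per-line
# (justdomains, RW_DOMBL) and BIND boot-file style (malc0de BOOT).
HOSTS_STYLE = """\
# hosts-file style: <ip> <domain>
127.0.0.1 localhost
127.0.0.1 malicious-example.test
0.0.0.0   another-bad.example  # trailing comment
"""
PLAIN_STYLE = """\
# one domain per line
bad-c2.example
Mixed-Case.Example
bad-c2.example
not a domain!
"""
BOOT_STYLE = """\
// boot-file style: PRIMARY <domain> blockeddomain.hosts
PRIMARY evil.example blockeddomain.hosts
PRIMARY dropper.example blockeddomain.hosts
"""

# Labels start and end alphanumeric, at most 63 chars, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def extract_domains(feed_text):
    """Return the set of valid, lower-cased domains found in one feed body."""
    found = set()
    for raw in feed_text.splitlines():
        line = re.split(r"#|//", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "PRIMARY" and len(tokens) >= 2:          # boot-file style
            candidate = tokens[1]
        elif tokens[0] in ("127.0.0.1", "0.0.0.0") and len(tokens) >= 2:  # hosts style
            candidate = tokens[1]
        else:                                                           # plain list
            candidate = tokens[0]
        candidate = candidate.lower().rstrip(".")
        if candidate in LOCAL_NAMES or not DOMAIN_RE.match(candidate):
            continue
        found.add(candidate)
    return found


def build_dnsbl(feeds, suppress=(), sink=SINK_IP):
    """Merge feeds, drop suppressed (whitelisted) domains, emit unbound lines.

    The local-zone redirect + local-data pair is the layout assumed for the
    package's DNSBL include file; adjust if your release differs.
    """
    domains = set()
    for body in feeds:
        domains |= extract_domains(body)
    domains -= {d.lower() for d in suppress}
    lines = []
    for d in sorted(domains):
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {sink}"')
    return lines


def render_include(lines):
    """Text of a pfb_dnsbl.conf-style include; no feeds means an empty file."""
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    out = build_dnsbl([HOSTS_STYLE, PLAIN_STYLE, BOOT_STYLE],
                      suppress=["Mixed-Case.Example"])
    print(render_include(out))
```

Run it as-is to see the generated include; swap the constructed bodies for downloaded feed files to check what a given list would actually sinkhole before enabling it on a box where over-blocking matters.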
-
This is very helpful actually.
Thank you.
-
Of those lists, I'm struggling to find information about:
https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
https://malc0de.com/bl/BOOT
http://winhelp2002.mvps.org/hosts.txt seems to be mostly about blocking advertisers, which isn't my goal. I do have local adblockers on our machines, but would like people to have the option to turn it off.
The rest of the list seems fantastic
Thanks for the recommendations
-
Of those lists, I'm struggling to find information about:
https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Check out the following link for BBC:
http://osint.bambenekconsulting.com/manual/c2-ipmasterlist.txt
-
Hola BBcan!
Quick q: How can I export all my blacklists (both DNSBL and IP) to CSV and reimport them if I ever have to wipe the config or do it from scratch?
Thanks!
-
The pkg doesn't have that option. You could create another pfSense Box and use the XMLRPC Sync tab to copy the settings.
The next version of the pkg will have a Feed Management Tab that will have auto-import capabilities…
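Since the package had no export at the time, here is an added example (my code, not the package's) of doing it from a pfSense config.xml backup, which is where the feed definitions live: it flattens each DNSBL/IPv4/IPv6 alias row into the same column layout used in the feed list earlier in the thread, writes CSV, reads it back, and flags feeds fetched over plain HTTP. The element names (installedpackages/pfblockerngdnsbl/config/row/url etc.) and the sample XML are assumptions reconstructed from memory of the package's config layout; verify them against a backup of your own box before relying on this.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a pfSense config.xml backup.
# Element names are assumed (check against a real backup); values are made up.
SAMPLE_CONFIG_XML = """<pfsense>
  <installedpackages>
    <pfblockerngdnsbl>
      <config>
        <aliasname>Malicious</aliasname>
        <description>Malware domains</description>
        <row>
          <format>auto</format>
          <state>Enabled</state>
          <url>https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt</url>
          <header>Abuse_DOMBL</header>
        </row>
        <row>
          <format>auto</format>
          <state>Disabled</state>
          <url>http://mirror1.malwaredomains.com/files/immortal_domains.txt</url>
          <header>MDS_Immortal</header>
        </row>
      </config>
    </pfblockerngdnsbl>
    <pfblockerngipv4>
      <config>
        <aliasname>PRI1</aliasname>
        <description>Malicious IPs</description>
        <row>
          <format>auto</format>
          <state>Enabled</state>
          <url>https://www.spamhaus.org/drop/drop.txt</url>
          <header>Spamhaus_Drop</header>
        </row>
      </config>
    </pfblockerngipv4>
  </installedpackages>
</pfsense>
"""

# Feed type -> assumed config.xml section name under <installedpackages>.
SECTIONS = {"dnsbl": "pfblockerngdnsbl", "ipv4": "pfblockerngipv4", "ipv6": "pfblockerngipv6"}
COLUMNS = ["Type", "Alias Name", "Description", "State", "Header name", "Feed URL"]


def export_feeds(config_xml):
    """Flatten every feed row of every alias into dicts keyed by COLUMNS."""
    root = ET.fromstring(config_xml)
    rows = []
    for feed_type, section in SECTIONS.items():
        for alias in root.iterfind(f"./installedpackages/{section}/config"):
            name = alias.findtext("aliasname", "")
            desc = alias.findtext("description", "")
            for row in alias.iterfind("row"):
                rows.append({
                    "Type": feed_type,
                    "Alias Name": name,
                    "Description": desc,
                    "State": row.findtext("state", ""),
                    "Header name": row.findtext("header", ""),
                    "Feed URL": row.findtext("url", ""),
                })
    return rows


def to_csv(rows):
    """CSV text with a header row; every field quoted, as in the thread's lists."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, quoting=csv.QUOTE_NONNUMERIC)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def from_csv(text):
    """Parse the CSV back into the same list of dicts (for a later re-import)."""
    return list(csv.DictReader(io.StringIO(text)))


def insecure_feeds(rows):
    """Feed URLs fetched over plain HTTP: the list itself could be altered in transit."""
    return [r["Feed URL"] for r in rows if r["Feed URL"].lower().startswith("http://")]


if __name__ == "__main__":
    exported = export_feeds(SAMPLE_CONFIG_XML)
    print(to_csv(exported))
    for url in insecure_feeds(exported):
        print("plain-HTTP feed:", url)
```

Point export_feeds at the text of a real Diagnostics > Backup & Restore download and keep the CSV with your other config backups. The insecure_feeds check is worth running over any list you adopt: a few of the URLs in the feed list above are plain http, and a block list that can be modified in transit is a way for an attacker to add or remove domains on your resolver, so prefer the https form of a feed wherever the publisher offers one.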