Blacklisting ALL domains and whitelist a selected few domains with pfBlockerNG



  • Hi everybody!

    I have some basic questions about pfBlockerNG. Somehow I could not find any information regarding my questions. Let me describe first my problem and what I would like to achieve:

    I have a pfSense firewall and a separate network segment (IP range and VLAN) dedicated to my multimedia devices only - TV sets, Blu-Ray players, NAS with content, etc. Until now there was no internet access necessary for those devices. All access to the internet was blocked by my pfSense firewall (pfSense 2.4.3). I used the devices primarily for local video streaming within my network (DLNA) and watching DVDs and Blu-Rays. Now I want to use Netflix (and maybe other TV streaming services later), so I have to grant some of the devices access to the internet. Selective access per device is not a problem, every device has a static DHCP lease. HOWEVER, it appears that some devices (a Samsung TV and a Samsung Blu-Ray player) really like to phone home. I sniffed the network traffic and there already is a flurry of DNS requests for dozens of domains just when turning on the device(s). Most domains appear to be Samsung-owned, but "old friends" like doubleclick were also present. I would rather my devices not talk behind my back to anybody. Not after all those reports about "smart" devices transmitting spoken words and camera feeds back to the respective makers. Call me old-fashioned or paranoid, but that's me.  ;D

    My first attempt was to only allow (whitelist) outgoing IP-Traffic to the IP addresses belonging to the AS numbers of Netflix and block everything else. However, this didn't work. My ISP obviously has one of those Netflix caching boxes installed in his data center (which is nice). This box has an IP address in my provider's netblock but a Netflix DNS name. Of course, I could hand-pick all necessary IP addresses. But then I would have to debug and manually change firewall rules constantly, whenever Netflix or my ISP change something. Moreover, some time ago Netflix started using Amazon AWS. Netflix IPs can be anywhere in Amazon's huge IP range today and are (as far as I understand it) quite dynamic (i.e. change on short notice). I don't want to whitelist all of AWS - ad companies and trackers also use those. I realized that controlling access to Netflix at the IP layer alone will not work. On to domain name filtering…

    Next I stumbled upon pfBlockerNG. From the description I read it is possible to blacklist selected domains. Is it also possible to blacklist all domains and whitelist only a handful of needed domains? All tutorials and descriptions I found only use the blacklist approach (allow everything, block the bad guys). I want to do the opposite (block everything, allow only the good guys). Unfortunately I have no idea how to go about it.  :( The TLD feature looks promising, but I do not quite understand that. An extra level of complexity comes from the fact that I want the domain filtering for my multimedia VLAN only - not for any other network.

    On one hand I would appreciate if somebody could point me to a ready-made solution for my problem ("Check this box, then this, enter your whitelist domains there, click save, done"). On the other hand I really like to understand the stuff I do. There are a number of general things I do not yet understand about pfBlockerNG:

    Is pfBlockerNG really the right tool to achieve what I want (blacklist all domains, whitelist selectively)? Or should I go look at some other solution? Maybe Squid? Maybe a more lightweight approach using some type of aliases?

    How does pfBlockerNG integrate with other components of pfSense? I understand that using DNSBL causes the unbound DNS resolver (which I already have in use) somehow to lie about DNS results. Some configurations cause the automatic creation of firewall rules. As of now I have no idea how those things work together to achieve a certain goal.

    What is the relationship between "normal" aliases for the firewall (described here: https://doc.pfsense.org/index.php/Aliases) and aliases in the context of pfBlockerNG? Are they the same or a different kind of beast?

    I would appreciate any kind of input: About pfBlockerNG being the right tool (or not), about solving my specific problem at hand (whitelisting Netflix domains using pfBlockerNG or some other functionality of pfSense) and about the functionality and integration of pfBlockerNG in general (I am always eager to learn).

    Thanks in advance
    Andy

    PS: I am comfortable SSHing into my firewall and adding/changing files, if this is necessary.

    EDIT 1: To clarify… I would like to whitelist 2nd level domains. Like *.example.com. Not complete FQDNs like some.example.com. There are a LOT of different domain names involved when watching Netflix - but only a handful of 2nd level domains.



  • Another solution might be to use Snort's AppID feature.  I had it turned on for a while but they had predefined rules for Netflix traffic.



  • Have you accomplished what you were looking for?
    I am kinda in the same boat as you.



  • We used to have a working implementation like this using Squid. The only trick was to put a period in the blacklist box - this apparently is the wildcard for squid to block all. In the white list box we listed out all the allowed domains. Worked like a charm, however this was before HTTPS became so prevalent. We were not doing HTTPS inspection at the time, so all HTTPS traffic was unfiltered and ultimately led us to do category blocking using Umbrella (OpenDNS) instead.



  • Hi everybody,

    I found indeed a solution to my problem and would like to share it here. It is not perfect, but what in this world is? ☺

    My solution does not directly use pfSense. pfSense is only used to ...
    a) configure a special DNS server address for selected DHCP clients (smart TVs and the like)
    b) block access to the (uncensored) DNS resolver running on pfSense from said clients using the firewall

    The special standalone DNS server (a Raspberry Pi in my case) runs the dnsmasq service. dnsmasq has two very handy configuration options. The magic incantations are the "server" directive and the "address" directive. (Note: One could also run dnsmasq on pfSense - but in my setup I already use unbound on pfSense and didn't want to risk messing with everybody else's DNS resolution just for this.)

    With the server directive one can specify an address which we want to be resolved by a certain DNS server. The trick here: '#' as the target resolver means "use your configured standard server to forward the request to". Meaning: resolve normally. In my case for Netflix I have:

    server=/netflix.com/#
    server=/netflix.ch/#
    server=/nflxext.com/#
    server=/nflximg.com/#
    server=/nflximg.net/#
    server=/nflxvideo.net/#
    server=/nflxso.net/#
    server=/netflix/#
    server=/cloudfront.net/#
    server=/d179kwmlpc4o47.cloudfront.net/#
    server=/d2s336w63pl2vv.cloudfront.net/#

    (the details seem to depend on geographic location - note I have a blanket "allow" for all of cloudfront.net here - the cloudfront host names are not necessarily stable)

    The "address" option can then be used to implement the "DNS black hole" functionality:

    address=/#/192.168.x.y

    - OR -

    address=/#/

    The first version makes dnsmasq return a fixed (fake) IP address for any DNS request not whitelisted using a server directive. The second returns NXDOMAIN instead of a wrong IP. I use the first. Look at the manpages of dnsmasq and dnsmasq.conf for details!

    For some of my "smart" devices to function, I need to allow additional domains. One Samsung TV for example needs access to the domain time.samsungcloudsolution.com (among others). Otherwise it will not believe that it has internet access and will simply refuse to start the Netflix app - stupid "smart" thing!!

    My solution kind of works, but adding a new "smart" device is always a hassle. And if you want to use another video streaming service, you have to find out the necessary domains to whitelist first.

    This is the solution I am using. I hope this will help someone.
    Andy
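
Added example, not part of the original post: a small Python model of the dnsmasq whitelist described above, for checking which sniffed DNS names a set of server=/…/# lines would forward and which would fall through to the address=/#/ sinkhole. It assumes suffix matching on whole labels with the most specific match winning; the config excerpt, the query names and the 192.0.2.1 sinkhole address are constructed for illustration.

```python
# Added example: models the whitelist-or-sinkhole decision described in the post.
# CONFIG is a constructed, shortened sample; 192.0.2.1 is a placeholder sinkhole.
CONFIG = """\
server=/netflix.com/#
server=/nflxvideo.net/#
server=/cloudfront.net/#
server=/time.samsungcloudsolution.com/#
address=/#/192.0.2.1
"""

# Constructed query names, standing in for names seen while sniffing a device.
QUERIES = [
    "www.netflix.com", "notnetflix.com", "ad.doubleclick.net",
    "d111example.cloudfront.net", "time.samsungcloudsolution.com",
    "log.samsungcloudsolution.com",
]

def parse(conf):
    """Return (whitelisted domains, sinkhole target or None) from dnsmasq lines."""
    allowed, sinkhole = set(), None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, _, value = line.partition("=")
        parts = value.split("/")
        if len(parts) < 3:
            continue  # not a /domain/target style directive
        domains, target = parts[1:-1], parts[-1]
        if key == "server" and target == "#":
            allowed.update(d.lower().rstrip(".") for d in domains)
        elif key == "address" and domains == ["#"]:
            # Empty target is the NXDOMAIN variant the post mentions.
            sinkhole = target or "NXDOMAIN"
    return allowed, sinkhole

def decide(qname, allowed, sinkhole):
    """Most specific whitelisted suffix on a label boundary wins, else sinkhole."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in allowed:
            return ("forward", suffix)
    return ("sinkhole", sinkhole) if sinkhole else ("forward", None)

def audit(conf, queries):
    allowed, sinkhole = parse(conf)
    return {q: decide(q, allowed, sinkhole) for q in queries}

if __name__ == "__main__":
    for name, (action, why) in audit(CONFIG, QUERIES).items():
        print(f"{name:32} {action:9} {why}")
```

Running it over a capture of a device's start-up queries shows how much a blanket entry such as cloudfront.net lets through compared with a host-level entry such as time.samsungcloudsolution.com.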