Can I block IPs of my DNS-based lists?



  • New to DNSBL/pfBlocker. I'm wondering if there's a reality I have to live with regarding limitations of pfBlocker or if I'm missing a piece here that can help.

    Kind of going off of https://forum.netgate.com/topic/105728/content-filtering-https-without-a-proxy/13 a little bit, but I have DNS blacklists in and some IP blacklists set up. In my testing, I blocked a site using DNS and it gets blocked, but when I put the IP it would normally resolve to into my HOSTS file, boom, I'm there like it's not on my blacklist.

    So I understand that I just said I'm blocking by DNS and HOSTS gets around needing to resolve addresses. Is the answer just as simple as me needing to add IPs to a blacklist of sites I really really want blocked or is there some solution that will allow whatever IPs that the websites in my DNSBL lists resolve to to also be blocked?

    I also run other enterprise firewalls, like the person in that other post, and I'm not blocking things there specifically by DNS, though I add domain names to a block list, but the systems block me even though all my clients resolve the normal public IPs of the sites I'm blocking.

    Would I need to script something to create an IP block list containing the IPs of the websites listed in my DNS blacklists, for the ones that get missed in my IP lists? Would that be my only option besides going manual with it for specific sites? Or maybe there's a nifty checkbox in pfBlocker that I'm missing!!!



  • There have been a few newbies wanting such a feature without making any contributions to pfBlockerNG's development. What I don't understand is, if one already blocks domains by a DNSBL blocklist, that should be good enough. I personally have never checked an IP address of any domain I blocked because I have no such blocklist. All the DNSBL feeds I have are predetermined, and I have no desire to visit or check any IP or domain associated with those feeds.

    You can create a firewall alias of all the IPs of the domains you blocked and add it to a floating block rule with direction out.



  • Automatically?



  • @mh13 said in Can I block IPs of my DNS-based lists?:

    Automatically?

    That's the feature we're waiting on you to develop.

