Netgate Discussion Forum
    Can I block IPs of my DNS-based lists?

    pfBlockerNG
    4 Posts 2 Posters 541 Views
      mh13

      New to DNSBL/pfBlocker. I'm wondering if there's a reality I have to live with regarding limitations of pfBlocker or if I'm missing a piece here that can help.

      Kind of going off of https://forum.netgate.com/topic/105728/content-filtering-https-without-a-proxy/13 a little bit, but I have DNS blacklists in and some IP blacklists set up. In my testing, I've blocked a site using DNS, it gets blocked, but I put the IP it would normally resolve to into my HOSTS file, and boom, I'm there like it's not on my blacklist.

      So I understand that I just said I'm blocking by DNS and HOSTS gets around needing to resolve addresses. Is the answer just as simple as me needing to add IPs to a blacklist of sites I really really want blocked or is there some solution that will allow whatever IPs that the websites in my DNSBL lists resolve to to also be blocked?

      I also run other enterprise firewalls, like the person in that other post, and I'm not blocking things there specifically by DNS, though I add domain names to a block list, but the systems block me even though all my clients resolve the normal public IPs of the sites I'm blocking.

      Would I need to script something to create an IP block list containing the IPs of the websites listed in my DNS blacklists, for the ones that get missed in my IP lists? Would that be my only option besides going manual with it for specific sites? Or maybe there's a nifty checkbox in pfBlocker that I'm missing!!!

        NollipfSense

        There have been a few newbies wanting such a feature without making any contributions to pfBlockerNG's development. What I don't understand is, if one already blocks domains by a DNSBL blocklist, that should be good enough. I personally have never checked an IP address of any domain I blocked because I have no such blocklist. All the DNSBL feeds I have are predetermined, and I have no desire to visit or check any IP or domain associated with those feeds.

        You can create a firewall alias of all the IPs of the domains you blocked and add it to a floating block rule with direction out.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

          mh13
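mh13 asks whether the IPs behind DNSBL domains can be turned into an IP block list, and NollipfSense points at an alias used in a floating outbound block rule. The following added Python script (not pfBlockerNG, pfSense or Netgate code) sketches the step in between: it reads a DNSBL feed, resolves each domain, drops sinkhole answers, and sets aside IPs that answer for many listed domains, since blocking a shared CDN address also blocks every legitimate site behind it. The feed contents and DNS answers are constructed so that it runs offline.

```python
"""Added example, not pfBlockerNG code: resolve DNSBL feed domains into an IPv4
list for a pfSense alias, dropping sinkhole answers, flagging shared (CDN) IPs."""
import ipaddress
import socket
# Answers in these ranges are sinkholes or LAN space, never block targets.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_dnsbl(text):
    """Yield domains from plain, hosts ('0.0.0.0 dom') or unbound local-zone lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            parts = line.replace('"', " ").split()
            domain = parts[1] if parts[0] == "local-zone:" else parts[-1]
            yield domain.rstrip(".").lower()

def resolve_ipv4(domain):
    """Live DNS: current IPv4 answers for a domain, empty set if it does not resolve."""
    try:
        return {i[4][0] for i in socket.getaddrinfo(domain, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def build_alias(text, resolver=resolve_ipv4, max_shared=5):
    """Return (block, review); an IP serving more than max_shared listed domains is only reviewed."""
    domains_for = {}
    for domain in set(parse_dnsbl(text)):
        for ip in resolver(domain):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in SINKHOLE_NETS):
                domains_for.setdefault(addr, set()).add(domain)
    block = [str(a) for a in sorted(domains_for) if len(domains_for[a]) <= max_shared]
    review = [str(a) for a in sorted(domains_for) if len(domains_for[a]) > max_shared]
    return block, review

# Constructed sample feed and DNS answers so the example runs offline.
SAMPLE_FEED = """# constructed feed
0.0.0.0 ads.example.test
tracker.example.test.
local-zone: "malware.example.test" redirect
sinkholed.example.test
"""
FAKE_DNS = {"ads.example.test": {"203.0.113.10", "203.0.113.11"},
            "tracker.example.test": {"203.0.113.11"},
            "malware.example.test": {"198.51.100.7"},
            "sinkholed.example.test": {"0.0.0.0"}}

if __name__ == "__main__":
    block, review = build_alias(SAMPLE_FEED, lambda d: FAKE_DNS.get(d, set()), 1)
    print("\n".join(block), "\nshared IPs to review before blocking:", review)
```

With the real resolver, re-run the script on a schedule and point a URL-table alias at its output, because the addresses behind a domain change over time.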

          Automatically?

            NollipfSense @mh13

            @mh13 said in Can I block IPs of my DNS-based lists?:

            Automatically?

            That's the feature we're waiting on you to develop.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.