Peculiar pfblockerng / tld blocklist & whitelist behavior

  • I have been running pfSense for a while and am quite happy with the setup. I am testing TLD blacklist/whitelist and running into a setup issue.

    Summary of post = TLD blacklist: io && TLD whitelist: does not work. WAI?

    pfSense: 2.4.5-RELEASE, pfBlockerNG: pfBlockerNG-devel 2.2.5_30
    DNSBL: enabled
    TLD: enabled
    All IP and DNSBL lists disabled
    TLD blacklist: io
    TLD whitelist: tried both and

    Expected result: I thought would work for one of the whitelist combinations. It does not.

    Workaround = If I add to the blocklist with io it works.
    Workaround 2 = I could add Pi-hole, which supports regex-based exclude and include patterns.

    • Question 1 - is this working as intended? Note, and resolve to the same addresses.
    • Question 2 - is there a way to block an entire domain while permitting a wildcarded subdomain like * and Is there a different way that doesn't require a force reload for every whitelist change?

    Thank you for your help.
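To make Question 2 concrete, here is an added example (not from this thread and not pfBlockerNG's own code) that models the policy the poster expects: the most specific matching suffix decides, so a whitelisted subdomain and everything under it stays reachable even though its TLD is blocked. The list entries and hostnames are constructed for illustration; it also shows why the match must be label-based, since a plain string suffix check would let "notallowed.io" ride on a whitelist entry for "allowed.io".

```python
# Constructed example: suffix-based block/allow decision with most-specific-match-wins.
# Entries and hostnames below are made up; they are not the poster's real lists.

def normalize(name: str) -> list[str]:
    """Split a hostname into lowercase labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")

def best_match(name: str, entries: list[str]) -> int:
    """Label count of the most specific entry that is name itself or a parent suffix of it.

    Returns 0 when nothing matches. Matching is done on whole labels, so the
    entry 'allowed.io' matches 'www.allowed.io' but not 'notallowed.io'.
    """
    labels = normalize(name)
    best = 0
    for entry in entries:
        e = normalize(entry)
        if len(e) <= len(labels) and labels[-len(e):] == e:
            best = max(best, len(e))
    return best

def decide(name: str, blocklist: list[str], whitelist: list[str]) -> str:
    """Return 'block' or 'allow'. The more specific list entry wins; ties go to the whitelist."""
    b = best_match(name, blocklist)
    w = best_match(name, whitelist)
    if b == 0:
        return "allow"        # no block entry covers this name at all
    if w >= b:
        return "allow"        # a whitelist entry is at least as specific as the block
    return "block"

if __name__ == "__main__":
    BLOCK = ["io"]            # the TLD block from the post
    ALLOW = ["allowed.io"]    # constructed whitelist entry
    for host in ["www.allowed.io", "allowed.io", "other.io", "notallowed.io", "example.com"]:
        print(f"{host:20s} -> {decide(host, BLOCK, ALLOW)}")
```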

  • Another example for the *.io domain. I can't find any combination of rules that enables access to Even with the workaround attempt adding to the blacklist I get a DNSBL_TLD entry in the alerts.

    Does this issue sound familiar to others?

  • In the end I disabled TLD blocking since it led to many issues allowing certain sites with their own subdomains. I am maintaining a blocklist of individual sites. This is more effort but more reliable for use.

