Peculiar pfblockerng / tld blocklist & whitelist behavior



  • I have been running pfsense for a while and am quite happy with the setup. I am testing TLD blacklist/whitelist and running into a setup issue.

    Summary of post = TLD blacklist: io && TLD whitelist: mkdocs.github.io does not work. WAI?

    pfsense: 2.4.5-RELEASE, pfblockerng: pfBlockerNG-devel 2.2.5_30
    DNSBL: enable
    TLD: enable
    All IP and DNSBL lists disabled
    TLD blacklist: io
    TLD whitelist: tried both github.io and mkdocs.github.io

    Expected result: I thought mkdocs.github.io/mkdocs/ would work for one of the whitelist combinations. It does not.

    Workaround = If I add github.io to the blocklist with io it works.
    Workaround 2 = I could add pi-hole which supports regex based exclude and include patterns.

    • Question 1 - is this working as intended? Note, github.io and mkdocs.github.io resolve to the same addresses
    • Question 2 - is there a way to block an entire domain while permitting a wildcarded subdomain like *.github.io and ..github.io? Is there a different way that doesn't require a force reload for every whitelist change?

    Thank you for your help.



  • Another example for the *.io domain. I can't find any combination of rules that enables access to ix.cnn.io. Even with the workaround attempt of adding cnn.io to the blacklist, I get a DNSBL_TLD entry in the alerts.

    Does this issue sound familiar to others?
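
The precedence both posts above are asking for (block a whole TLD, then re-allow one name underneath it) can be written directly in Unbound, which is the resolver pfSense uses. Unbound answers a query from the closest-enclosing local-zone, so a more specific zone of type transparent overrides the TLD zone's always_nxdomain. The following is an added example, not configuration from the original posts or from pfBlockerNG; the names are the ones from this thread, and it is an assumption that these lines go under Services > DNS Resolver > Custom options and do not collide with a zone pfBlockerNG's own TLD include already declares for io (if it does, keep only the transparent lines).

```conf
# Added example (not from the original posts or from pfBlockerNG).
# Unbound looks up the closest-enclosing local-zone for a query name,
# so the type of the most specific zone wins over the TLD zone's type.
server:
  # Block every name under .io with NXDOMAIN (the TLD-level block).
  local-zone: "io." always_nxdomain

  # Re-allow only the names this thread needed. "transparent" with no
  # local data for the name means: resolve it normally upstream.
  local-zone: "mkdocs.github.io." transparent
  local-zone: "ix.cnn.io." transparent

  # Allowing one level up instead would open all of github.io, which is
  # the other combination tried in the first post:
  # local-zone: "github.io." transparent
```

Check the file with unbound-checkconf, then compare a query for mkdocs.github.io against one for some other name under io (for example with drill or dig against 127.0.0.1): the first should return NOERROR with an answer, the second NXDOMAIN. Because this is Unbound's own zone precedence rather than a list entry, changing an allowed name is a resolver restart, not a pfBlockerNG force reload; whether that fits alongside DNSBL's generated includes is something to verify on the box.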



  • In the end I disabled tld blocking since it led to many issues allowing certain sites with their own subdomains. I am maintaining a blocklist of individual sites. This is more effort but more reliable for use.

