Netgate Discussion Forum

Custom DNSBL block list for specific hosts

Posted in pfBlockerNG. 13 Posts, 3 Posters, 3.1k Views
tinfoilmatt @Zhigre, Dec 2, 2023, 12:47 AM (last edited by tinfoilmatt Dec 2, 2023, 12:48 AM)

@Zhigre forgive me in advance for only brainstorming with you here—but i think i literally just now might have thought of a way for you to accomplish this (albeit slightly unintuitively):

Firewall / Aliases / IP
Create a "Network" type alias (not a "Host" type) and specify any/all IP addresses of your son's devices one-by-one in CIDR notation, i.e., [IPv4 address]/32 and [IPv6 address]/128. Do not use "pfB_" in the alias name.

Firewall / pfBlockerNG / IP (not DNSBL)
1.) create two separate IP feed groups, one for IPv4 and one for IPv6—the rest of this list applies the same for both.

2.) Action set to "Deny Outbound"

3.) Update Frequency set to "Every Hour"

4.) under the Advanced Outbound Firewall Rule Settings section, tick the Custom Source "Enable" checkbox, and type the name of the Network-type alias you created into the Custom Source box. (you'll know it was created properly if auto-complete appears.) Custom Protocol must be set to TCP/UDP.

5.) enter your list of domains into the respective IPv4 Custom_List and IPv6 Custom_List boxes. check the "Enable Domain/AS" checkbox.

6.) Force Update | Reload

this will basically use pfB to resolve your list of domains to IPs, and then make use of the Firewall 'Auto' Rule function to create a floating firewall rule blocking any traffic sourced from your son's devices destined to said resolved IPs. (make sure to review the Firewall / pfBlockerNG / IP / "IP Interface/Rules Configuration" section to confirm it's configured as desired.) check your ruleset following the Reload to confirm.

update with any snags you hit, and/or screencaps of the custom IP Feed Groups and floating firewall rule if everything takes but doesn't seem to be working as intended.

SteveITS (Galactic Empire) @Zhigre, Dec 2, 2023, 1:38 AM

@Zhigre some brainstorming:

Use parental controls; MS and Apple are pretty good at that (Windows needs an MS account and Edge).

PfB has a poorly named “group policy” box:
“This is a preliminary DNSBL Group Policy configuration that will bypass DNSBL for the defined LAN IPs. (No Subnets allowed)”
So, block all and bypass for not-your-son.

IPv6 uses temp addresses, making it difficult to identify one device.

IT savvy kids can set a static/different IP.

PfBlocker can create aliases by ASN to contain all IPs for a company.

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

tinfoilmatt @SteveITS, Dec 2, 2023, 1:52 AM

@SteveITS said in Custom DNSBL block list for specific hosts:

IT savvy kids can set a static/different IP.

good point.

@SteveITS said in Custom DNSBL block list for specific hosts:

PfBlocker can create aliases by ASN to contain all IPs for a company.

it can also resolve domains to IPs using the same function.

SteveITS (Galactic Empire) @tinfoilmatt, Dec 2, 2023, 2:08 AM

@cyberconsultants said in Custom DNSBL block list for specific hosts:

it can also resolve domains to IPs using the same function.

pfSense can do that too without pfB, but overall it depends upon the IP not frequently changing. In any case it’s not necessarily a straightforward problem/solution.

I believe Unbound also has “views” if OP can figure it out.

I was not excited about using MS/Edge, but one can block other programs/browsers and lock Edge down pretty well.


tinfoilmatt @SteveITS, Dec 2, 2023, 2:19 AM

@SteveITS said in Custom DNSBL block list for specific hosts:

pfSense can do that too without pfB

ah, true. so you really could do this entirely without pfB.

but overall it depends upon the IP not frequently changing.

the interval for alias FQDN re-resolution is not specified ("FQDN hostnames are periodically re-resolved and updated."); would have to go digging for that specific answer.

but if it's greater than an hour, i guess maybe therein lies one advantage of using pfB over aliases + manual firewall rule: pfB can be set to update every hour (with it then automatically creating the rule/s being another).

Zhigre @SteveITS, Dec 2, 2023, 2:21 AM
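To make the six-step recipe in tinfoilmatt's first post concrete, and to show why the "IP not frequently changing" caveat in the exchange above matters, here is an added Python example; it is not code from this thread, from pfBlockerNG or from pfSense. It models in plain pf(4) ruleset text what the recipe asks pfB to do (resolve a domain list to IPs, put them in per-family tables, and emit a floating "Deny Outbound" TCP/UDP rule sourced from the devices alias), and diffs two successive resolutions to show what a stale table gets wrong between updates. All device addresses, domain names and resolver answers are constructed; the table names, the rule label and the rule's lack of an interface binding are this example's own approximation, not pfB's exact auto rule.

```python
# Added example (not from the forum thread, pfBlockerNG or pfSense).
# Models the recipe above as plain pf(4) ruleset text and shows the effect of
# resolved addresses changing between updates. Every address, domain name and
# resolver answer here is constructed for illustration.
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed: contents of the Network-type alias (one /32 or /128 per device).
SON_DEVICES = ["192.0.2.20/32", "192.0.2.21/32", "2001:db8::20/128"]

# Constructed: the custom domain list and the answers a resolver returned now.
RESOLVED_HOUR_0 = {
    "games.example": ["203.0.113.10", "203.0.113.11", "2001:db8:1::10"],
    "video.example": ["198.51.100.7"],
}
# Constructed: the same list one update interval later; games.example moved.
RESOLVED_HOUR_1 = {
    "games.example": ["203.0.113.12", "2001:db8:1::10"],
    "video.example": ["198.51.100.7"],
}


def _family_key(ip: str):
    # Sort key that keeps IPv4 and IPv6 comparable in one list.
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


def alias_entries(cidrs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Validate alias entries: each must be a single host (/32 or /128), as the
    recipe relies on per-device entries. Returns (ipv4, ipv6) lists."""
    v4, v6 = [], []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{entry}: alias entry must be a single host (/32 or /128)")
        (v4 if net.version == 4 else v6).append(str(net))
    return sorted(v4, key=ipaddress.ip_network), sorted(v6, key=ipaddress.ip_network)


def resolved_tables(resolved: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Flatten resolver answers into deduplicated per-family host lists, the way
    the separate IPv4 and IPv6 feed groups end up as separate pf tables."""
    v4, v6 = set(), set()
    for answers in resolved.values():
        for ip in answers:
            addr = ipaddress.ip_address(ip)
            (v4 if addr.version == 4 else v6).add(str(addr))
    return sorted(v4, key=ipaddress.ip_address), sorted(v6, key=ipaddress.ip_address)


def build_ruleset(devices: Iterable[str], resolved: Dict[str, List[str]]) -> str:
    """Emit pf tables plus one floating block rule per address family.
    Assumption: a 'block out quick' rule without 'on <if>' stands in for pfB's
    floating auto rule; the real rule's interface binding and label may differ."""
    dev4, dev6 = alias_entries(devices)
    dst4, dst6 = resolved_tables(resolved)
    lines = [
        f"table <son_devices_v4> {{ {' '.join(dev4)} }}",
        f"table <son_devices_v6> {{ {' '.join(dev6)} }}",
        f"table <custom_block_v4> {{ {' '.join(dst4)} }}",
        f"table <custom_block_v6> {{ {' '.join(dst6)} }}",
        # Action = Deny Outbound, Custom Protocol = TCP/UDP, Custom Source = alias
        "block out quick inet proto { tcp udp } from <son_devices_v4> "
        "to <custom_block_v4> label \"custom_block_v4 auto rule\"",
        "block out quick inet6 proto { tcp udp } from <son_devices_v6> "
        "to <custom_block_v6> label \"custom_block_v6 auto rule\"",
    ]
    return "\n".join(lines) + "\n"


def table_drift(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compare two resolutions of the same domain list. 'added' addresses stay
    reachable from the blocked devices until the table is refreshed (the gap a
    shorter update interval narrows); 'removed' ones keep being blocked needlessly."""
    old4, old6 = resolved_tables(old)
    new4, new6 = resolved_tables(new)
    old_set, new_set = set(old4 + old6), set(new4 + new6)
    return {
        "added": sorted(new_set - old_set, key=_family_key),
        "removed": sorted(old_set - new_set, key=_family_key),
    }


if __name__ == "__main__":
    print(build_ruleset(SON_DEVICES, RESOLVED_HOUR_0))
    print(table_drift(RESOLVED_HOUR_0, RESOLVED_HOUR_1))
```

The generated text is only a reference for reading the rules pfB produces after Force Update | Reload: the two tables fed by the alias and by the resolved domain list, and a block rule from the first to the second, should be recognisable in the live ruleset even though pfB's own names and interface binding differ. The drift output is the part to think about when choosing the update interval: an address the domain moved to is reachable until the next update, however short or long that interval is.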

@SteveITS said in Custom DNSBL block list for specific hosts:

IT savvy kids can set a static/different IP.

Thankfully he's one of the least IT savvy kids around, so that would be very unlikely at this stage.

Zhigre @SteveITS, Dec 2, 2023, 2:27 AM

@SteveITS

Can I block all and bypass for devices that aren't his but still be blocking the other content in the firebog lists on all devices?

Also, I've set static IPv4 addresses for all devices in the home.

tinfoilmatt @Zhigre, Dec 2, 2023, 2:33 AM

@Zhigre the solution i've proposed would have no effect whatsoever on any other pfB configuration you already have in place. (it's actually preferable to what i originally mentioned with the Python Group Policy function, where any excepted devices would be completely excepted from all DNSBL.)

all devices on the network would continue to be 'protected' the way you have pfB configured now—and then only your son's devices would additionally be blocked from passing traffic to any IPs resolved from your custom domain list.

Zhigre @tinfoilmatt, Dec 2, 2023, 5:55 AM

@cyberconsultants

Thanks heaps for the assistance, I'll try to implement that soon and let you know how it went :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.