Netgate Discussion Forum

    DNSBL category not working

    pfBlockerNG | 18 Posts | 3 Posters
    • loop4633

      Hi guys,
      I'm returning to pfSense after 10 years and I find it revolutionized.
      I'm trying to use DNSBL Category. I've selected Social Networking to block Facebook but it doesn't work...
      Can anyone explain to me how I can do that?
      Is there any tutorial?
      Thank you in advance to anyone who can try to help me.

      • Gertjan @loop4633

        @loop4633 said in DNSBL category not working:

        Is there any tutorial?

        Nothing changed 😊

        A bit old but it still handles all the basics: pfBlockerNG on pfSense (official Netgate video channel).

        Blocking all Facebook IPs: throw this into your favorite search engine (not Bing probably): "how to block facebook with the ASN?". This will work pretty well; "all Facebook" won't work anymore (which will include WhatsApp etc.).


        @loop4633 said in DNSBL category not working:

        I'm returning to pfSense after 10 years and I find it revolutionized.

        Like Windows I guess (Windows 7 back then?) 😊
        I guess we all changed somehow.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • loop4633 @Gertjan

          @Gertjan Thank you for your answer,
          but if you suggest that I block all IPs of Facebook, do I understand that DNSBL Category does not work? Right?

          • Gertjan @loop4633

            @loop4633

            Never tried to block something as massive as Facebook myself.
            Massive means: thousands of - not IPs - but entire networks.
            Even more host names. Crack open your phone, get the "WhatsApp binary", decode it (as it is encrypted to 'protect' it from curious people) and you'll find the huge list of host names WhatsApp uses to "call home". And things get even better: this list can be updated dynamically.
            So even if you think you have the entire host name list, you don't ^^

            Sure enough, you could wildcard blacklist the host name "facebook.com" with ... mixed (?!) results.

            Remember: you can try to block "facebook". They, Facebook, hired the very best - and many of the best - with the opposite goal in mind, as do Google, Apple, Microsoft and all the other big players.

            There is also some really good news for you: the very same question has been asked many times already, and you can find them here on this forum, with detailed suggestions.

            Read them all, and you'll understand why I talked about ASN.


            • loop4633 @Gertjan

              @Gertjan Wow, understood... I'll try to block something else than Facebook... at this moment I'm studying pfSense, I have tried to block social media by DNSBL category... I will test with another category to understand if it works.
              Thank you for your help

              • BBcan177 Moderator @loop4633

                @loop4633 enable the TLD Wildcard option so that it blocks the domain and subdomains

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                • loop4633 @BBcan177

                  @BBcan177 Thank you for your reply,
                  I have already activated it.

                  • BBcan177 Moderator @loop4633

                    @loop4633 if you enabled that after, you will need to run a Force Reload DNSBL for it to take effect


                    • loop4633 @BBcan177

                      @BBcan177 said in DNSBL category not working:

                      @loop4633 if you enabled that after, you will need to run a Force Reload DNSBL for it to take effect

                      Nothing works for me... I've tried to block porn content but nothing has changed...
                      I can't Force Reload, I can only select Reload All, without effect

                      [screenshot]

                      • loop4633 @loop4633

                        pfBlockerNG has an update... now it seems to download the list of porn... hope it works this time...
                        Will update you

                        • Gertjan @loop4633

                          @loop4633 said in DNSBL category not working:

                          now it seems to download the list of porn... hope it works this time...

                          You mean this one:

                          [screenshot]

                          You saw the word [ Large ]?
                          This list is known to 'break' systems, because it's huge. Only activate this list if:
                          You have time to check the auto reloads a couple of times.
                          You raised the internal PHP work memory to the max possible:

                          [screenshot]

                          I typically use this list to put a system (the PHP subsystem, its limited RAM buffer) to the max for a while.
                          Btw: porn visitors with more than one neuron, for 'reasons', always use a VPN 😊


                          • loop4633 @Gertjan

                            @Gertjan said in DNSBL category not working:

                            @loop4633 said in DNSBL category not working:

                            now it seems to download the list of porn... hope it works this time...

                            You mean this one:

                            [screenshot]

                            You saw the word [ Large ]?
                            This list is known to 'break' systems, because it's huge. Only activate this list if:
                            You have time to check the auto reloads a couple of times.
                            You raised the internal PHP work memory to the max possible:

                            [screenshot]

                            I typically use this list to put a system (the PHP subsystem, its limited RAM buffer) to the max for a while.
                            Btw: porn visitors with more than one neuron, for 'reasons', always use a VPN 😊

                            Thank you for your advice but it's too late... pfSense KO... is there any way to restore? Or must I reinstall?

                            • Gertjan @loop4633

                              @loop4633

                              Does console (or SSH?) access still work?
                              Console: this is normally a serial connection, but can also be an HDMI+keyboard interface.

                              Btw: reinstalling is a sure value.
                              pfSense was built with one goal in mind: with one click you can export a small (a couple of MBytes max) config file, and with this file you can recreate the same system (on the same hardware) in a matter of minutes: make the GUI work, which needs minimal steps, then click, upload the config file back in, reboot and done.


                              • loop4633 @Gertjan

                                @Gertjan said in DNSBL category not working:

                                @loop4633

                                Does console (or SSH?) access still work?
                                Console: this is normally a serial connection, but can also be an HDMI+keyboard interface.

                                Btw: reinstalling is a sure value.
                                pfSense was built with one goal in mind: with one click you can export a small (a couple of MBytes max) config file, and with this file you can recreate the same system (on the same hardware) in a matter of minutes: make the GUI work, which needs minimal steps, then click, upload the config file back in, reboot and done.

                                I shut it down with the button and started it again after 5 minutes, I've deactivated the porn category and it's now updating... hope this resolves it...

                                • loop4633 @loop4633

                                  Do you suggest any light category to select to test if DNSBL category works in my pfSense?
                                  Thank you

                                  • loop4633 @loop4633

                                    I'm realizing that the category doesn't work properly... I have tried the lingerie category but few sites are really blocked, many others are not... the block consists of corrupted loading of the web page...
                                    I also tried to reject with TLD; it really blocks the sites I selected but doesn't return me the pfSense error page, only "ERR_CONNECTION_REFUSED". Why?
                                    Thank you guys

                                    • Gertjan @loop4633

                                      @loop4633 said in DNSBL category not working:

                                      really blocks the sites I selected but doesn't return me the pfSense error page, only "ERR_CONNECTION_REFUSED". Why?

                                      Because of the listed DNS host names.

                                      Ultra quick example:

                                      My DNSBL page:

                                      [screenshot]

                                      I'll take "ADs_Basic" as an example, let's open it up:

                                      [screenshot]

                                      Now I have a file name: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

                                      Have a look at that file: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

                                      Take a line from the start:

                                      0.0.0.0 ck.getcookiestxt.com

                                      Copy "ck.getcookiestxt.com".

                                      Paste it here:

                                      C:\Users\Gauche>nslookup ck.getcookiestxt.com
                                      Serveur :   pfSense.bhf.net
                                      Address:  2a01:cb19:beef:dead:92ec:77ff:fe29:392c
                                      
                                      Réponse ne faisant pas autorité :
                                      Nom :    ck.getcookiestxt.com
                                      Addresses:  ::
                                                0.0.0.0
                                      

                                      The answer was ... 0.0.0.0

                                      Your browser would do the same thing: it will first do an identical DNS request for "ck.getcookiestxt.com" and receive 0.0.0.0 as an answer. It won't even try to connect to 0.0.0.0, and just shows the situation:

                                      [screenshot]

                                      so all is fine.

                                      edit: I use the "Null block (logging)" method. The "Null block" comes from ..... 0.0.0.0.
                                      Don't use the "DNSBL Webserver/VIP" as that method was useful when all web sites were doing http.
                                      As you might have noticed, "http" sites don't exist anymore. They all became https, and https (TLS) sites cannot be redirected to 'another' server like the pfBlockerNG web server (to show a nice error message).

                                      Ultra mega short "what is https" explanation:
                                      The browser gets the IP of the host name first, as above.
                                      When you use the "DNSBL Webserver/VIP" method, it is not 0.0.0.0 (the Null answer) that gets returned, but:
                                      [screenshot]
                                      10.10.10.1 it will be.
                                      Good news! This one answers the request!! It's the "DNSBL Webserver/VIP" after all.
                                      As the browser is using https it will receive a certificate from this web server.
                                      This certificate says it is:

                                      [screenshot]

                                      The browser goes full 😲 😰 😠 👽 mode as it wants the certificate that says "I am ck.getcookiestxt.com", not "I am pfSense-pfBNG-DNSBL-68dcca20bc53e". You'll see another browser fail message.

                                      And no, you can't make your own "ck.getcookiestxt.com" certificate on the fly, as for that to happen you need to prove that you own the domain name "ck.getcookiestxt.com".
                                      Try for yourself: get a valid, CA-signed certificate for a domain like "microsoft.com". If you manage to pull this one off, you:
                                      Will be, for a short moment, the richest man in the world.
                                      The most famous man in the world.
                                      You also just broke the world's economy in a way that couldn't be done better by people like Putin, Trump, Xi-ping and Macron combined.
                                      Shortly after, water stops flowing from the tap, the power goes down. You hear gun shots all over the place and the stage is set for a massive extinction event.


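A small defender-side check added here (my code, not from the thread, Netgate or the pfBlockerNG project) that covers two points made above: BBcan177's note that TLD Wildcard makes a listed domain cover its subdomains, and Gertjan's explanation that a Null-block answer is 0.0.0.0/:: while the "DNSBL Webserver/VIP" method answers with the VIP (10.10.10.1 in his screenshot). The hosts-format feed below is a constructed sample in the layout of the StevenBlack list, `tracker.example-ads.test` is made up, and `resolve()` does a live lookup through whatever resolver the machine is using, so run it from a LAN client behind pfSense to see which verdict each listed name gets.

```python
import ipaddress
import socket
# Constructed sample of a hosts-format DNSBL feed, laid out like the
# StevenBlack list quoted in the thread ("0.0.0.0 <hostname>").
SAMPLE_FEED = """\
# Title: constructed sample, not the real feed
127.0.0.1 localhost
::1 localhost
0.0.0.0 ck.getcookiestxt.com
0.0.0.0 tracker.example-ads.test   # trailing comment
"""
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

def parse_hosts_feed(text):
    """Return the hostnames a hosts-format feed sinkholes (loopback entries skipped)."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        for name in fields[1:]:                   # fields[0] is the sink address
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                names.add(name)
    return names

def is_covered(hostname, blocked, tld_wildcard):
    """True if hostname is listed; with the TLD Wildcard option a listed
    domain also covers every subdomain (www.example.test etc.)."""
    host = hostname.lower().rstrip(".")
    if host in blocked:
        return True
    return bool(tld_wildcard) and any(host.endswith("." + d) for d in blocked)

def classify_answer(addresses, vip="10.10.10.1"):
    """'null' = only 0.0.0.0/:: (Null block; the browser shows its own error page),
    'vip' = the DNSBL Webserver/VIP address (only works for plain http sites),
    'real' = anything else, so DNSBL is not blocking this name."""
    ips = {ipaddress.ip_address(a) for a in addresses}
    if not ips:
        return "unresolved"
    if all(ip.is_unspecified for ip in ips):
        return "null"
    if ipaddress.ip_address(vip) in ips:
        return "vip"
    return "real"

def resolve(hostname):  # live lookup via the system resolver (Unbound on pfSense)
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})

if __name__ == "__main__":
    for name in sorted(parse_hosts_feed(SAMPLE_FEED)):
        try:
            print(name, classify_answer(resolve(name)))
        except socket.gaierror as err:
            print(name, "lookup failed:", err)
```

A "real" verdict for a name you expect to be blocked means the feed was not loaded (the Force Reload DNSBL step above) or the client is not using pfSense as its resolver.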
                                      • loop4633 @Gertjan

                                        @Gertjan Many thanks,
                                        I'll try to do something like that...

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.