PfBlockerNG v2.0 w/DNSBL

BBcan177

Here is a PR to fix the Installation issue being reported…

https://github.com/pfsense/pfsense-packages/pull/1189

Once this is merged, if anyone has similar issues, please report back. Thanks!

fraglord

If you move your configuration from DNS Forwarder to DNS Resolver in order to use pfBlockerNG: For multi-WAN configurations you have to have forwarding mode enabled. See also here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

Hugovsky

Thanks BBcan177, and everyone that made this package possible. Great jpb.

@fraglord:

If you move your configuration from DNS Forwarder to DNS Resolver in order to use pfBlockerNG: For multi-WAN configurations you have to have forwarding mode enabled. See also here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

Can you elaborate? I have multi-wan and forwarding disabled and everything works.

cmb

Latest PR merged.

Dpain

@BBcan177:

There are several other DNSBL Feeds that can be used with pfBNG DNSBL. I will post that at a later date, once users get their basic configurations working. There is also an ADBlock Easylist tab, which is pretty self-explanatory.

Huge thanks BBcan177!!! First off really looking forward to you posting more feeds, more importantly though where can I donate? I'd like to thank you, you have no idea I've been trying to block ads on my wireless devices and had been trying to do this on an Asus RT-68U (AP mode)  with both tomato and merlin and was having issues.  PfBlockerNG 2.0 has solved this issue for me, I no longer have to mess around with the Asus router and don't have to worry bout getting ads on my sons ipad/pc. I added a feed from http://winhelp2002.mvps.org/hosts.htm would this work for host files as well? In the log it does seem to have downloaded the .txt file (see attached screenshot)  Thanks  again  BBcan177 for your work!

BBcan177

Here are more DNSBL Feeds that can be used in pfBlockerNG.
(Copy and paste URLS as plain text)

1. Create a new alias for these.
   These are not necessarily ADvert domains. So I named mine "Malicious"

hpHosts
http://hosts-file.net/download/hosts.zip

SWC
http://someonewhocares.org/hosts/hosts

spam404
https://spam404bl.com/blacklist.txt
https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt

malc0de
https://malc0de.com/bl/BOOT

MDS (use 'Flex' state)
https://mirror1.malwaredomains.com/files/justdomains

MVPS
http://winhelp2002.mvps.org/hosts.txt

MDL
http://www.malwaredomainlist.com/hostslist/hosts.txt

Discontinued
GJTech
http://adblock.gjtech.net/?format=unix-hosts

dShield_SD  (They also have a conservative list available)
https://www.dshield.org/feeds/suspiciousdomains_High.txt

Zeus
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

2. These two feeds post full URLs, so there can be some more false positives.
   Create a new Alias, and use Alexa as a recommendation.

PhishTank
https://data.phishtank.com/data/online-valid.csv.bz2

OpenPhish
https://www.openphish.com/feed.txt

MPatrol (You need to register - Free or Paid subscription. Use Danguardian feed)
https://lists.malwarepatrol.net

3. This is a feed that I manage (as time permits)
   MS_2
   https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw

4. Use this in its own Alias:

BBC_DGA  (This is a large feed of DGA for the likes of Cryptolocker et al…)
http://osint.bambenekconsulting.com/feeds/dga-feed.gz

BBC_C2
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt

5. Use this feed in its own alias as it is updated more frequently.
   So you can update it more often than once per day.

hpHosts_partial
http://hosts-file.net/hphosts-partial.asp

If users find other feeds, please post back so that others may benefit also.
Its also important to donate to the feeds provider (IP and/or Domain) as they all need support.

tonymorella

@BBcan177:

Here are some basic instructions to get started with DNSBL.

1. Open the pfBNG "DNSBL" Tab:

(Use the defaults unless you have a need to use otherwise)
Enter the DNSBL VIP as 10.10.10.1
Enter the DNSBL Listening Port as 8081
Enter the DNSBL SSL Listening port as 8443
Select the DNSBL Listening Interface as Lan

For the DNSBL Firewall Rule select all of the LAN subnets that access the DNS Resolver.
Ensure that all Devices that use the DNS Resolver, have the Resolver as its only DNS setting for DNSBL to function properly.

DNSBL IP Firewall Rule Settings:
Select Deny outbound or as per your requirements
select Enable logging

Alexa  (is optional, you can skip this until later if you wish)
Select Top 1K
Select the TLD Inclusions as ca,co,com,io,me,net,org or as required.

In the Custom List you may enter any domain you wish to Whitelist.

Save your settings

2. Open the "DNSBL Feeds" Tab:

Create a new DNSBL Alias

Enter DNS Group Name as ADs
Enter Description as DNSBL ADverts

DNSBL:

Enter the Header/Label and Source URL as follows:
(Use copy/paste as plain text for the URL)

Format Auto and State ON

yoyo
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext

hpHosts_ads
http://hosts-file.net/ad_servers.txt

Adaway
https://adaway.org/hosts.txt

Cameleon
http://sysctl.org/cameleon/hosts

Select List Action as Unbound
Select Update Frequency as Once a day

Alexa:
Do not enable the Alexa Whitelist for this ADverts based alias, as Alexa also posts the top ADvert servers. So using Alexa whitelist, will interfere with ADvert Blocking.

Add any other domains that you wish to block in the Custom List.

Save your settings

3. Open the "DNSBL" Tab:

Click DNSBL Enable checkbox.
Save your settings

4. Open the "Update" Tab:

Select Force Update

You should now see the DNSBL Feeds being downloaded and parsed. Once that is complete, goto the Dashboard, and confirm that the widget is populated correctly.

5. Goto the pfBlockerNG "Alerts" Tab:

Any domain that is blocked will be reported here. For HTTPS alerts, the SRC IP and URL are not captured due to Browser security measures.

As a test, goto www.aol.com  and www.yahoo.com  and see some alerts populate.

There are several other DNSBL Feeds that can be used with pfBNG DNSBL. I will post that at a later date, once users get their basic configurations working. There is also an ADBlock Easylist tab, which is pretty self-explanatory.

Have been using the beta code for some time and noticed a list of domains in the Alexa top 1K that serve up ads, since I don't want this I added the following custom block list to my Ads DNS Group which will remove them from any DNS group that is using the Alexa top 1K filter.

popcash.net
www.popcash.net
outbrain.com
www.outbrain.com
onclickads.net
www.onclickads.net
googleadservices.com
www.googleadservices.com
adcash.com
www.adcash.com
popads.net
www.popads.net

To confirm make sure "Enable Alexa Whitelist" is NOT checked for this DNS group.

BBcan177

@Dpain:

@BBcan177:

There are several other DNSBL Feeds that can be used with pfBNG DNSBL. I will post that at a later date, once users get their basic configurations working. There is also an ADBlock Easylist tab, which is pretty self-explanatory.

Huge thanks BBcan177!!! First off really looking forward to you posting more feeds, more importantly though where can I donate?

Thanks  again  BBcan177 for your work!

I could use a lifetime pfSense Gold subscription… :) But I think all developers should get that as a bonus :)

My email is at the bottom of the pfBNG general tab.

Dpain

@BBcan177:

@Dpain:

@BBcan177:

There are several other DNSBL Feeds that can be used with pfBNG DNSBL. I will post that at a later date, once users get their basic configurations working. There is also an ADBlock Easylist tab, which is pretty self-explanatory.

Huge thanks BBcan177!!! First off really looking forward to you posting more feeds, more importantly though where can I donate?

Thanks  again  BBcan177 for your work!

I could use a lifetime pfSense Gold subscription… :) But I think all developers should get that as a bonus :)

My email is at the bottom of the pfBNG general tab.

:o lifetime ?  That would be $99 x how many ever years you have left  ;D :P  so is the email there attached to a paypal account? Not sure if donation talk is allowed on forum if not, I apologize mods. Also , It does seem to be working for host files from http://winhelp2002.mvps.org/hosts.htm Thanks!

fraglord

Can you elaborate? I have multi-wan and forwarding disabled and everything works.

If you enable forwarding mode then a foward-zone named "." is created as well as some forward-addr entries with the DNS servers you sepcified system->general setup.
Default behavior of unbound is to query the Root servers. But if you have a multi-WAN configuration and need to specifiy a different DNS server for each WAN(gateway) you need forwarding mode to be enabled. So yeah, works without forwarding mode for some multi-WAN configs that are fine with just the Root servers.

vito

BBCan177,
Any problems running your list import script on PFB 2.0?

tonymorella

Few things I found out while beta testing V2

• First rule is take your time and be patient. Adding to may rules at once will casue alot of blocks you may or may not way. Wildcards are not supported, or wanted in most cases. For example adding google.com does not filter all the hosts for the domain, need to add each host that is being blocked to the filter lists
• Make sure to double check ASN's, especially for large companies that have acquired other companies, more than one ASN might exist
  *** Unbound has an issue in my setup using OpenVPN connected to PIA. It does not start correctly when a network issue is sensed,  em1 or openvpn interfaces flap for example. The core problem seems to be how the rc scripts handle unbound reload.  They do a HUP vs reload to get around the cache being lost. Disabling "DHCP Registration" or "Static DHCP" was a workaround that allowed unbound to start correctly.
• Checking "DHCP Registration" or "Static DHCP" causes other issues with unbound, this is a know issue being talked about in the DNS forum.  I added all my hosts host to unbound statically as a work around
• I wanted to have my allow rules > pfb block rules > my block rules > my per interface rules.  Did this by enabling "Floating Rules" and using "pfb_pass/match  | pfsense pass/match |  pfb_block/reject"
• If you have WIFI make sure to enable "DNSBL Firewall Rule" and select both LAN and WIFI or the NAT: Port Forward rule for 10.10.10.1 is not setup correctly.  If you don't change this setting things still work but everything runs slow over wifi.
• Make sure to whitelist all the DNSBL sites FQDN via an allow aliases, some IPv4 block-lists include the IP space the DNSBL are found in
• DBSBL is basicly a man in the middle for DNS so any site that is block but running https will create warrnings. Depending on how the brower is setup it might just ignore or not display the error.  CTRL+SHIFT+I on both Chrome and Firebox will bring up dev panel where you can see which pages are not loading. Chrome will show an error, Firefox will show a red slash throught the lock icon.
• Noticed a list of domains in the Alexa top 1K that serve up ads, since I don't want this I added the following custom block list to my Ads DNS Group which will remove them from any DNS group that is using the Alexa top 1K filter. To confirm make sure "Enable Alexa Whitelist" is NOT checked for this DNS group.

popcash.net
www.popcash.net
cdn.popcash.net
outbrain.com
www.outbrain.com
onclickads.net
www.onclickads.net
googleadservices.com
www.googleadservices.com
adcash.com
www.adcash.com
popads.net
www.popads.net
popmyads.com
www.popmyads.com

• List of domains added to DNSBL Custom Domain Suppression to stop them from being blocked

goo.gl
google.com
www.google.com
mail.google.com
docs.google.com
sites.google.com
fonts.googleapis.com
cache.google.com
clients.google.com
clients0.google.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients5.google.com
clients6.google.com
clients7.google.com
clients8.google.com
clients9.google.com
www.maxmind.com
s3.amazonaws.com
fls-na.amazon.com
login.live.com
redis.io
pgl.yoyo.org
someonewhocares.org
www.thingamajob.com
winhelp2002.mvps.org
hosts-file.net
www.hosts-file.net
adaway.org
sysctl.org
adblock.gjtech.net
www.dshield.org
malwaredomainlist.com
malwaredomains.com
bambenekconsulting.com
malwarepatrol.net
zeustracker.abuse.ch
malc0de.com
curl.haxx.se
dl.dropboxusercontent.com
whois.cymru.com
github.com
collector-cdn.github.com
pivotal.github.com
cloud.github.com
raw.githubusercontent.com
raw.github.com
stopforumspam.com
www.stopforumspam.com
sourceforge.net
www.sourceforge.net
iweb.dl.sourceforge.net
chase.com
www.chase.com
mint.com
www.mint.com
americanexpress.com
www.americanexpress.com
online.americanexpress.com
linuxquestions.org
www.linuxquestions.org
optimizely.com
www.optimizely.com
api.optimizely.com
cdn.optimizely.com
cdn2.optimizely.com
cdn3.optimizely.com
slashdot.org
www.slashdot.org
ebay.com
www.ebay.com
rover.ebay.com
srx.main.ebayrtm.com
openbl.org
www.openbl.org
www.us.openbl.org
delta.com
www.delta.com
aa.com
www.aa.com
cruisesonly.com
www.cruisesonly.com
ripe.net
www.ripe.net
weather.com
www.weather.com
lacnic.net
www.lacnic.net
tvrage.com
services.tvrage.com
www.tvrage.com
publicbt.com
device.maxmind.com
www.boingo.com
xda-developers.com
www.xda-developers.com
forum.xda-developers.com
opengapps.org
download.mono-project.com

• Ads DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: NOT Enabled

• Add Custom Block List noted above

http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintextoup	yoyo
http://hosts-file.net/ad_servers.txt							hphosts_ats
https://adaway.org/hosts.txt								adaway
http://sysctl.org/cameleon/hosts							syctrl
http://adblock.gjtech.net/?format=unix-hosts						gjtech

• Privacy Fraud DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt			disconnect_basic
http://hosts-file.net/fsa.txt								hphost_fsa
http://hosts-file.net/hjk.txt								hphost_hjk
http://hosts-file.net/pha.txt								hphost_psh
https://www.dshield.org/feeds/suspiciousdomains_High.txt				dshield_sdh

• Malware Exploit DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt			disconnect_malvertising
http://www.malwaredomainlist.com/hostslist/hosts.txt					malwaredomainlist
http://mirror1.malwaredomains.com/files/justdomains					malwaredomains			
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt				disconnect_malware
http://hosts-file.net/emd.txt								hphosts_emd
http://hosts-file.net/exp.txt								hphosts_exp
http://hosts-file.net/mmt.txt								hphosts_mmt
https://lists.malwarepatrol.net/cgi/getfile?receipt=f1442112770&product=8&list=dansguardian malwarepatrol
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist			zeustracker
https://malc0de.com/bl/BOOT								malc0de

• SPAM DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

http://hosts-file.net/grm.txt								hphost_grm
http://hosts-file.net/hfs.txt								hphost_hfs
https://spam404bl.com/blacklist.txt							spam_404

• Malicious DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

http://hosts-file.net/hphosts-partial.txt						hphost_partial
http://winhelp2002.mvps.org/hosts.txt							mvps_hosts
http://someonewhocares.org/hosts/hosts							SomeoneWhoCares
https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw			BBcan177

• BambenekConsulting DNS Group

• Update Frequency: Once a Day

• Enable Alexa Whitelist: Enabled

http://osint.bambenekconsulting.com/feeds/dga-feed.gz					bambenek_dga
http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt				bambenek_c2

Thanks
Tony M.**

tonymorella

@vito:

BBCan177,
Any problems running your list import script on PFB 2.0?

This scripted worked without an issue for me.

ntct

Oops! I found ZeuS Tracker is shut down, I hope it is only temporary.

Hugovsky

@fraglord:

Can you elaborate? I have multi-wan and forwarding disabled and everything works.

If you enable forwarding mode then a foward-zone named "." is created as well as some forward-addr entries with the DNS servers you sepcified system->general setup.
Default behavior of unbound is to query the Root servers. But if you have a multi-WAN configuration and need to specifiy a different DNS server for each WAN(gateway) you need forwarding mode to be enabled. So yeah, works without forwarding mode for some multi-WAN configs that are fine with just the Root servers.

Thank you.

Atlan

I am receiving certificate invalid errors after enabling the DNSBL when navigating certain sites - so far the culprit seems to mainly be googleads.g.doubleclick.net when trying to serve content over an HTTPS enabled website.

The attempt still shows in the Alerts tab of pfBlockerNG, the main site still loads, but it seems to be wanting to use the firewall's self signed certificate as the certificate for the ad server host.

Did I miss a setting somewhere to prevent this from happening?

doktornotor

There's no such setting anywhere and no way to prevent this from happening really, except for whitelisting the domain.

reggie14

@Atlan

To a certain extent, this isn't surprising.  pfBlockerNG essentially has to Man-in-the-Midde HTTPS.  If the ad is being loaded from an HTTPS server (I don't necessarily mean the page you're viewing, rather where the ad itself is coming from), then pfBlockerNG redirects you to its own little webserver running on your pfsense box, and, since is done over HTTPS, that webserver uses a generic, default certificate.  It's a different cert than what is used for the pfsense WebGUI.  For various reasons, pfBlockerNG uses the same certifcate for every blocked HTTPS resource.  This creates a problem because the name in the certificate doesn't match the domain name of the blocked resource, which is why you see certificate warnings.  There's no good way around this, though.  Attempting to dynamically create valid certs off a CA running on the pfsense box would be both complicated and slow.

But, I'm a little surprised you're seeing warnings.  I used to see warnings occasionally, but I haven't for a while.  I thought browsers just started silently dropping HTTPS connections to external resources when there's a bad certificate.

Can you provide additional information to reproduce this?  What browser are you using?  What webpage were you accessing?  If I can see an example, and maybe inspect a packet capture and page source code may be I can see what's going on.

mbarnes

What about setting your virtual address to 0.0.0.0? As that whole /8 is non-routable, you wouldn't get the cert error. It would just silently fail to load ads.

reggie14

@mbarnes:

What about setting your virtual address to 0.0.0.0? As that whole /8 is non-routable, you wouldn't get the cert error. It would just silently fail to load ads.

While that might hide the cert error, there would be downsides.  First, some some pages will hang as they wait for the ad server to respond.  Second, blackholing the traffic completely by setting the VIP to something other than the DNSBL webserver will disable alerts.  That would create problems, because the regular ad-blocking lists WILL break some sites and mobile apps.  The alerts are, by far, the easiest way to track down problems.

There are better plausible workarounds, but we need to see some examples to understand under what circumstances people run into cert errors.