PfBlockerNG v2.0 w/DNSBL
-
when i open, for example yahoo.com, I can see al the boxes where the adds come in just not the contens of them. I'm not sure if on my previous pfsense box the whole ad was being blocked, like my adblocker does.
Yahoo, is doing something dirty with ADs on that page… Its actually an Image… So it can't be blocked by DNSBL since, its not doing a DNS resolution to an AD server... Right-Click on the AD then click "Inspect" ... You will see that its actually an Image.... I haven't seen this elsewhere except for Yahoo...
Some info about Browser Add-ons:
https://twitter.com/x0rz/status/739807696568918016 -
Yahoo, is doing something dirty with ADs on that page… Its actually an Image… So it can't be blocked by DNSBL since, its not doing a DNS resolution to an AD server... Right-Click on the AD then click "Inspect" ... You will see that its actually an Image.... I haven't seen this elsewhere except for Yahoo...
Some info about Browser Add-ons:
https://twitter.com/x0rz/status/739807696568918016allright… I think I see the same thing on aol.com. They just find another way to serve you ads. But with an adblocker on my browser and dnsbl blocking ads on mobile devices, I haven't seen them yet. So thats a good thing! Gonna donate right now. Thanks for making browsing a lot cleaner! ;D
Just one thing I can't get done. Thats blocking those annoying ads on youtube. Is that possible with dnsbl? I use the easylists Cameleon, adaway yoyo and hostfile. I haven't configured ip blocklists yet.
-
Does pfblockerNG2.0.4 need the localhost (127.0.0.1). As in the general setup of pfsense there is the "Disable DNS Forwarder" option! checking it and so disabling it removes 127.0.0.1 from the ISP DNS servers on the WAN in the Status -> Interfaces
(Do not use the DNS Forwarder as a DNS server for the firewall By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.)
-
Does pfblockerNG2.0.4 need the localhost (127.0.0.1). As in the general setup of pfsense there is the "Disable DNS Forwarder" option! checking it and so disabling it removes 127.0.0.1 from the ISP DNS servers on the WAN in the Status -> Interfaces
(Do not use the DNS Forwarder as a DNS server for the firewall By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.)
If you are using the Resolver in "Resolver mode"… then best to leave that option unchecked... This way, all requests goto the localhost for DNS resolution.
-
Yahoo, is doing something dirty with ADs on that page… Its actually an Image… So it can't be blocked by DNSBL since, its not doing a DNS resolution to an AD server... Right-Click on the AD then click "Inspect" ... You will see that its actually an Image.... I haven't seen this elsewhere except for Yahoo...
Some info about Browser Add-ons:
https://twitter.com/x0rz/status/739807696568918016allright… I think I see the same thing on aol.com. They just find another way to serve you ads. But with an adblocker on my browser and dnsbl blocking ads on mobile devices, I haven't seen them yet. So thats a good thing! Gonna donate right now. Thanks for making browsing a lot cleaner! ;D
Just one thing I can't get done. Thats blocking those annoying ads on youtube. Is that possible with dnsbl? I use the easylists Cameleon, adaway yoyo and hostfile. I haven't configured ip blocklists yet.
Yahoo! in another recent Malvertising campaign…
https://blog.malwarebytes.org/cybercrime/exploits/2016/06/neutrino-exploit-kit-fills-in-for-angler-ek-in-recent-malvertising-campaigns/
-
Just one thing I can't get done. Thats blocking those annoying ads on youtube. Is that possible with dnsbl? I use the easylists Cameleon, adaway yoyo and hostfile. I haven't configured ip blocklists yet.
same here. haven't found a way yet.
does somebody tried the blocking lists from example adblock plus addon for firefox/chrome?
would that work? -
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt -
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txtSo DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
-
So DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
-
If users find other feeds, please post back so that others may benefit also.
Just found this fairly new (march 2016) blocklist, looks interesting and can confirm it works with pfBlocker: https://ransomwaretracker.abuse.ch/blocklist/
Can't seem to find a download link. Are they commercial?
Add the following to DNSBL
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txtIn case you don't have this in IPv4 (PRI1)
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txtThank you ;)
-
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
Thank you for the reply and that is great. I just added https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt to my DNSBL.
One other question, I missed the pfBlockerng hangout but I did watch it afterwards. In it, I believe you said that you would post your recommended blocklists. Is there such a CURRENT compilation on the forum? I have been hunting them down for over a month now and cannot seem to find a "one list of lists to rule them all." I am currently using the ones from jflsakfja's posts but those posts are over a year old I think and I never did find his complete list of lists. I think he posted that he was going to include them in his suricata guide - which does not appears as though it will be completed.
-
So DNSBL will accept a list containing a full URL (http://malware.example.com/path/to/badfile.exe) ? I wasn't aware of that and only added the DOMBL.txt as a feed in DNSBL and IPBL.txt(as IPv4 list)
DNSBL will parse each line and extract the Domain…
This is similar to other lists like PhishTank/OpenPhish/Malware Patrol... There can be some FPs with the three that I mentioned here, because of the fact that they post URLs... So Alexa whitelist can be useful for these types of lists... But generally most of those Domains/URLs you'd want to avoid....
The RW URL list shouldn't be whitelisted with Alexa tho...
Thanks for clearing up, I wasn't aware of that either and just skipped the URL blocklists 8)
@khanman, thanks for the hint about pfBlockerNG hangout! Going to watch in a minute!
-
Hi BBcan177, first of all I'm a big fan of you awesome pfsense package, great work! I'm using your plugin for a couple of weeks now but I noticed some strange behaviour with DNSBL. Some fqdn's get blocked sometimes even if they are added to the global whitelist, this is not always the case. The only way to fix this was to completely set the List Action box to disabled to get things working again. After switching it back to unbound it didn't get blocked. In this particulair case it's analytics.twitter.com
The block is added to the alert log, even at this point it says it's already added to the whitelist. Why does it block this fqdn?
-
Is there such a CURRENT compilation on the forum?
This post has instructions on how to get a script that I wrote a year ago…. There are some changes to that list since, but its a start.
https://forum.pfsense.org/index.php?topic=86212.msg549973#msg549973
I will try to make a new script at some point....
-
Did you originally click the "+" suppress icon? or did you manually add the Domain to the DNSBL Whitelist?
When you click the "+" icon, it should remove the domain from the DNSBL database, and add it to the Whitelist to prevent it from getting added at a Cron event… If you manually add a domain to the whitelist, then you need to run a "Force Reload - DNSBL" for it to be removed...
Keep in mind, that your browser/OS might be caching the DNSBL VIP address for that domain. Might have to clear the browser Cache and OS cache...
You can use this link for Chrome:
chrome://net-internals/#dns -
Stupid question… I have pfBlockerNG with dnsbl running and a custom domain suppression/whitelist that was created using the plus signs in the alerts for dnsbl.
Even the fqdn is added to this list and I do a dns resolution, it gets the 10.10.10.1 address and not the proper IP. It's as if dnsbl or pfblocker isn't seeing this whitelist.
Does anybody know how I can resolve this?
Thanks!
-
have you force reloaded on the Update Tab?
-
have you force reloaded on the Update Tab?
I most definitely did. The exclusion list has been sitting in there for months and never worked. I just got motivated to look into why it's not working today.