Netgate Discussion Forum

    PfBlockerNG - query on application of DNSBL - subdomain vs domain blocking

    Andrew453

      Hi

      I've read through the posts on the DNSBL (domain level) blocking offered by pfBlockerNG and the various easy lists that can be used.

      I can see that it seems to be deliberate that pfBlockerNG will only explicitly block the specific domains that are listed.

      So, for example, an entry for abcdef.com, won't block ads.abcdef.com, seemingly deliberately.

      Is that indeed the intended behaviour and if so, is it consistent with what's intended by the authors of the block lists?  Most of the block lists only include entries like abcdef.com … leaving ads.abcdef.com or similar to go straight through the filter (meaning it doesn't block ads in most cases!).

      Is there any way to make it also block subdomains please?  It's possible in the dns resolver (you use local-zone in addition to local-data), but pfBlockerNG doesn't seem to be set up that way.

      Thanks

      Andrew

      BBcan177 Moderator

        See the following:
        https://forum.pfsense.org/index.php?topic=102470.msg593514#msg593514

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        Andrew453

          Thanks, yes, I'd read that.

          It's perfectly right that if a DNSBL includes ads.yahoo.com, you wouldn't want to block *.yahoo.com

          My point is many of the DNSBLs appear to assume that if it had yahoo.com listed, that the filter would automatically block ads.yahoo.com (i.e. the other way around).  That's not happening in pfBlockerNG.

          (Yahoo's a bad example, as it clearly has legit domains.  cf something like xxxads.com vs ads.xxxads.com.  At the moment, many clearly dodgy domains get straight through)

          So the point is that there appears to be a mismatch of conventions between what the authors of the DNSBLs assume will be blocked, vs what pfBlockerNG is actually blocking, with the result that many DNSBLs are actually ineffective when applied through pfBlockerNG.

          BBcan177 Moderator

            I have to think about how I would do that in the package :) Not just so straight forward…

            It will wreak havoc with de-duplication trying to add the redirect lines to single domains, and filtering out duplicate domains that are in other feeds which are listing a sub-domain for a previously added domain with a redirect....  Unbound will crash if there are two lines with the same domain when using a "redirect" rule...

            I will work away at it and see what I can come up with...


            Andrew453

              Thank you.  My suggestion would be:

              1)  add a global option in pfBlockerNG for blocking entire domains where a DNSBL includes say abcdef.com (I think it has to be global option rather than per list, otherwise you run into trouble on de-duping as you say)
              2)  do the combination/de-duping/suppression etc as per normal (so people can override the global behaviour on a per domain basis by suppressing e.g. abcdef.com, but adding ads.abcdef.com)
              3)  at the point where pfBlockerNG translates the de-duped list into a conf file to pass to Unbound, check each domain being added:
                - if it is a domain: then add it into the conf file with a local zone too - i.e. block the lot
                - if it is a subdomain: then add it into the conf file with just a local data entry - i.e. just block the particular subdomain mentioned

              I suspect you may need to build a list of top level domains into pfBlockerNG to do the last part.  You can't just count dots unfortunately, as abc.co.uk has two (but is still a domain), whereas abc.com only has one.

              On the crashing point, one way to deal with that is to sort the de-duped list by domain (e.g. invert the character order of each domain string, then sort, then invert back).  Then when you apply the logic in (3), what you'll get is one zone redirect per domain, followed by all the data entries pertaining to that domain - hence no crash.

              Just a thought as to how you might do it - I suspect it might be a bit more complicated!

              Good luck, and thank you!

              Andrew
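The scheme proposed above (zone redirect for a listed domain, plain host entry for a listed subdomain, a suffix table instead of dot counting, and grouping by reversed name so each zone line precedes its hosts), as an added illustration that is not pfBlockerNG's code. The sinkhole address and the tiny public-suffix table are constructed assumptions; sorting is done on reversed label lists rather than reversed strings, and it goes one step beyond the post by dropping host entries already covered by an emitted redirect zone, since a redirect zone answers every name beneath it.

```python
# Added example (not pfBlockerNG's own code): turn a de-duplicated DNSBL feed
# into Unbound local-zone/local-data lines. A listed registrable domain blocks
# the whole zone (all subdomains); a listed subdomain blocks only that host.
SINKHOLE_IP = "10.10.10.1"  # assumed sinkhole address, placeholder only
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}  # constructed subset

def registrable_domain(name):
    """Return the registrable domain ("abc.co.uk" for "ads.abc.co.uk").
    Counting dots is not enough: "abc.co.uk" has two dots yet is a domain."""
    labels = name.lower().strip(".").split(".")
    # Scan from the left so the longest public suffix wins, then keep one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # entry is a bare suffix such as "com"; never block it
            return ".".join(labels[i - 1:])
    return None  # suffix not in the table: refuse to classify rather than guess

def unbound_lines(entries):
    """Emit Unbound config lines. Sorting on the reversed label list puts each
    zone line directly before the host entries beneath it, so a zone's redirect
    appears exactly once, followed by its related local-data entries."""
    uniq = sorted({e.lower().strip(".") for e in entries},
                  key=lambda n: n.split(".")[::-1])
    lines, zones = [], set()
    for name in uniq:
        apex = registrable_domain(name)
        if apex is None:
            continue  # bare suffix or unknown suffix: skip
        if name == apex:
            # Listed domain: redirect the whole zone (and every subdomain).
            lines.append(f'local-zone: "{name}." redirect')
            lines.append(f'local-data: "{name}. A {SINKHOLE_IP}"')
            zones.add(name)
        elif apex in zones:
            continue  # host already answered by its zone redirect; do not repeat it
        else:
            # Listed subdomain: block only that host, leave the parent domain alone.
            lines.append(f'local-data: "{name}. A {SINKHOLE_IP}"')
    return lines

if __name__ == "__main__":
    FEED = ["abcdef.com", "ads.abcdef.com", "ads.yahoo.com", "abc.co.uk",
            "Tracker.abc.co.uk", "abcdef.com", "com"]  # constructed sample feed
    print("\n".join(unbound_lines(FEED)))
```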
