====== PFSense - pfBlockerNG - Selectively enforcing pfBlockerNG for specific clients or networks ====== **ALERT:** Stopping the services associated with pfblockerNG (pfb_dnsbl & pfb_filter) while Unbound / DNS Resolver is running will cause crazy things to happen, including breaking the DNS Resolver service on your device temporarily. **Don’t do this!** Instead, first remove any custom options you’ve implemented with this guide to do with pfBlockerNG from your **DNS Resolver Custom Options** field. Then in **Firewall -> pfBlockerNG** deselect **Enable pfBlockerNG** from the **General Settings** page and click save. ---- ===== Basic Example ===== Navigate to **Services->DNS Resolver**. Add the following to the **Custom Options**. server: access-control-view: 192.168.10.0/24 bypass access-control-view: 192.168.20.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf ** NOTE:** In this example, we have network 192.168.10.x set to an Unbound view that does **not** include our pfBlockerNG DNSBL configuration. This means all the Unbound commands generated by pfBlockerNG are not referenced when a client in 192.168.10.x queries pfSense, so DNS queries go through unchanged. For the 192.168.20.x network, the entries are included and redirected to the pfBlockerNG sinkhole. It is important to note that you can use these entries in any CIDR notation that fall within your network topology. To filter content for a specific IP, you could specify 192.168.10.5/32 for example. ---- ====== Enforce Google, YouTube, Bing and DuckDuckGo SafeSearch ====== server: access-control-view: 192.168.10.0/24 bypass access-control-view: 192.168.20.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf local-data: "www.google.com 60 IN A 216.239.38.120" local-data: "www.youtube.com 60 IN A 216.239.38.119" local-data: "www.bing.com 60 IN A 204.79.197.220" local-data: "duckduckgo.com 60 IN A 107.20.240.232" **NOTE:** The entries added in the **dnsbl** view force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included. We have to add them here as adding them as a **Host Override** on the **DNS Resolver** configuration page would enforce them for all clients. ---- ====== Forward all DNS ====== server: access-control-view: 192.168.10.0/24 bypass access-control-view: 192.168.20.0/24 dnsbl access-control-view: 192.168.30.0/24 forward view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf view: name: "forward" view-first: yes forward-addr: 1.1.1.1 forward-addr: 8.8.8.8 **NOTE:** The **forward** view forwards requests to a couple of DNS servers on the Internet. ---- ====== Forward DNS over TLS ====== server: access-control-view: 192.168.10.0/24 bypass access-control-view: 192.168.20.0/24 dnsbl access-control-view: 192.168.30.0/24 forward access-control-view: 192.168.40.0/24 tls view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf view: name: "forward" view-first: yes forward-addr: 1.1.1.1 forward-addr: 8.8.8.8 view: name: "tls" view-first: yes tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt forward-tls-upstream: yes forward-addr: 1.1.1.1@853#cloudflare-dns.com forward-addr: 1.1.1.1 **NOTE:** To use **DNS over TLS**, you will need to specify **tls-cert-bundle** option that points to the local system's root certificate authority bundle, allow unbound to forward TLS requests and also specify any number of servers that allow DNS of TLS. For each server you will need to specify that the connection port using **@**, and you will also need to indicate which is its domain name with **#**. Even though it looks like an comment the hashtag name allows for the TLS authentication name to be set for stub-zones and with unbound-control forward control command. There should not be any spaces between the @ and # markups.