Setup DNSBL Blocking
Enable DNSBL
Navigate to Firewall → pfBlockerNG → DNSBL.
In DNSBL:
- Enable DNSBL: Checked.
- Wildcard Blocking (TLD): Checked.
WARNING: Wildcard Blocking (TLD) uses a lot of RAM.
Do not enable this on systems with less than 8GB RAM!
This setting enables additional processing that blocks ALL sub-domains of every listed domain, for more aggressive blocking.
For example, with TLD enabled, a list entry of sharewiz.net also blocks blog.sharewiz.net.
In DNSBL Webserver Configuration:
- Virtual IP Address: 10.10.10.1. This is the default and should be fine; only change it if needed. If you do change it, enter an IP address that is not used in any of your internal networks, something like 10.10.10.10.
- VIP Address Type: IP Alias. The default. Only change if needed.
- Port: 8081. The default. Only change if needed.
- SSL Port: 8443. The default. Only change if needed.
- Webserver Interface: LAN. The default. Only change if needed. Select LAN or another internal interface to listen on.
In DNSBL Configuration:
- Permit Firewall Rules: Checked (see the note below).
NOTE:
- If you have ONLY one LAN interface, leave this setting unchecked.
- If you have multiple LAN interfaces, check this setting and select each interface to protect.
- Scroll to the bottom of the page and click the Save button.
In DNSBL Whitelist:
- See DNSBL Whitelist.
- Enter the following white-list domains (one per line; a leading "." whitelists the domain and all of its sub-domains, and text after "#" is a comment) and modify as you like:
  .play.google.com
  .drive.google.com
  .accounts.google.com
  .www.google.com
  .github.com
  .outlook.live.com
  .edge-live.outlook.office.com # CNAME for (outlook.live.com)
  .outlook.ha-live.office365.com # CNAME for (outlook.live.com)
  .outlook.ha.office365.com # CNAME for (outlook.live.com)
  .outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
  .amazonaws.com
  .login.live.com
  .login.msa.akadns6.net # CNAME for (login.live.com)
  .ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
  .mail.google.com
  .googlemail.l.google.com # CNAME for (mail.google.com)
  .pbs.twimg.com
  .wildcard.twimg.com # CNAME for (pbs.twimg.com)
  .sites.google.com
  .www3.l.google.com # CNAME for (sites.google.com)
  .docs.google.com
  .mobile.free.fr
  .plus.google.com
  .samsungcloudsolution.net
  .samsungelectronics.com
  .icloud.com
  .windows.com
  .microsoft.com
  .skype.com
  .googleusercontent.com
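The interaction between Wildcard Blocking (TLD) and the leading-dot whitelist above is easier to reason about with a small model. The following Python script is an added example, not code from this page or from the pfBlockerNG project: it simulates the two matching rules (with TLD off a blocklist entry matches only the exact name, with TLD on it also matches every sub-domain; a whitelist entry with a leading "." covers the domain and all sub-domains, and the whitelist always wins) and flags whitelist entries that a broader wildcard entry already covers. The blocklist and whitelist are constructed sample data, and the matching logic is a simplification for illustration rather than pfBlockerNG's own implementation.

```python
"""Added example: a toy model of pfBlockerNG DNSBL matching to show what
Wildcard Blocking (TLD) and a leading-dot whitelist entry change.
Simplified for illustration; not the pfBlockerNG implementation."""


def parse_list(text):
    """Parse one-entry-per-line lists as typed into the DNSBL Whitelist box:
    '#' starts a comment, blank lines are ignored, a leading '.' marks the
    entry as a wildcard (the domain and all of its sub-domains)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        wildcard = line.startswith(".")
        entries.append((line.strip("."), wildcard))
    return entries


def _covers(entry, wildcard, qname):
    """True when 'entry' matches the queried name under the given rule."""
    return qname == entry or (wildcard and qname.endswith("." + entry))


class Dnsbl:
    def __init__(self, blocklist, whitelist, tld_wildcard=False):
        self.blocklist = parse_list(blocklist)
        self.whitelist = parse_list(whitelist)
        # Wildcard Blocking (TLD): treat every blocklist entry as a wildcard
        self.tld_wildcard = tld_wildcard

    def is_blocked(self, qname):
        qname = qname.lower().rstrip(".")
        # A whitelist hit always takes precedence over the blocklist
        if any(_covers(d, wc, qname) for d, wc in self.whitelist):
            return False
        return any(_covers(d, self.tld_wildcard, qname) for d, _ in self.blocklist)


def redundant_whitelist_entries(whitelist):
    """Whitelist entries already covered by another wildcard entry, e.g.
    '.cdn.example.org' when '.example.org' is listed as well."""
    entries = parse_list(whitelist)
    wildcards = [d for d, wc in entries if wc]
    return sorted({d for d, _ in entries
                   for parent in wildcards
                   if d != parent and d.endswith("." + parent)})


# Constructed sample data for the demo (not a real feed).
BLOCKLIST = """# constructed blocklist
sharewiz.net
google.com
"""

WHITELIST = """# a subset of the page's whitelist plus one deliberately redundant pair
.play.google.com
.www.google.com
.outlook.live.com
.edge-live.outlook.office.com   # CNAME for (outlook.live.com)
.example.org
.cdn.example.org
"""


if __name__ == "__main__":
    for tld in (False, True):
        d = Dnsbl(BLOCKLIST, WHITELIST, tld_wildcard=tld)
        for name in ("sharewiz.net", "blog.sharewiz.net",
                     "ads.google.com", "www.google.com", "apis.www.google.com"):
            print(f"TLD={tld!s:5} {name:22} blocked={d.is_blocked(name)}")
    print("redundant whitelist entries:", redundant_whitelist_entries(WHITELIST))
```

Running it shows why the whitelist matters once TLD is on: a feed entry of google.com then blocks every Google host, and only the listed sub-domains (and their own sub-domains, thanks to the leading dot) keep resolving.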
In DNSBL IPs:
- List Action: Deny Both.
- Enable Logging: Enable.
Scroll to the bottom of the page and click the Save button.
Setup DNSBL EasyLists
Navigate to Firewall → pfBlockerNG → Feeds.
Scroll down to the DNSBL Category section.
Select EasyList by clicking the + icon on the left side.
NOTE: See: Add DNSBL Feeds.
Set EasyList Feeds to:
- State: ON
- Action: Unbound
- Update Frequency: Once per day
Scroll to the bottom of the page and click the Save button.
Setup Custom DNSBL Lists
Navigate to Firewall → pfBlockerNG → DNSBL → DNSBL Groups.
Click the Add button.
Give it a Name and Description.
Add in as many DNSBL Source Definitions as needed.
Set:
- State: ON
- Action: Unbound
- Update Frequency: Once per day
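Before pointing a DNSBL Source Definition at a custom feed, it is worth checking what the feed actually contains. The following Python script is an added example, not code from this page or from the pfBlockerNG project: it reads a feed in any of the three common formats (hosts-file lines such as "0.0.0.0 host", plain domain lines, and EasyList "||host^" network rules), normalizes the names, drops hosts-file noise such as localhost, and reports entries that are not valid DNS names. The sample feed is constructed for the demo, and the parsing rules are the author's own choices, not a description of how pfBlockerNG parses feeds.

```python
"""Added example: normalize and sanity-check a custom DNSBL feed before
adding it as a DNSBL Source Definition. Parsing rules are illustrative and
are not pfBlockerNG's own feed parser."""

import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")

# Names hosts files carry for the local machine; never send these to a DNSBL
HOSTS_FILE_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def candidates_from_line(raw):
    """Return the host-name candidates on one feed line, or [] for comments,
    list headers and AdBlock rules that cannot be expressed as a domain."""
    line = raw.strip()
    if not line or line[0] in "#!" or line.startswith("["):
        return []
    if line.startswith("||"):
        # EasyList network rule: ||host^ with optional $options.
        # Rules with a path or wildcard are not plain domains; skip them.
        rule = line[2:].split("$", 1)[0]
        if not rule.endswith("^") or "/" in rule or "*" in rule:
            return []
        return [rule[:-1]]
    if "##" in line or "#@#" in line or "$" in line:
        return []  # element-hiding / other AdBlock syntax
    line = line.split("#", 1)[0].strip()  # trailing comment
    tokens = line.split()
    if tokens and _is_ip(tokens[0]):
        tokens = tokens[1:]  # hosts format: IP followed by one or more names
    return tokens


def normalize_feed(text):
    """Return (sorted unique valid domains, [(line_no, rejected_entry), ...])."""
    accepted, rejected = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        for cand in candidates_from_line(raw):
            name = cand.lower().rstrip(".")
            if name in HOSTS_FILE_NOISE:
                continue
            if len(name) > 253 or not DOMAIN_RE.match(name):
                rejected.append((n, cand))
                continue
            accepted.add(name)
    return sorted(accepted), rejected


# Constructed sample feed mixing the three formats (not a real feed).
SAMPLE_FEED = """# constructed sample feed
0.0.0.0 ads.example.com
127.0.0.1 localhost
0.0.0.0 Tracker.Example.NET   # trailing comment
||banner.example.org^
||banner.example.org^$third-party
||example.com/banner.gif
! adblock-style comment
[Adblock Plus 2.0]
example.com##.ad-box
plain.example.com.
bad_domain.example.com
-leading.example.com
"""


if __name__ == "__main__":
    domains, bad = normalize_feed(SAMPLE_FEED)
    print(f"{len(domains)} usable domains:")
    for d in domains:
        print("  ", d)
    for line_no, entry in bad:
        print(f"rejected line {line_no}: {entry!r}")
```

The rejected list is the useful output: a feed that yields many rejects is usually in a format the list does not handle, and the accepted count gives a feel for how much Unbound will have to load when the group updates once per day.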
Return to Install pfBlockerNG or continue to Update Blocking Lists.