Wednesday, December 23, 2020

How To Use pfBlocker-NG to Block Unwanted Domains on pfSense



For more information on pfBlockerNG: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html

  • pfSense version: 2.4.5-RELEASE-p1
  • pfBlockerNG version: 2.1.4_22

1. Requirement note:

We use DNSBL in pfBlocker-NG to filter content at the DNS level, so pfSense (LAN address) should be the default DNS server configured on your clients. If you don't want to use pfSense as the clients' default DNS server, configure a forwarder that points directly to pfSense on your own DNS server. In my case, I will use pfSense as the DNS server for my clients :) .

I assume everything is already working normally; you can read my previous post on how to set that up.

2. Configure pfBlocker-NG on pfSense:

Step 1: Install pfBlockerNG

Go to System > Package Manager > Available Packages > search for pfBlockerNG > click Install

Step 2: Configure the DNS Resolver:

Go to Services > DNS Resolver (the DNS Resolver is enabled by default after pfSense is installed)

I keep everything at its defaults; to keep it simple, I just add Host Overrides and Domain Overrides to tell pfSense to look up our local DNS.
Don't forget to allow your LAN network in the Access Lists tab of the DNS Resolver.

Step 3: Configure pfBlockerNG:

Go to the Firewall menu > select pfBlockerNG

I want to configure the DNSBL feeds first, so navigate to DNSBL > DNSBL Feeds

In the DNSBL Feeds window, click the ADD button to define the DNS group that we want to block

Next, we need to configure and enable DNSBL:

Go back to the General tab to enable pfBlockerNG:

  • MaxMind License Key: you can register for a MaxMind license key here: https://www.maxmind.com/en/geoip2-services-and-databases
  • I often use GeoIP in this case: we have some public servers behind pfSense, but we want to reject access to those servers from certain locations around the world

Next, we need to force an update and reload of the DNSBL database: go to the Update tab, then run the update and reload.

Finally, we should restart both the dnsbl and unbound (DNS Resolver) services before testing on our client.

3. Testing on client:

On the client, make sure its DNS server points to pfSense (LAN address)

Run NSLOOKUP on some domains:

Test in an Internet browser:

drive.google.com, docs.google.com and 010sec.com cannot be accessed, but cnet.com works.
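
The same check as a shell script you can run from the client, added here as an example that is not part of the original post. It assumes pfSense's LAN address is 192.168.1.1 and that the DNSBL virtual IP is pfBlockerNG's default 10.10.10.1 (adjust both to your setup); the nslookup outputs embedded in it are constructed samples so the parser can be exercised offline.

```shell
# Added example, not code from the original post: check which domains the
# pfBlockerNG DNSBL sinkholes by querying pfSense with nslookup and comparing
# the answer with the DNSBL virtual IP.
# Assumptions (not stated in the post): pfSense LAN address 192.168.1.1, DNSBL
# VIP 10.10.10.1 (pfBlockerNG's default), Linux/macOS nslookup output layout.
PFSENSE_DNS="${PFSENSE_DNS:-192.168.1.1}"
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"

# Extract the answer address from nslookup output. The first "Address:" line
# belongs to the resolver itself, so only lines after "Name:" are the answer.
answer_address() {
  printf '%s\n' "$1" | awk '
    /^Name:/ { in_answer = 1; next }
    in_answer && /^Address(es)?:/ { print $2; exit }'
}

# BLOCKED when the answer is the DNSBL VIP (DNSBL sinkholed the domain),
# NXDOMAIN when no answer section came back, ALLOWED otherwise.
classify_output() {
  addr=$(answer_address "$1")
  if [ -z "$addr" ]; then echo NXDOMAIN
  elif [ "$addr" = "$DNSBL_VIP" ]; then echo BLOCKED
  else echo ALLOWED
  fi
}

# Live check of one domain against pfSense (needs network access).
check_domain() {
  classify_output "$(nslookup "$1" "$PFSENSE_DNS" 2>/dev/null)"
}

# Constructed sample outputs: a domain sinkholed to the VIP, and one resolved
# normally (203.0.113.10 is a documentation address, not cnet.com's real IP).
SAMPLE_BLOCKED='Server:		192.168.1.1
Address:	192.168.1.1#53

Name:	drive.google.com
Address: 10.10.10.1'
SAMPLE_ALLOWED='Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	cnet.com
Address: 203.0.113.10'

# Run with --live to query pfSense for the domains tested in the post.
if [ "${1:-}" = "--live" ]; then
  for d in drive.google.com docs.google.com 010sec.com cnet.com; do
    printf '%-20s %s\n' "$d" "$(check_domain "$d")"
  done
fi
```

Without `--live` the script only defines the functions and samples; `sh check_dnsbl.sh --live` prints one BLOCKED/ALLOWED/NXDOMAIN line per domain.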

Done - good luck everyone :) - Thank you.
