How to block ads on pfsense with pfBlockerNG and Dnsbl?

To block ads on your network, you need pfSense running as the network firewall. pfSense offers a package called pfBlockerNG, which can also be used to block malware, adult content, and much more. The package has two parts, DNSBL (DNS blocking) and IP/GeoIP blocking; to block ads, we only need to configure the DNSBL portion.

DNSBL Configuration Summary

To block ads on pfSense we need to configure the DNSBL portion. Here is the configuration list:

  • Create a floating firewall rule. This rule forces all local networks (LAN and VLANs) to use pfSense as the only DNS server and blocks access to external DNS servers.
  • Install and configure the devel version of pfBlockerNG.
  • Configure the DNSBL portion of pfBlockerNG. In this step we configure the DNS feeds for DNSBL; a feed is a list of domain names that should be blocked.
  • Lastly, we take a look at the Reports section and then test the configuration.

Floating Rule To Block External DNS Servers

For DNSBL to work, pfSense must act as the only DNS server, meaning every DNS query from the local networks must be resolved by pfSense. To enforce this, we only need to add one floating firewall rule.

To add the rule, go to Firewall > Rules > Floating, press the Add button with the upward arrow, and enter the following details.

(Screenshot: pfSense external DNS blocking through a single floating block rule, updated 10/10/2022.)

  • Action: Block.
  • Quick: Apply the action immediately on Match, make sure to enable this setting.
  • Interface: Select all interfaces such as LAN and VLANs if applicable but make sure that you do not select a WAN interface.
  • Address Family: IPv4
  • Protocol: UDP & TCP, as DNS uses both protocols.
  • Source: any.
  • Destination: Tick the Invert match check box and select This Firewall (self). This blocks all DNS traffic destined for external DNS servers while still allowing queries to pfSense itself, so pfSense becomes the sole DNS server.
  • Destination Port range: 53.

Once the above information is entered, select Save and then Apply Changes.

Install and Configure pfBlockerNG Devel Version

Update pfSense before installing pfBlockerNG, and install the pfBlockerNG-devel package: it is easy to configure and has the newer features.

To install it, go to System > Package Manager, select Available Packages, type pfblocker in the Search term field, and install the pfBlockerNG-devel package.

(Screenshots: pfSense Package Manager showing pfBlockerNG; pfBlockerNG-devel installation success.)

Configuring pfBlockerNG Devel Version

To block ads through pfSense we need to do a bit of configuration in pfBlockerNG. Go to Firewall > pfBlockerNG; this opens the welcome screen, where you select Next to start the wizard.

The configuration has two portions, IP and DNSBL. The IP portion adds firewall rules that block outgoing traffic to known offender destinations, while the DNSBL portion uses the pfSense DNS Resolver service to block ads and malware domains. Press Next to move to the next screen.

On the next screen, select the interfaces as follows:

  • Select Inbound Firewall Interface: Select only WAN interfaces. I am using multiple WAN interfaces, so they are all selected; if you have a single WAN interface, choose WAN.
  • Select Outbound Firewall Interface: Select only LAN or VLAN interfaces. I am using multiple VLAN interfaces, so they are selected; I have not selected the VPN and LAGG interfaces. If you have a single LAN interface, choose LAN. DO NOT CHOOSE ANY WAN INTERFACE!
(Screenshot: selecting interfaces for pfBlockerNG on pfSense.)

Press Next to move to the pfBlockerNG DNSBL Component Configuration page.

DNSBL Web Server Configuration

(Screenshot: pfBlockerNG DNSBL component configuration on pfSense.)

The above screen configures the web server for the DNSBL portion. The VIP address 10.10.10.1 shown there is a virtual IP address used by the DNSBL service.

You need to make sure that this address is not in use or overlaps with any of your local networks such as LAN.

This VIP address is not only the web server address but also the sinkhole address: every blocked ad or malware domain name resolves to it, so the traffic never leaves your network.

If by any chance DNSBL cannot utilize this address then it won’t be able to block ads.

If you are already using this IP address in your network, move the VIP to an address in a subnet you do not use. If all is well, select Next to finish the installation.

Note: For this tutorial, I am using the VIP address to be 10.90.90.90, because the default VIP address overlaps with one of my network subnets.


Configure pfBlockerNG DNSBL Portion

Once the installation is finished, it is time to block ads by configuring the DNSBL portion. When you press Finish on the installation wizard screen, it takes you to the Update screen.

On the Update screen, pfBlockerNG downloads its DNSBL database and completes the necessary settings. From the Update screen, move to the General tab.

Keeping the General settings at their defaults is a good idea, so do not change anything unless necessary. In particular, leave the Keep Settings checkbox enabled: if it is unchecked when you upgrade or downgrade the pfBlockerNG package, all previous settings are lost.

pfBlockerNG is an awesome tool created by BBcan177. If you would like to donate, they have a Patreon campaign page.

After completing the General Section, move to the DNSBL section.

As you can see, this tab is composed of multiple subsections. Scroll down to the DNSBL Configuration subsection.

(Screenshot: allowing an interface in the floating firewall rule to reach the DNSBL web server.)

Next, tick the check box to enable the "Permit Firewall Rules" setting and select an interface from the list. This creates a floating firewall rule that allows traffic from that interface only to reach the DNSBL web server at the VIP address:port.

Next, press the Save DNSBL settings button to save the configuration.

DNSBL Feeds

The DNSBL portion works with feeds, where a feed is a list of reported domains for ads, malware, adult content, gambling, and so on. pfBlockerNG ships with default feeds that can be customized as desired.

At the time of writing, my pfSense runs version 2.6.0 Release. It comes with a pre-configured blocklist (feed) for ads. To check the default configured feed, select DNSBL > DNSBL Groups.

(Screenshot: pfBlockerNG DNSBL Groups page with the default feed.)

As you can see a default feed is selected. There are lots of DNS feeds or blacklists available on the internet claiming to be the best. As per my finding, the pfsense default list is the best.

Steven Black Blacklist Feed

The following feed is part of the Steven Black hosts blacklist, which is the best-maintained blacklist database on the internet. When pfBlockerNG is installed on pfSense, this list is active and starts blocking ads right away. There are further Steven Black lists that can be used to stop malware, gambling, and similar content. To add more feeds from the Steven Black database, select Feeds.

(Screenshot: pfBlockerNG Feeds page.)

The page carries a lot of information for both IP and DNSBL, but we only need the DNSBL part, so scroll down until the Category column on the left reads DNSBL.

(Screenshot: Steven Black blacklist entries in the DNSBL portion of the Feeds page.)

The highlighted Steven Black list has a tick mark because it is the list currently selected.

Now click Steven Black, which takes you to the GitHub page where Steven Black maintains the lists. Scroll down until you reach the following section of the page.

(Screenshot: Steven Black GitHub page listing the fakenews, gambling and porn variants.)

The top list (in green) has already been added to DNSBL. Now let's add another list, Unified hosts + fakenews + gambling + porn. To add it, copy its link address, go to DNSBL > DNSBL Groups, select Add, and then fill in the fields as shown.

(Screenshot: adding a new feed list to a pfBlockerNG DNSBL group.)

Name/Description: as shown in the screenshot

Under DNSBL Source Definitions, set State to ON, paste the copied link address into the Source field, and add the Header/Label as shown. Then select Add and then Save DNSBL Settings.

After this select DNSBL>DNSBL Groups again and add the following settings as shown.

(Screenshot: finalizing the DNSBL group configuration.)

As shown on the screen select Unbound and Once a day from the respective drop-down list and then select Save.

The settings only take effect once the DNSBL portion is reloaded, so go to Update, select Reload and DNSBL, and then select Run as shown.

After reloading it will start blocking ads automatically.


Whitelist Domains

You can always whitelist some domains if you face any problems after completing the configuration.

To whitelist a domain, go to the DNSBL tab and scroll down to the DNSBL Whitelist subsection, where you can add any domain that should bypass the DNSBL checks.
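To make concrete what the DNSBL portion does with a feed and the whitelist, here is an added Python example that is not part of this tutorial or of the pfBlockerNG package: it parses a constructed excerpt of a hosts-format feed like the Steven Black list, drops whitelisted names and their subdomains, and emits Unbound local-data answers that point the remaining names at the VIP 10.90.90.90 used in this tutorial. The sample feed, the whitelist entries and the exact line format are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpt of a hosts-format feed ("0.0.0.0 <domain>" lines plus
# comments), the format the Steven Black unified hosts lists use.
SAMPLE_FEED = """\
# Title: StevenBlack/hosts (constructed excerpt for this example)
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example-tracker.test
0.0.0.0 cdn.example-tracker.test   # inline comment
0.0.0.0 gambling.example.test
0.0.0.0 Needed-Service.Example.test
"""

# Domains the admin added under DNSBL > DNSBL Whitelist (constructed).
WHITELIST = {"needed-service.example.test"}

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")


def parse_hosts_feed(text):
    """Return the set of domains a hosts-format feed wants blocked.
    Only 0.0.0.0 / 127.0.0.1 entries count; localhost, the sink address
    itself and bare hostnames are skipped; names are lower-cased."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, name = m.group(1), m.group(2).lower().rstrip(".")
        if addr not in ("0.0.0.0", "127.0.0.1"):
            continue
        if name in ("localhost", "0.0.0.0") or "." not in name:
            continue
        domains.add(name)
    return domains


def build_sinkhole_zone(domains, whitelist, vip):
    """Render Unbound local-zone/local-data lines answering blocked names
    with the DNSBL VIP, the idea pfBlockerNG applies via the DNS Resolver.
    Whitelisted names and their subdomains are left out. The exact line
    format is an assumption, not copied from the package."""
    vip = str(ipaddress.IPv4Address(vip))        # fail early on a bad VIP
    wl = {w.lower() for w in whitelist}
    lines = []
    for name in sorted(domains):
        if any(name == w or name.endswith("." + w) for w in wl):
            continue
        lines.append(f'local-zone: "{name}" redirect')
        lines.append(f'local-data: "{name} 60 IN A {vip}"')
    return lines
```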

(Screenshot: DNSBL Whitelist subsection in pfBlockerNG.)

DNSBL Reporting

DNSBL comes with remarkable reporting: it has many sections that give granular information about the blocked domains. To see it, go to Reports > DNSBL Blocked Stats.

(Screenshot: DNSBL Blocked Stats report.)

Ad Block Testing And Verification

Once you are done with the configuration, it is time to test. If you added the feed that blocks ads along with gambling and adult content, then browsing any adult content or gambling site shows the DNSBL block page instead of the site.

If you browse yahoo.com, pfSense blocks the ads and you will not see any on the right side of the page, which means your configuration is a success.
