Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
While I was away, someone asked me about pfSense DNSBL whitelisting, so I wanted to share a tutorial for it.
First, you might want to perform whitelisting if DNSBL is blocking a domain that you want access to.
Instead of removing a feed that you have subscribed to, you can whitelist a specific domain.
Note that pfBlockerNG’s DNSBL does not support wildcard domains. This means that you need to whitelist subdomains individually.
First, we need to find a blocked page. For my example, I’m going to use http://id.google.com/.
To verify that pfBlockerNG blocked the domain, we can visit the site in a browser.
If it is an SSL connection, then your browser will display a certificate error. This is due to the pfSense SSL certificate being self-signed.
Over plain HTTP connections, your browser will replace the page with a 1×1 pixel image.
If the page is loading an external script, then you can also notice the errors in your developer console. Note that this screenshot isn’t for id.google.com, but a different page.
Finally, you can also view which pages DNSBL has blocked in the logs. You can find these under Firewall -> pfBlockerNG -> Logs -> dnsbl.log
DNSBL Reject HTTPS,Mar 13 21:35:50,id.google.com
First, to add a domain to the whitelist, go to pfBlockerNG -> DNSBL -> DNSBL -> Custom Domain Whitelist.
At the bottom of the list, add the domain you’d like to unblock and click Save. In this case, I just added id.google.com.
Next, you need to reload the filters. To do this, go to Update -> Reload and select Reload and DNSBL.
After a little time (depending on how many feeds you have), the reload will complete.
To verify that the whitelisting was successful, attempt to reload the page. This is best done in an incognito window, to make sure that your browser hasn’t cached anything.
While I was unable to unblock the specific request (Politico comments), hopefully this explains how to perform DNSBL whitelisting.
For some sites, you will have to unblock many different domains, just because of external scripts.
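When a site needs several entries, the log is the quickest way to find them all. The following is an added example, not part of the original post or of pfBlockerNG: run against a copy of the log, it counts the blocked domains and lists the exact subdomains to enter in place of any wildcard whitelist entry. The sample log lines, the whitelist and the comments.example domains are constructed, and the three-field layout is assumed from the single log line shown above.

```python
import csv
from collections import Counter

# Constructed sample in the layout shown above: type,timestamp,domain
SAMPLE_LOG = """\
DNSBL Reject HTTPS,Mar 13 21:35:50,id.google.com
DNSBL Reject HTTPS,Mar 13 21:35:52,id.google.com
DNSBL Reject,Mar 13 21:36:01,cdn.comments.example
DNSBL Reject HTTPS,Mar 13 21:36:02,api.comments.example
this line is truncated
"""

# Constructed whitelist; the wildcard entry is the mistake the post warns about
SAMPLE_WHITELIST = ["id.google.com", "*.comments.example"]


def blocked_domains(log_text):
    """Count blocked domains, skipping lines without the three expected fields."""
    counts = Counter()
    for row in csv.reader(log_text.splitlines()):
        if len(row) >= 3 and row[0].startswith("DNSBL"):
            counts[row[2].strip().lower().rstrip(".")] += 1
    return counts


def review(log_text, whitelist):
    """Return (still_blocked, wildcard_entries, entries_to_add)."""
    exact = {w.strip().lower() for w in whitelist if "*" not in w}
    wildcards = [w.strip().lower() for w in whitelist if "*" in w]
    still_blocked = {d: n for d, n in blocked_domains(log_text).items()
                     if d not in exact}
    # A wildcard has to be replaced by each exact subdomain seen in the log.
    # "*.comments.example" -> suffix ".comments.example"
    to_add = sorted({d for d in still_blocked for w in wildcards
                     if d.endswith(w.lstrip("*"))})
    return still_blocked, wildcards, to_add


if __name__ == "__main__":
    still_blocked, wildcards, to_add = review(SAMPLE_LOG, SAMPLE_WHITELIST)
    for domain, hits in sorted(still_blocked.items()):
        print(f"{hits:4d}  {domain}")
    for entry in wildcards:
        print(f"wildcard entry has no effect: {entry}")
    for domain in to_add:
        print(f"add to Custom Domain Whitelist: {domain}")
```

Review each suggested domain before adding it, since the feed may have listed it for a good reason.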
Let me know if you have any questions or comments about this technique, and hopefully it helps!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
Thanks for taking the time. There is bad info out there. Someone said wildcarding was permitted and I couldn’t figure out why it didn’t work. When I read your explanation and I removed the wildcard it started working, so thank you!
I’m glad that helped you! Don’t worry, I tried it myself a few times and was wondering why it wouldn’t work.
Thanks for every other fantastic post. Where else could anybody get that type of info in such an ideal way of writing?
I have a presentation next week, and I am on the lookout for such info.
Thanks for that! As far as writing like this, I’ve just sort of improved slowly over time with repetition.
Is there a way to create a list of UNBLOCK sites similar to those BLOCK sites lists so I can simply update the list without going to the custom whitelist?
I wish there was, but you have to manually add sites to the custom white-list for now. SUPER annoying.