/etc/hosts

[rgo]

Is there a simple way to append the host file with a block list?  I want to add to host file a block list from a url of someonewhocares.org/hosts/

Every time I reboot I haft to go back in and redo the host file.  Before I go and break OpnSense to force the host file is there a way to load all these sites into OpnSense with just one simple command?

Do I have to redo the startup scrips to pull the file and then combine it with the system host file and make a new host file and replace the system host file then let OpnSense come up!  Is that the only option?

[Alphakilo]

I don't think that's possible on OPNsense, or advisable either.
Messing with the hosts file isn't a good idea IMHO, unless you absolutely want to hijack a hostname on one machine.

Resolving possible adverse domains as an loopback IP is a terrible idea, for many reasons. Letting your Firewall do that is even worse.
Loopback traffic is, more often than not, trusted absolutely.

Consider pi-hole (no, it does not require an raspberry pi).
It let's you use multiple upstream DNS providers (with DNSSEC *and* DNS-TLS no less), enables you to do extensive audits (names resolved per host), it imports pretty much any listformat you want to feed it. And as a cherry on top: you can actually analyse the traffic that would have went to the these domains otherwise.

It's absolutely marvelous. And has a very nice webinterface.

In my setup I use pi-hole as my only egress DNS service. Even my OPNsense resolves via pi-hole.
Unless an host in my domain is resolved. Then the pi-hole forwards the request to the OPNsense unbound.

I have two redundant pi-holes that are being offered as DNS servers via DHCP Options.

This has major advantages. Think about it this way: no program or app is actually forced to use the OS (and it's settings, i.e. hosts-file) for domain resolution. Sure it's best pratice. But if I wanted to exfiltrate your ... cat pictures from your network or serve you malware?
I'd implement an resolver in my program / dropper, rendering your hosts-file (or other DNS resolvers) moot.

With my setup I can block all DNS traffic to WAN, that doesn't originate from either pi-hole (and have Surricata block / flag traffic on non-standard ports). In fact, I treat that traffic as an IoC (indicator of compromise, i.e. active malicious program or actor on my network).

[rgo]

I understand what you are getting at, all tho I do not see a good way to keep it all inside OpnSence.  I want to keep away at all cost from having multiple systems to deal with all network stuff.  Just have one system to deal with everything.

From my research last night, it appears this is about the only viable option in the URL link below.

https://devinstechblog.com/block-ads-with-dns-in-opnsense/

This is using OpnSense own systems.  Could be the best way to go.  I do understand your pi-hole idea but you have 2 systems dealing with network traffic where I need to keep this to 1 system.

[Davesworld]

You mean like a hosts.deny list?

Also how you use such a list matters where the people you are denying are located, eg lan or wan. From the wan it's best to drop everyone unless you have ports forwarded that will be seen, even then it is best to drop rather than reject specific addresses so you appear to not exist to them.

Who are you trying to prevent from doing what exactly?

[rgo]

I am looking to use the lists in both directions.  If anything on the LAN side tried to go out drop it.  If anything from the WAN tries to come in then drop it.

I have not had time to try out my idea.  I might test it out today and see if I can make the link I posted to work.

[unclez]

Hi,

I am in the same situation. Mainly I'd like to exactly block ADs and trackers when my clients behind the firewall are surfing the web.
Apparently the best (and only) way is to work on the hosts file.

The link posted a couple of posts back is the way to go apparently.

Please let me know if you have any progress on this.

Thanks!!

EDIT: I tried to use the guide on link https://devinstechblog.com/block-ads-with-dns-in-opnsense/ but the script creates at the end an empty list and anyway unbound does not like when I add the "include" option and it stops working. I do not have time to investigate now, unfortunately.

[Evil_Sense]

Hi,

I am in the same situation. Mainly I'd like to exactly block ADs and trackers when my clients behind the firewall are surfing the web.
Apparently the best (and only) way is to work on the hosts file.

The link posted a couple of posts back is the way to go apparently.

Please let me know if you have any progress on this.

Thanks!!

EDIT: I tried to use the guide on link https://devinstechblog.com/block-ads-with-dns-in-opnsense/ but the script creates at the end an empty list and anyway unbound does not like when I add the "include" option and it stops working. I do not have time to investigate now, unfortunately.

Script works perfectly fine for me..

[Davesworld]

As far as web filtering, that's what the proxy and acl is for. I point the proxy acl to shalla and then choose the categories. Then I set up the proxy acl to update and apply the new list once per week. The way you are going about this is not only a resource hog but gets outdated quickly, rather clunky and crude. In the beginning of the public internet I would have done it your way, now there are just too many hundreds if not thousands of malicious sites which change constantly.

[Evil_Sense]

As far as web filtering, that's what the proxy and acl is for. I point the proxy acl to shalla and then choose the categories. Then I set up the proxy acl to update and apply the new list once per week. The way you are going about this is not only a resource hog but gets outdated quickly, rather clunky and crude. In the beginning of the public internet I would have done it your way, now there are just too many hundreds if not thousands of malicious sites which change constantly.

Well I created a cron job task and added some more sources to the script, so I got that going for me.

[bitman]

to block ad's just use these DNS servers;

2a00:5a60::ad1:0ff

2a00:5a60::ad2:0ff

176.103.130.130

176.103.130.131

from https://adguard.com/en/adguard-dns/overview.html

[rgo]

That is a good option but I will still do host file.  Planning on trying my idea this weekend and will report back how it works and how I made it work too!  If I am successful...

https://1.1.1.1/ from Cloudflare might be an option too.

Will report back next week.