- The ASNs, IPs, and domains may not suit you. REVIEW the dnsmasq list before deploying, particularly section 2 (explained below). We are pretty strict on our networks; you may not want to be.

- You should block both incoming and outgoing connections to these subnets. If you use pfSense, this means you should set up Aliases for each of the lists you want to use, then build 'Reject' rules for outgoing on your LAN and 'Block' rules for incoming on your WAN. Instructions for pfSense can be found below.

- Please don't pull these lists more than once per week. The Dnsmasq list is updated as tracking URLs are found (maybe once per week) and the IP and ASN lists are rebuilt once every 2 or 3 months IF new IPs are discovered or old IPs are removed.

- pfSense: The end of this README has instructions for setting up aliases and LAN and WAN firewall rules for these lists.
  * Files that start with 'x-alias-' are meant to be imported as an alias in pfSense. You then block connections to that alias under the LAN tab under firewall settings.

*******
DNSMASQ
*******

**This list is usually updated once or twice per month.**

You will need to manually edit a few lines in this list before you can use it on your own network. See the section explanations below. Please review this list carefully before deploying.

If you use this list and find you get a blank page or an "Unable to connect" message in your browser while surfing the web, this list probably null routed what you were trying to view. If you absolutely trust the site in question, find the domain in this list and remove the line. Use the compare feature in your text editor to view differences when making mass edits.

This list is spaced into 4 sections ...

- SECTION 1: A bogus-nxdomain is an untrusted DNS server - most ISP DNS servers should NOT be trusted. Most ISPs intercept DNS even when you use 3rd party DNS servers.
  If you use 3rd party DNS (like OpenNIC servers), add your ISP's DNS servers as bogus-nxdomains here to prevent malicious redirection. If your ISP happens to be Mediacom, we have already done this for you, though you may find more. If you do, add them to the list. If you have a different ISP (very likely), replace our entries with your own. You can add as many of these as you need to suit your ISP, one IP per entry.
  *Caution: if you rely on injected messages from your ISP (shame on you!), don't use any bogus-nxdomain entries.
  ** Ideally, you shouldn't use standard DNS anyway - look into DNSCrypt and a non-logging encrypted DNS server that supports DNSCrypt queries. We like OKTurtles and OpenNIC. OpenDNS supports DNSCrypt (they invented it), but they log all requests and keep them indefinitely. Also consider running all of your DNSCrypt queries over a VPN. **

- SECTION 2: These are common sites (Google and Yahoo) and social networks we don't want any devices on our LAN to access, purposely or accidentally, especially while visiting unrelated sites. If you use social networks or Google or Yahoo services (shame on you!), just delete the entries for the sites you use or delete this entire section before deploying.

- SECTION 3: These are Microsoft's Telemetry and Tracking URLs. This section will not hinder your use of MS Windows or MS updates, but it will keep MS from gathering too much data about you. This is particularly important if you use Windows 8, 8.1, or 10.
  *If this breaks some functionality you have been using in Windows, then you need to rethink your privacy.

- SECTION 4: The really BIG section - over 45,000 entries. This section contains ad, tracking, beacon, and malware servers not listed in section 2. These are uncommon sites that serve ads, subdomains of common sites that serve ads, or known drive-by malware injection sites.
  The original list was pulled from yoyo.org's ad server list, but has been heavily modified and has deviated substantially from yoyo.org's list over time. You really should not worry about legitimate domains or subdomains in this section - allowing any of it will not benefit you in any way, and keeping this section as-is will not affect your browsing. It will simply add a little protection from malware and block a lot of ads network-wide.

** As this list is updated, we also update a companion info file (dnsmasq.updates.txt) that lists all additions, with the date added, that we have made since August 2014. We regret we didn't start this update info sooner, but we hadn't considered sharing any of our lists before then. This file isn't meant to be imported or machine-parsed; it is simply so you can see our latest changes and make sure you don't blindly add a site to your list that you intend to visit.

-------------------------------
Sample Null Routing Rule Syntax
-------------------------------

address=/facebook.com/127.0.0.1
  - will null route facebook.com and all subdomains, such as www.facebook.com and photos.facebook.com

address=/photos.facebook.com/127.0.0.1
  - will null route photos.facebook.com and abc.photos.facebook.com, but NOT facebook.com or www.facebook.com or abc.facebook.com

-------------------------------

** IMPORTANT ** - Except for the very last entry, each entry has an intentional space after it. Do not remove the space. If you add your own entries, make sure you add a space after each one. The very last entry must NOT have a space after it.

To implement these Dnsmasq rules in pfSense:
--- Services>DNS Forwarder: The list should be entered manually (copy/paste) into the "Advanced" box.
  ** Since version 2.2, pfSense still includes Dnsmasq but shifts the default to DNS Resolver. We still recommend Dnsmasq over the new resolver. DNS Resolver can be disabled and Dnsmasq enabled instead.
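The README asks you to review the list before deploying and to respect the trailing-space convention, and the null-routing syntax above shows that an address= entry covers the domain and every subdomain. The following Python script is an added example (it is not part of the refugedenied lists, nor of dnsmasq) that parses a list in this format, answers "would this hostname be null routed?" with dnsmasq's suffix matching where the most specific entry wins, and checks the spacing rule. The sample list, the documentation-range IP standing in for an ISP resolver, and the hostnames tested are constructed for the example; the script deliberately handles only the two entry forms the README uses (address=/domain/ip and bogus-nxdomain=ip).

```python
"""Review helper for a dnsmasq null-routing list (added example, not the
project's own code). Parses address=/domain/ip and bogus-nxdomain=ip lines,
resolves which entry would null route a hostname, and checks the README's
trailing-space convention."""

import ipaddress
import re

ADDRESS_RE = re.compile(r"^address=/(?P<domain>[^/]+)/(?P<ip>[^/\s]+)$")
BOGUS_RE = re.compile(r"^bogus-nxdomain=(?P<ip>\S+)$")

# Constructed sample list in the README's layout: a section-1 bogus-nxdomain
# entry (192.0.2.53 is a documentation-range placeholder for an ISP resolver),
# then address= null routes. Trailing spaces are deliberate (IMPORTANT note).
SAMPLE_LIST = (
    "bogus-nxdomain=192.0.2.53 \n"
    "address=/facebook.com/127.0.0.1 \n"
    "address=/photos.facebook.com/127.0.0.1 \n"
    "address=/ads.example.net/127.0.0.1"   # last entry: no trailing space
)


def parse_list(text):
    """Return (null_routes, bogus_servers, errors).

    null_routes maps a domain to the IP it will resolve to, bogus_servers is
    the set of untrusted resolver IPs, and errors lists lines that are neither
    form or carry an invalid IP, so they can be fixed before deploying."""
    null_routes, bogus, errors = {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()                      # tolerate the trailing space
        if not line or line.startswith("#"):
            continue
        m = ADDRESS_RE.match(line) or BOGUS_RE.match(line)
        if m is None:
            errors.append(f"line {lineno}: unrecognised entry {line!r}")
            continue
        ip = m.group("ip")
        try:
            ipaddress.ip_address(ip)            # IPv4 or IPv6, anything else is a typo
        except ValueError:
            errors.append(f"line {lineno}: bad IP {ip!r}")
            continue
        if "domain" in m.groupdict():
            null_routes[m.group("domain").lower().rstrip(".")] = ip
        else:
            bogus.add(ip)
    return null_routes, bogus, errors


def null_route_for(hostname, null_routes):
    """Return the (domain, ip) entry that would null route hostname, or None.

    dnsmasq matches address=/d/ against d itself and any name ending in '.d';
    when several entries match, the longest (most specific) domain wins."""
    host = hostname.lower().rstrip(".")
    best = None
    for domain, ip in null_routes.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best


def check_trailing_spaces(text):
    """Enforce the README's convention: every entry except the last ends with
    exactly one space, and the last entry ends with none."""
    lines = text.split("\n")
    problems = []
    for i, line in enumerate(lines, start=1):
        is_last = i == len(lines)
        if is_last and line.endswith(" "):
            problems.append(f"line {i}: last entry must not end with a space")
        elif not is_last and not line.endswith(" "):
            problems.append(f"line {i}: entry should end with a space")
        elif line.endswith("  "):
            problems.append(f"line {i}: more than one trailing space")
    return problems


if __name__ == "__main__":
    routes, bogus, errs = parse_list(SAMPLE_LIST)
    print("null routes:", routes)
    print("bogus-nxdomain servers:", sorted(bogus))
    print("parse errors:", errs)
    print("spacing problems:", check_trailing_spaces(SAMPLE_LIST))
    for host in ("www.facebook.com", "abc.photos.facebook.com", "notfacebook.com"):
        print(f"{host:26} -> {null_route_for(host, routes)}")
```

Run it against your own copy of dnsmasq.txt (read the file into `parse_list` instead of `SAMPLE_LIST`) and feed `null_route_for` the domains you actually visit: anything that comes back non-None is a line you either accept or remove, which is exactly the review the README asks for before the list goes into the pfSense "Advanced" box.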
To implement these Dnsmasq rules in Linux:
--- Create a blank file called dnsmasq-rules.conf somewhere on your machine, paste the contents of this dnsmasq.txt file into it, then reference it at the end of your main dnsmasq.conf file (usually /etc/dnsmasq.conf) as seen below (replace "username" with your username if you placed the new file in your home directory). The /etc/dnsmasq.conf file must be edited as root:

############################################
# Include another configuration file ...
conf-file=/home/username/dnsmasq-rules.conf
############################################

** We actually use a separate DNS server on our LAN (Linux) instead of using pfSense as our DNS server. We also set up DNSCrypt on this server to provide encrypted DNS queries to upstream DNS servers. We still block standard DNS requests outside of the LAN. DNSCrypt does not use standard DNS ports. While possible, it's very unlikely any of your users will know or even understand this. In case one or more of them do understand this, you can set up firewall rules to block common external DNS servers by IP (external.dns.txt) and only allow your internal DNS server access to those outside upstream servers.

*** If you want to prevent your users from using outside DNS servers that bypass your Dnsmasq rules, you must create firewall rules to prevent that. In pfSense, create a firewall rule to allow DNS requests to the pfSense box LAN address, and below that create a rule to block DNS requests from LAN to "Any" address. Firewall rules are processed in order from top to bottom. All devices and computers on your LAN should use your pfSense box (or separate DNS server) for DNS. Also note that most media devices like Roku, AppleTV, BluRay players, game consoles, etc. try to use hard-coded DNS servers first. We need to force them to use YOUR DNS server by blocking general DNS queries outside of your LAN.
pfSense: To set up a firewall rule to allow DNS requests to the pfSense box from devices on your LAN:
--- Firewall>Rules>LAN
--- Click the + sign to add a new rule
--- Action: "Pass"
--- Interface: "LAN"
--- Protocol: "TCP/UDP"
--- Source: "Any"
--- Destination>Type: "Single host or alias"
--- Destination>Address: type in your pfSense box LAN IP address (ie. 192.168.1.1)
--- Destination port range: "DNS"
--- Log: do not check
--- Description: Give your rule a short but meaningful name (ie. Allow DNS to pfSense)

pfSense: To set up a firewall rule to block DNS requests everywhere else:
**** This rule goes BELOW the previous rule ****
--- Firewall>Rules>LAN
--- Click the + sign to add a new rule
--- Action: "Block"
--- Interface: "LAN"
--- Protocol: "TCP/UDP"
--- Source: "Any"
--- Destination: "Any"
--- Destination port range: "DNS"
--- Log: check if you want to see who is trying to bypass your DNS in your logs (Status>System Logs>Firewall)
--- Description: Give your rule a short but meaningful name (ie. Block Internet DNS)
--- Click "Save", then click "Apply Settings"

In addition, you can use the external.dns.txt list to block LAN access to IPs of common 3rd party DNS servers using the IP Block List instructions below.

********************
IP / ASN BLOCK LISTS
********************

** These lists are updated once every 2 months. **

Raw subnet lists for pfSense URL Table aliases. These lists contain IPs that we do not want anything on our LAN (home or office) to initiate contact with - mostly social networks. Instructions for using these with pfSense can be found below.

** Do not use these in front of public facing servers (ie. web server, mail server, etc). These lists are for small office or home networks without critical public facing services behind the firewall.

** By default, pfSense blocks all incoming connections on the WAN interface(s).
However, if a connection is initiated from inside the LAN, the firewall allows outside content in from the WAN for those connections. The connection may remain open in both directions for some time. We want to prevent this for some sites. In general, we want to prevent any connection to or from certain sites, like social networks, from our home or office network.

************************
SETUP pfSENSE WITH LISTS
************************

To set up an Alias for LAN Reject or WAN Block:
--- Firewall>Aliases
--- Click the + sign to add a new alias.
--- Give the alias a name - you may only use a-z, 0-9 and _. No spaces. (ie. Facebook_1)
--- Enter a description if you want (ie. Facebook AS32934)
--- For "Type" choose URL Table.
--- Enter the URL for the list of addresses to use (ie. https://refugedenied.com/lists/facebook.as32934.txt)
--- Set the frequency in days to check for updates (30)
--- The note is optional.
--- Click Save
--- Click Apply Settings
*** You must set up a new firewall rule to include the alias (see below).

To set up a LAN Reject Firewall Rule (keep your computers from accessing bad sites)
**** By default, pfSense allows all outgoing connections from your LAN ****
--- Firewall>Rules>LAN
--- Click the + sign to add a new rule
--- Action: "Reject"
--- Interface: "LAN"
--- Protocol: "Any"
--- Source: "Any"
--- Destination>Type: "Single host or alias"
--- Destination>Address: choose the name of the alias you created
--- Destination port range: "Any"
--- Log: check if you want these "rejects" to show up in your logs (Status>System Logs>Firewall)
--- Description: Give your rule a short but meaningful name (ie. Reject outbound Facebook, or Reject external DNS, etc)
--- Click Save
--- Click Apply Settings

To set up a WAN Block Firewall Rule (block baddies from getting in to your network)
**** By default, pfSense blocks all incoming connections on your WAN ****
--- Firewall>Rules>WAN
--- Click the + sign to add a new rule
--- Action: "Block"
--- Interface: "WAN"
--- Protocol: "Any"
--- Source>Type: "Single host or alias"
--- Source>Address: choose the name of the alias you created
--- Destination: "Any"
--- Destination port range: "Any"
--- Log: check if you want these "blocks" to show up in your logs (Status>System Logs>Firewall)
--- Description: Give your rule a short but meaningful name (ie. Block inbound Tumblr)
--- Click Save
--- Click Apply Settings

Recommended pfSense System Log Settings
--- Status>System Logs>Settings
--- GUI Log Entries to Display: 1000
--- Log Firewall Default Blocks:
  -- Log packets blocked by the default rule: Check
  -- Log packets blocked by 'Block Bogon Networks' rules: Check
  -- Log packets blocked by 'Block Private Networks' rules: Check
--- Web Server Log: Check
--- Raw Logs: Unchecked
--- Forward/Reverse Display: Check (I like to see newest first)
--- Filter descriptions: "Display as column"
--- Local Logging: Check
--- Click Save

--EoF--
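Two things in this README are easy to get wrong and hard to see in the GUI: the DNS pass rule must sit above the DNS block rule, because LAN rules are evaluated top to bottom and the first match wins, and a URL Table alias only blocks what its subnet list actually contains. The Python below is an added example (not pfSense code, and not the project's own) that models exactly that: it loads constructed stand-ins for the URL Table files (one IP or CIDR per line, which is what the README's "raw subnet lists" are assumed to be), builds the LAN rule set in the order the DNS and LAN Reject sections above prescribe, and shows what happens to a few destinations, including what breaks when the two DNS rules are swapped. The alias names Facebook_1 and External_DNS, the 192.168.1.1 LAN address, and every subnet and destination IP are placeholders from the documentation ranges, not the real list contents.

```python
"""First-match model of the README's pfSense LAN rules (added example; it
models rule ordering and alias matching only, not pfSense's full behaviour).
All addresses and alias contents below are constructed placeholders."""

from dataclasses import dataclass
import ipaddress

DNS_PORT = 53
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")   # the README's example address

# Constructed stand-ins for two URL Table alias files, one subnet per line.
# The real lists are fetched by pfSense from the URLs you enter in the alias.
ALIAS_FILES = {
    "Facebook_1": "203.0.113.0/24\n198.51.100.0/25\n",
    "External_DNS": "192.0.2.53/32\n192.0.2.54/32\n",
}


def load_alias(text):
    """Parse a URL Table list into networks. A malformed line raises here so
    a broken list is caught when you review it rather than silently ignored."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def build_aliases():
    return {name: load_alias(text) for name, text in ALIAS_FILES.items()}


@dataclass
class Rule:
    action: str            # "pass", "block" or "reject", as in the pfSense GUI
    dst: object = None     # None (= Any), an ip_address, or an alias name (str)
    port: int = None       # None = Any
    description: str = ""

    def matches(self, dst_ip, dst_port, aliases):
        if self.port is not None and dst_port != self.port:
            return False
        if self.dst is None:
            return True
        if isinstance(self.dst, str):                       # "Single host or alias"
            return any(dst_ip in net for net in aliases[self.dst])
        return dst_ip == self.dst


def evaluate(rules, dst_ip, dst_port, aliases):
    """LAN rules are processed top to bottom; the first match decides.
    With no match the interface default applies: pfSense allows outbound LAN."""
    dst_ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(dst_ip, dst_port, aliases):
            return rule.action, rule.description
    return "pass", "default allow outbound on LAN"


# The README's LAN rules, in the order it prescribes (pass above block).
LAN_RULES = [
    Rule("pass", PFSENSE_LAN_IP, DNS_PORT, "Allow DNS to pfSense"),
    Rule("block", None, DNS_PORT, "Block Internet DNS"),
    Rule("reject", "Facebook_1", None, "Reject outbound Facebook"),
    Rule("reject", "External_DNS", None, "Reject external DNS"),
]


def swapped_dns_rules():
    """The same rules with the two DNS rules in the wrong order: the block
    now shadows the pass, so even queries to the pfSense resolver are blocked."""
    return [LAN_RULES[1], LAN_RULES[0]] + LAN_RULES[2:]


if __name__ == "__main__":
    aliases = build_aliases()
    probes = [("192.168.1.1", 53),      # a LAN client asking the pfSense resolver
              ("192.0.2.99", 53),       # a Roku-style hard-coded external resolver
              ("203.0.113.7", 443),     # a host inside the Facebook_1 alias
              ("198.51.100.200", 443)]  # an ordinary site: falls through to default
    for ip, port in probes:
        print(f"{ip:>16}:{port:<4} -> {evaluate(LAN_RULES, ip, port, aliases)}")
    print("swapped order  -> ", evaluate(swapped_dns_rules(), "192.168.1.1", 53, aliases))
```

If you want to check a real list before pointing an alias at it, replace the text in `ALIAS_FILES` with the downloaded file's contents; `load_alias` will raise on the first line that is not an address or CIDR. The "Log: check" option on the block rule is what lets you see in Status>System Logs>Firewall which devices hit the second rule, i.e. which ones are trying a hard-coded resolver.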