pfBlockerNG Setup Guide: DNS Ad-Blocking and Threat Intel on pfSense
Install and configure pfBlockerNG on pfSense to block ads, trackers, and malicious domains network-wide using DNS. Covers DNSBL feeds, IP reputation blocking, and tuning false positives.
pfBlockerNG is the most powerful package available for pfSense — it combines DNS-based ad/tracker blocking (like Pi-hole) with IP reputation blocking (geo-blocking, threat intel feeds) in a single pane of glass. This guide covers setup from zero to a working multi-feed DNSBL configuration.
Install pfBlockerNG
System → Package Manager → Available Packages → search pfBlockerNG-devel → Install.
Use the devel variant — it’s more actively maintained and required for DNSBL functionality.
After install: Firewall → pfBlockerNG.
Run the setup wizard
On first load, pfBlockerNG offers a setup wizard. Accept the defaults for:
- pfBlockerNG interface: WAN
- Inbound firewall rules: ✓ (blocks inbound threats at the WAN)
- DNSBL: ✓ (enables DNS sinkholing)
- DNS resolver integration: ✓ (pfBlockerNG takes over unbound)
Configure DNSBL feeds
Navigate to DNSBL → DNSBL Feeds → Add:
Recommended free feeds
| Feed name | Source | Category |
|---|---|---|
| Hagezi Threat Intelligence | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt | Ads + Malware |
| Steven Black Unified | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | Ads + Tracking |
| URLhaus | https://urlhaus.abuse.ch/downloads/rpz/ | Malware URLs |
| EasyList | via pfBlockerNG built-in | Ads |
| OISD | https://big.oisd.nl/ | Comprehensive |
Add each feed:
- State: ON
- Action: Unbound
- Update frequency: Every 4 hours (or Daily to reduce load)
- List action: Deny Both (blocks inbound and outbound DNS to matching domains)
Configure IP reputation blocking (optional)
DNSBL → IP Reputation → GeoIP:
- Register for a free MaxMind GeoLite2 account (required because MaxMind issues the license key that pfBlockerNG needs).
- Enter your MaxMind license key in pfBlockerNG → General → MaxMind.
- In IP → GeoIP Profiles, add a block rule for high-risk country groups if needed.
Reputation feeds:
- Emerging Threats (ET) — free IP block lists for known bad actors
- Spamhaus DROP — includes SBL, XBL (requires registration)
Update and force sync
After adding feeds:
- Firewall → pfBlockerNG → Update → Run
- Select: Update mode → Execute
Wait for the download to complete. Check the log for any failed feeds.
Verify it works
From a LAN device:
```
nslookup doubleclick.net 192.168.1.1
# Should return: 0.0.0.0 (sinkholed)
nslookup google.com 192.168.1.1
# Should return: real IP
```
Browse to a site heavy with ads — they should disappear.
Tuning false positives
If a legitimate site is being blocked:
- Check DNSBL → DNSBL Alerts for recent blocks.
- Go to Firewall → pfBlockerNG → DNSBL → Whitelist, add the domain.
- Run an update to rebuild the blocklists.
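The nslookup checks from "Verify it works" can be re-run as a pass/fail script after every feed update or whitelist change, so a legitimate domain that starts being sinkholed is caught early. This is an added example, not part of pfBlockerNG or the original guide; it assumes BIND-style nslookup output, that `RESOLVER` is the pfSense LAN address used above, and that blocked names answer with the `SINKHOLE` address the guide expects.

```shell
#!/bin/sh
# Added example: the guide's two nslookup checks as a repeatable test.
# Assumptions: BIND-style nslookup output; RESOLVER is the pfSense LAN IP;
# SINKHOLE is the answer expected for blocked names (change it if your
# DNSBL answers with a different address).
RESOLVER="${RESOLVER:-192.168.1.1}"
SINKHOLE="${SINKHOLE:-0.0.0.0}"

# Constructed sample of a sinkholed answer, used by "demo" for offline runs.
SAMPLE_BLOCKED='Server:   192.168.1.1
Address:  192.168.1.1#53

Name:     doubleclick.net
Address:  0.0.0.0'

# Print only answer addresses. The Server/Address header describes the
# resolver itself, so nothing is printed until the first "Name:" line.
answers_from_nslookup() {
    awk '/^Name:/ { seen = 1; next } seen && /^Address:/ { print $2 }'
}

# Read nslookup output on stdin; print sinkholed, resolved or no-answer.
classify() {
    addrs=$(answers_from_nslookup)
    if [ -z "$addrs" ]; then echo "no-answer"; return 0; fi
    for a in $addrs; do
        if [ "$a" = "$SINKHOLE" ]; then echo "sinkholed"; return 0; fi
    done
    echo "resolved"
}

# check DOMAIN EXPECTED: query the resolver and compare with the expected state.
check() {
    got=$(nslookup "$1" "$RESOLVER" 2>/dev/null | classify)
    if [ "$got" = "$2" ]; then echo "PASS $1 $got"; return 0; fi
    echo "FAIL $1 expected=$2 got=$got"; return 1
}

case "${1:-}" in
    run)  rc=0
          check doubleclick.net sinkholed || rc=1   # must stay blocked
          check google.com resolved || rc=1         # must keep resolving
          exit "$rc" ;;
    demo) printf '%s\n' "$SAMPLE_BLOCKED" | classify ;;
esac
```

Run it with `run` from a LAN device; add one `check` line per domain you have whitelisted so a later feed update that re-blocks it shows up as a FAIL.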
Dashboard widgets
Diagnostics → pfBlockerNG → Dashboard shows blocked requests, top blocked domains, and feed health.
Comparing pfSense and OPNsense ad-blocking? OPNsense uses the AdGuard Home plugin; pfBlockerNG is more tightly integrated. See firewallcompare.com for a side-by-side.