Free Interactive Tool

Block or Allow any domain on pfSense — in 60 seconds

Enter a domain below and we'll resolve its live IPs, generate a ready-to-paste pfSense Alias + Firewall rule, a DNS Resolver override, a pfBlockerNG feed, and the raw pfctl CLI commands. Works with any public domain.


Analysis for facebook.com

Summary panel: 🚫 Block · IPv4 addresses: - · IPv6 addresses: - · TTL (seconds): - · IP churn risk: -

Resolved IPv4

Method 1 — IP Alias + Firewall Rule

Best for a fixed-IP service. Creates a reusable IP alias and a rule that references it. Fast, deterministic, easy to audit.

pfSense Alias
...
Firewall Rule (LAN)
...

How to apply

Create the alias

Open the aliases page and add a new Host(s) alias with the IPs above.

Firewall › Aliases › IP › Add

Paste the IPs

Use the Name from the alias code block above. Paste each IP on its own row. Each IP can have the domain as its description for audit logs.

Create the firewall rule

Add a new rule on the LAN (or whichever inside interface your users are on) that references the alias.

Firewall › Rules › LAN › Add

Place the rule at the top

Drag the rule above your default allow-LAN rule so it gets evaluated first.

Apply changes

Click the orange Apply Changes banner at the top. Blocking is immediate for new connections.

Method 2 — DNS Resolver Host Override

Best for CDN-hosted services with rotating IPs. We sinkhole the domain to 0.0.0.0, so whichever IP the CDN is using at the moment, clients never resolve the name to a reachable address.

DNS Host Override
...

How to apply

Go to DNS Resolver settings

Services › DNS Resolver › General Settings

Scroll to Host Overrides

Click Add to create a new override.

Fill in the values from the code block

Host: the subdomain (leave blank for root). Domain: the main domain. IP: 0.0.0.0 (sinkhole). Description: Block <domain>.

Save and apply

Click Save, then Apply Changes. Flush client DNS cache (ipconfig /flushdns on Windows) to see the effect immediately.

(Optional) Block DoH

Add a firewall rule that blocks DNS-over-HTTPS traffic (port 443 to known DoH resolvers) so clients can't bypass your DNS.

Limitation: DNS override only works if clients use pfSense as their DNS resolver. Laptops with hard-coded 8.8.8.8 or Windows 11's default DoH will bypass this — which is why Method 1 + 2 combined is strongest.
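The override form above is filled in by hand; the snippet below is an added example (not the generator's own code, nor pfSense's) that produces the equivalent Unbound directives for Method 2 and validates the domain first, since a malformed name must never reach a resolver config. It assumes the 0.0.0.0 sinkhole from the page, "::" for the AAAA record, and goes one step beyond the single host override by emitting a redirect local-zone so subdomains inherit the sinkhole. The DoH helper prints the pf rule for the optional step; DoH_Resolvers is a placeholder table name that you create as an alias and populate yourself.

```shell
#!/bin/sh
# Added example: generate Method 2 (Unbound sinkhole) directives for a domain.
# Assumptions: sinkhole address 0.0.0.0 (as on the page), "::" for AAAA, and
# a `redirect` local-zone so every subdomain resolves to the sinkhole too.

# Validate a hostname before it reaches any config: each label 1-63 chars of
# letters, digits or hyphens with no leading/trailing hyphen, then a TLD of
# 2-63 letters. Returns 0 when valid, 1 otherwise.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print the Unbound snippet for a domain (case-folded). Prints nothing and
# returns 1 if the domain fails validation.
gen_unbound_sinkhole() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    valid_domain "$d" || return 1
    printf 'local-zone: "%s." redirect\n' "$d"
    printf 'local-data: "%s. A 0.0.0.0"\n' "$d"
    printf 'local-data: "%s. AAAA ::"\n' "$d"
}

# Companion to the optional DoH step: a pf rule that rejects TCP/443 to a
# table of resolver addresses. <DoH_Resolvers> is a placeholder table name;
# create it as an alias and fill it with the resolvers you want to block.
# Argument: the inside interface (e.g. em1).
gen_doh_block_rule() {
    printf 'block return quick on %s proto tcp from any to <DoH_Resolvers> port 443\n' "$1"
}
```

Run `gen_unbound_sinkhole facebook.com` on a workstation and paste the output into the host override fields, or into a custom options block; the validation is the part worth keeping even if you type the override by hand.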

Method 3 — pfBlockerNG DNSBL

Enterprise-grade blocking with 50,000+ categorised domains (ads, malware, adult, social, gambling). Install pfBlockerNG from the package manager first.

Custom DNSBL Feed
...

How to apply

Install pfBlockerNG

System › Package Manager › Available › pfBlockerNG-devel

Create a custom DNSBL group

Firewall › pfBlockerNG › DNSBL › DNSBL Groups › Add

Set feed source to "Custom_List"

Paste the content from the code block above into the Custom List text area.

Assign to LAN

Under List Action, select Unbound and save.

Force-reload

Firewall › pfBlockerNG › Update › Force › Reload (All)

Method 4 — pfctl CLI (one-off / emergency)

Fastest way to block an IP during an incident. Changes are ephemeral — lost on reboot unless baked into the ruleset. Great for on-call response.

SSH session · root@pfsense
...

How to apply

SSH into the firewall

Use the admin account with public-key auth. See our hardening guide Step 7.

Select option 8 — "Shell"

From the pfSense console menu; this gives you a full FreeBSD shell.

Paste the commands above

Each command adds an IP to the blocked_ips table used by your alias.

Verify

Run pfctl -t blocked_ips -T show to confirm the IPs are in the table.

Persist

Changes are in-memory only. For permanent blocks, add to an alias in the WebGUI (Method 1) so they survive reboots.
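The pfctl commands the page generates are meant to be pasted one by one; this added example (not the tool's or pfSense's own code) wraps the Method 4 workflow in a small script with address validation, a verify step and a rollback, and a dry-run switch so it can be rehearsed off the firewall. It assumes the table is named blocked_ips as on this page, and that an alias of that name exists so Method 1 persists what Method 4 adds at runtime. The sample addresses in the usage are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example: Method 4 (pfctl table) as a script with a dry-run mode.
# PFCTL defaults to "echo pfctl" so the commands are printed, not executed;
# on the firewall run with PFCTL=pfctl. TABLE defaults to the page's name.
PFCTL=${PFCTL:-"echo pfctl"}
TABLE=${TABLE:-blocked_ips}

# Accept a dotted-quad IPv4 (each octet 0-255, no leading zeros) or anything
# containing ':' (IPv6, left for pfctl to validate). Returns 1 otherwise so a
# typo never lands in a live ruleset.
valid_ip() {
    case $1 in
        *:*) return 0 ;;
    esac
    printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Add each argument to the table. Invalid entries are reported on stderr and
# skipped; the exit status is the number of rejected entries (0 = all added).
block_ips() {
    rejected=0
    for ip in "$@"; do
        if valid_ip "$ip"; then
            $PFCTL -t "$TABLE" -T add "$ip"
        else
            echo "skipped invalid address: $ip" >&2
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}

# The verification step: list what is currently in the table.
show_table() {
    $PFCTL -t "$TABLE" -T show
}

# Roll a one-off block back once the incident is over (in-memory only, like
# the add). Invalid arguments are ignored.
unblock_ips() {
    for ip in "$@"; do
        valid_ip "$ip" && $PFCTL -t "$TABLE" -T delete "$ip"
    done
    return 0
}
```

Dry-run usage: `block_ips 203.0.113.10 2001:db8::5` prints the two add commands; `show_table` prints the verify command. On the firewall, `PFCTL=pfctl TABLE=blocked_ips sh block.sh` runs them for real, and the block still disappears on reboot unless the addresses are also in the alias (Method 1).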

Need this applied across 5+ sites?

We'll do it for you — properly

Bulk domain blocking, scheduled rules (social media during work hours), per-user VLAN policies, and ongoing AMC — talk to our engineers.