Interesting reports from pfBlockerNG for my TrueNAS CE server

trionic · June 17, 2025, 7:34pm

Recently set-up a pfSense server on my network and then pFBlockerNG.

These are the DNS blocklists installed into pfBlockerNG:
ADs_Basic https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
HaGeZi_DNS_Blocklists https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/pro.txt

And these are some of the domains that pfBlockerNG blocks TrueNAS CE 24.10.2.2 from making:

cdn.adfinity.pro
intrustedzone.site
mc.yandex.ru
static.cloudflareinsights.com
statika.mpsuadv.ru
tong.8888888888.bid
vak345.com

cdn.adfinity.pro?
tong.8888888888.bid?
etc

No there’s no malware on any computers or on my network and I do not believe that these are false positives.

Anyone else seeing these reports from pfBlockerNG or equivalent?

What gives?

pmh · June 17, 2025, 7:55pm

I run AdGuard Home here and I do not see any queries for any of these domains from any of my clients including TrueNAS CE.

Queries from any app will appear to come from the TN host - any candidates?

Vollans · June 17, 2025, 9:13pm

No, not seeing anything like this on my pfSense install either.

afrosheen · June 18, 2025, 1:16am

Got any Chinese alibaba mystery hardware on your network? Generally those cdn’s are content delivery networks, pushing data from the edge, locally, at high speed.

I’ve been seeing weird stuff in my logs too, but I have some junk that should probably live on a vlan like a vesync air purifier that phones home and crap like that.

trionic · June 18, 2025, 5:08am

Your answers confirm my surprise as I did not expect to see such things emanatingfrom TrueNAS itself. Been using it since FreeNAS 9.3 and there’s nothing else I would want to use.

Good to hear that those running software similar to pfBlockerNG are not seeing such logs and that these attempted connections will be from something else running on the TrueNAS host.

I am running a few Docker containers:

dockge (with the usual *arr stack for “all those Linux ISOs” )
dozzle
emby
freshrss
glances
immich
it-tools
nginx-proxy-manager
open-speed-test
scrutiny
syncthing

All Docker containers share the same IP (apart from Nginx) and are accessible via an individual hostname thanks to HAProxy (I am a software developer but shamefully, a bit of a networking n00b). No ports open to the outside world.

No mystery Chinese hardware. I know it’s all the rage at the moment but I have been disinclined to follow along with the trend.

2x 2019 MacBook Pros
A QNAP TVS-h1688X which is running TrueNAS CE 24.10.2.2 (maybe that counts as mystery hardware)
“My first ZFS server”: a 2014 homebuilt 4U 24-bay chassis built around a Supermicro X9SRH-7F motherboard) but that’s mostly powered off
Dell PowerEdge R210 II with an Intel NIC running pfSense
Samsung SGS9+
Cisco SG300 switches
No IoT

Thanks all for the responses. I’ll doo some sleuthing to track these connections down to an individual Docker container or something else, and then report back.

etorix · June 18, 2025, 9:22am

…from very respectable sources, surely.

trionic · June 18, 2025, 1:45pm

Impeccable

pmh · June 18, 2025, 1:47pm

Hey, bud!