Ways to block adult content on an SG1100
-
It seems that the SG11 is simply too puny to cope with the 2 built-in lists, so what are the alternatives please? It seems to be FAR too complicated and arcane. I've set the DNS to 1.00.3 and its twin and forced all DNS requests to the pfsense box but that's not working at all! I can get to pornhub no problems
-
@orangehand said in Ways to block adult content on an SG1100:
You mean this 1.0.0.3 mentioned here : https://blog.cloudflare.com/introducing-1-1-1-1-for-families/ ?
Dunno if it's any good, never tested it. It's a free service, so you have to take it as it is.
@orangehand said in Ways to block adult content on an SG1100:
I can get to pornhub no problems
Just to be sure :
Your device has to use DHCP, so it gets a lease from pfSense. This lease will also tell your device to use the DNS pfSense offers to your network.
And now it comes : you, (your family, everybody) as a device owner, can install any browser he or she wants. And guess what : this browser, by default, will most probably not use the system's DNS, but its own "DoH DNS solution", completely bypassing the DNS of your pfSense.
There are even DNS solutions that go out over port 443, TCP. That's the classic https:// port protocol access. Blocking all "port 443, TCP" isn't possible as this blocks every web site on the planet.
This is the default setting of a browser that I use myself :
which means : it will open a TLS protected 'channel' DNS request to "whatever Firefox has decided for you". This can be any DNS upstream server, but certainly not pfSense.
This setting should be set to Off, of course.
This setting can be set and reset, and modified by the device owner.
And they will find this setting as soon as they discover that "something" is doing something with their DNS requests - like : not showing the site they want to see.
All this means that, if you really want that people that use your network do not go to sites you don't want them to go, you have to check their devices .....
The next best solution is : it's known what DNS services Firefox, and Chrome, etc etc are using.
So : install pfBlockerng - don't add any DNSBL, just activate here Firewall > pfBlockerNG > DNSBL > SafeSearch :
This list will get updated if needed (new pfBlockerng version I guess).
You could also activate the first two options.
One last thing : as soon as it is known that you, as a router (pfSense) blocks 'hosts', your network connected clients will get their hands on a (example) prepaid SIM card, and just don't use your network anymore.
You'll think everybody is behaving fine ... and actually you completely lost control.
edit : this last suggestion will work just fine on a 1100.
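Added example, not part of the original posts: a small Python check that flags LAN clients whose DNS bypasses pfSense, either as plain DNS or DoT to an outside server or as HTTPS to a known public resolver (likely DoH). The record layout, the pfSense LAN address 192.168.1.1 and the short resolver list are constructed assumptions for illustration, not pfSense's real log format or a complete DoH feed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the pfSense LAN address clients are supposed to use for DNS.
PFSENSE_LAN = ipaddress.ip_address("192.168.1.1")

# Short illustrative sample of public resolvers that also answer DoH/DoT.
# A real deployment would rely on a maintained list instead.
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in
                    ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

# Constructed sample records: "client dst_ip proto dst_port".
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.20 203.0.113.10 tcp 443
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 1.1.1.1 tcp 443
192.168.1.42 9.9.9.9 tcp 853
192.168.1.42 192.168.1.1 udp 53
"""

def classify(dst, proto, port):
    """Return the bypass type for one flow, or None if it looks normal."""
    if dst == PFSENSE_LAN:
        return None                  # DNS to pfSense itself is the intended path
    if port == 53:
        return "plain-dns"           # classic DNS sent to an outside server
    if port == 853 and proto == "tcp":
        return "dot"                 # DNS over TLS
    if port == 443 and dst in PUBLIC_RESOLVERS:
        return "doh-candidate"       # HTTPS to a known resolver: likely DoH
    return None                      # ordinary web traffic and everything else

def find_bypass(log_text):
    """Map each client IP to the set of bypass types seen in its flows."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                 # skip malformed records
        client, dst, proto, port = fields
        kind = classify(ipaddress.ip_address(dst), proto.lower(), int(port))
        if kind:
            hits[client].add(kind)
    return dict(hits)

if __name__ == "__main__":
    for client, kinds in sorted(find_bypass(SAMPLE_LOG).items()):
        print(client, sorted(kinds))
```

Port 443 to an address outside the resolver list is treated as normal web traffic, which is why the result is only a list of candidates: a DoH server that is not on the list goes unnoticed.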
-
Additionally you need to set the DNS Resolver to forwarding mode in Services > DNS Resolver in order to actually use the servers you set in General Setup.
Try a test from Diag > DNS Lookup to make sure it's using those servers and no others.
Steve
-
@stephenw10 As ever, many thanks!