Block Domain keep changes IP
-
Greetings,
I have set a rule for my LAN net to block a domain name; it does work for a few minutes and then the domain starts responding again, and when I ping the domain it shows me a new IP :/ . Is there any way to handle this and block the domain no matter what IP it resolves to?
Regards
-
@scorpoin What domain is it? If it is behind a CDN it is very hard.
-
@scorpoin you can do it with a host override pointing this FQDN to some invalid IP. You could do it with an unbound direct domain, so it's always a bad IP. You could set up pfBlocker to block the domain.
Most any domain these days is hosted on some CDN, where, yup, they could have lots of different IPs, they could change, etc.
Your client could be using different DNS than pfSense, and could resolve different IPs, etc.
-
Pop the following in DNS Resolver custom settings
server:
local-zone: "z.net." inform_redirect
local-data: "z.net. A 127.0.0.1"
local-data: "z.net. AAAA ::1"

andy@mac-pro ~ % host z.net
z.net has address 127.0.0.1
z.net has IPv6 address ::1
andy@mac-pro ~ % host fred.z.net
fred.z.net has address 127.0.0.1
fred.z.net has IPv6 address ::1
andy@mac-pro ~ %
-
@NogBadTheBad yup that is prob the easiest way to make sure clients can't get to anything.domain.tld that you want to block.
Or you could do an NX setting:
local-zone: "use-application-dns.net" always_nxdomain
$ dig use-application-dns.net

; <<>> DiG 9.16.44 <<>> use-application-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18623
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;use-application-dns.net.      IN      A

;; Query time: 6 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Tue Oct 31 10:01:37 Central Daylight Time 2023
;; MSG SIZE  rcvd: 52

$ dig something.use-application-dns.net

; <<>> DiG 9.16.44 <<>> something.use-application-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9856
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;something.use-application-dns.net.      IN      A

;; Query time: 8 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Tue Oct 31 10:01:43 Central Daylight Time 2023
;; MSG SIZE  rcvd: 62

Edit: to keep in mind, if the client is not using pfSense for DNS, DNS blocks are not going to do anything.
-
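An added example that is not part of the thread and not pfSense or unbound code: a small Python generator for the two unbound forms shown in the two posts above, the inform_redirect zone with A/AAAA local-data (the z.net post) and the always_nxdomain zone (the use-application-dns.net post). It turns a list of domains into a block that can be pasted into the DNS Resolver custom options, validates each name first so a typo does not leave unbound refusing to reload, and drops entries already covered by a parent zone. The function names are my own; the sinkhole addresses default to 127.0.0.1 and ::1 as in the z.net example.

```python
"""Generate an unbound custom-options block that blocks a list of domains.

Added example for this thread, not code from any poster or from pfSense.
Two zone styles are supported, matching the two posts above:
  redirect -> local-zone ... inform_redirect plus A/AAAA local-data, so the
              domain and every name under it answer with a sinkhole address
  nxdomain -> local-zone ... always_nxdomain, so the domain and every name
              under it answer NXDOMAIN
Names are validated before they reach the config so a typo does not leave
unbound refusing to start.
"""
import re
from typing import Iterable, List

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_domain(name: str) -> str:
    """Lowercase, drop a trailing dot, punycode IDN labels, and validate the result."""
    name = name.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        raise ValueError(f"bad domain length: {name!r}")
    try:
        # e.g. "bücher.example" -> "xn--bcher-kva.example"; empty labels raise UnicodeError
        ascii_name = name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain: {name!r}") from exc
    labels = ascii_name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid domain: {name!r}")
    return ascii_name


def is_valid_domain(name: str) -> bool:
    """True if normalize_domain() accepts the name."""
    try:
        normalize_domain(name)
        return True
    except ValueError:
        return False


def redirect_zone(domain: str, v4: str = "127.0.0.1", v6: str = "::1") -> List[str]:
    """The z.net form: log the query (inform) and answer the sinkhole address (redirect)."""
    d = normalize_domain(domain)
    return [
        f'local-zone: "{d}." inform_redirect',
        f'local-data: "{d}. A {v4}"',
        f'local-data: "{d}. AAAA {v6}"',
    ]


def nxdomain_zone(domain: str) -> List[str]:
    """The use-application-dns.net form: the name and everything under it is NXDOMAIN."""
    d = normalize_domain(domain)
    return [f'local-zone: "{d}." always_nxdomain']


def build_config(domains: Iterable[str], mode: str = "nxdomain",
                 v4: str = "127.0.0.1", v6: str = "::1") -> str:
    """Return a 'server:' block ready to paste into the DNS Resolver custom options.

    Duplicates and nested names are collapsed: a zone for example.net already
    covers cdn.example.net, so the more specific entry is dropped.
    """
    if mode not in ("nxdomain", "redirect"):
        raise ValueError(f"unknown mode {mode!r}")
    # Parents first (fewer dots), so each child can be checked against kept parents.
    names = sorted({normalize_domain(d) for d in domains}, key=lambda n: (n.count("."), n))
    kept: List[str] = []
    for n in names:
        if not any(n == k or n.endswith("." + k) for k in kept):
            kept.append(n)
    lines = ["server:"]
    for n in sorted(kept):
        zone = nxdomain_zone(n) if mode == "nxdomain" else redirect_zone(n, v4, v6)
        lines.extend("    " + line for line in zone)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config(["cdn.example.net", "Example.NET.", "use-application-dns.net"]))
    print(build_config(["z.net"], mode="redirect"))
```

Either form answers for every name under the zone, which is what the host and dig outputs above show; the redirect form is the one to pick when you want the query logged and a connection attempt to land on a sinkhole rather than fail to resolve. Both only matter for clients that actually ask pfSense, as the edit above says.
-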
@johnpoz
Instead of giving it a bad IP: I already have pfBlockerNG with customized white- and blacklisted domains; I added it yesterday into the blacklist right after the post :). pfBlockerNG did a great job, and the only disadvantage of pfBlockerNG is that it does not work for a specific domain, I mean I won't be able to allow a specific domain for a specific IP/host, but I wonder if we could do it somehow using firewall rules to block this CDN domain.
Regards
Scorpoin
-
@scorpoin said in Block Domain keep changes IP:
it some how using firewall rules to block this CDN domain.
Firewall rules don't know anything about 'source' or 'destination' using text = host names.
They have to get 'translated' to an IP address.
You could use an alias, go wild with:
(under System > Advanced > Firewall & NAT, bring it down to a lower value) or say to yourself: if xyz.tld is forbidden on my LAN, and everything is always DNS based, do what is proposed above: host override it on the resolver page.
Or add the DNS sledgehammer pfBlocker solution, and create a home-made feed with the domain name.
If the users that try to use xyz.tld have some neurons, they will stop using your local (pfSense) DNS, and switch to DoH or something like it.
Firewall rules with a constantly resolved alias are then the only way.
Just keep in mind that pfSense is stateful, so once a LAN user is connected to the (new) IP of xyz.tld (and the firewall rule wasn't yet updated with the new IP), a state already exists for this user's traffic.
In the end users will just stop using your network, and use another network (SIM card, neighbors, whatever).
Btw: really, a web site that changes its IP every xx seconds?
-
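An added example that is not part of the thread and not pfSense code, for the alias approach in the post above: a hostname alias in pfSense only holds the addresses from its most recent resolution, so a CDN name that hands out a new address between resolve intervals slips past the rule, and a state opened before the alias updated keeps flowing anyway. This Python script samples a name repeatedly, keeps every address ever seen (plus any already known), and renders the set as one CIDR per line in the shape a URL-table alias consumes. The resolver is injected as a callable so the demo runs offline on constructed answers; the function names, the made-up hostname and the documentation-range addresses are my own.

```python
"""Accumulate every address a CDN-hosted name resolves to and render a
pfSense-style alias table (one entry per line) for a firewall rule.

Added example for this thread; not pfSense code. Rather than trusting the
latest answer only, the table grows with each sample, so addresses handed
out earlier stay blocked after the name moves on. system_resolve() uses
whatever DNS this host is configured with: if that is not pfSense you see
what the client sees, not what unbound answers (the caveat raised above).
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolve(name: str) -> List[str]:
    """Resolve with the host's configured DNS (A and AAAA), deduplicated."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def collect_addresses(name: str, samples: int,
                      resolve: Callable[[str], Iterable[str]],
                      known: Iterable[str] = ()) -> Set[IPAddr]:
    """Union of previously known addresses and every answer over `samples` resolutions."""
    seen: Set[IPAddr] = {ipaddress.ip_address(a) for a in known}
    for _ in range(samples):
        seen.update(ipaddress.ip_address(a) for a in resolve(name))
    return seen


def alias_lines(addresses: Iterable[IPAddr], widen_v4_to: int = 0) -> List[str]:
    """One CIDR per line, adjacent entries collapsed, IPv4 before IPv6.

    widen_v4_to=24 rounds each IPv4 address to its /24. That assumes the CDN
    rotates inside a prefix, which the thread does not establish, so it is
    off by default.
    """
    nets = []
    for a in addresses:
        if widen_v4_to and a.version == 4:
            nets.append(ipaddress.ip_network(f"{a}/{widen_v4_to}", strict=False))
        else:
            nets.append(ipaddress.ip_network(str(a)))
    # collapse_addresses() refuses mixed versions, so collapse each family separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def demo() -> List[str]:
    """Offline run over constructed answers: three resolutions of a made-up name
    that returns a different address each time, plus one address seen earlier."""
    answers = iter([["203.0.113.5"], ["203.0.113.6", "2001:db8::10"], ["203.0.113.5"]])
    seen = collect_addresses("cdn.example", 3, lambda _name: next(answers),
                             known=["198.51.100.7"])
    return alias_lines(seen)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run the real thing with `collect_addresses("xyz.tld", 20, system_resolve, known=previous_table)` from a cron job and publish the lines where the alias fetches them; it narrows the window the post describes but does not close it, since a state opened against an address not yet in the table survives until it is cleared.
-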
Try using Squid proxy with SquidGuard :)