Blocking explicit websites.
-
I used to use Squid and SquidGuard to block explicit websites for the company.
Lately I can't seem to get it to function, and the HTTPS blocking wasn't working.
Can someone recommend what they use to block explicit websites? Is this a 3rd party add-on, DNS blocking, or is it done at the pfSense layer?
-
@nambi Always a good source of discussion. Squid does it by actually looking at the traffic, so that will catch everything you want it to (if done correctly). But it’s complicated, and squid is being deprecated for pfsense as far as I can tell - so not a good path going forward.
Doing it at the pfSense layer is not really an option, which leaves you with pfBlockerNG (DNS Blocking).
That can be VERY effective, but it requires you to spend some time configuring it - and spending an equal amount of time to make sure you are blocking client “DNS over HTTPS/TLS” as well as NAT’ing rogue client DNS towards your pfSense DNS service (127.0.0.1).
-
@nambi said in Blocking explicit websites.:
is this a 3rd party add on
The same option is valid for every user using a LAN device: install a VPN using (for example) port 443 and they will bypass whatever you put in place.
This means you have to have full control over every device on your networks, which means probably a Windows domain controller network (if your network is Microsoft only). Something that is easy to implement: a captive portal with vouchers, or use passwords and change them often. Hand over the new passwords yourself, so you know who can access your networks and when. The ones you don't trust: don't give them access.
I know, still not perfect.
-
@Gertjan said in Blocking explicit websites.:
The same option is valid for every user using a LAN device: install a VPN using (for example) port 443 and they will bypass whatever you put in place.
If in a corporate environment, this is easily handled by having a whitelist model - which should be the norm. You can't install a VPN client if it hasn't been whitelisted.
If you are an organization with very weak controls of your own assets to the point that anyone can install a VPN client on them... not sure how pfSense can help.
-
Would you consider using OpenDNS?
-
@nambi Sure, any DNS filtering option that you are comfortable with, and find easy to use would do.
But you still need to make sure you are doing your best to block “alternative DNS options” for clients, which gets somewhat more difficult if you do not use pfBlockerNG.
Don’t let clients use OpenDNS servers directly. Set up DNS Resolver in pfSense and forward it to OpenDNS. Then you can still create a NAT destination rule that catches all rogue DNS client requests and forwards them to the built-in resolver (using OpenDNS).
Then all you have to do is figure out how to easily block most/well-known DNS over HTTPS/TLS servers - that will get a little hard without pfBlockerNG (where it’s quite easy).
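The two posts above (the first reply about NAT'ing rogue DNS to 127.0.0.1 and blocking DoH/DoT, and this one) describe one egress policy in three rules. The following Python models that policy as a first-match rule set and runs it over sample flows, so you can check a rule order before typing it into the firewall. It is an added example, not pfSense, pfBlockerNG or any poster's code: the LAN subnet, the pfSense LAN address, and the list of DoH resolver addresses are all assumptions, and the sample traffic is constructed from RFC 1918 and RFC 5737 example ranges.

```python
"""
Added example (not pfSense or pfBlockerNG code): a first-match model of the
DNS egress policy from the thread. All addresses are constructed from
documentation/private ranges; the DoH list is a placeholder, not a real feed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")  # assumed LAN subnet
LAN_GW = "192.168.1.1"                   # assumed pfSense LAN address that clients get as DNS server
RESOLVER = "127.0.0.1"                   # pfSense DNS Resolver, the redirect target named in the thread
# Constructed placeholder list of public DoH endpoints to block on 443. In practice
# this list comes from a maintained feed (the part the post says is hard without pfBlockerNG).
DOH_RESOLVERS = {"198.51.100.10", "203.0.113.53"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def classify(flow: Flow) -> tuple[str, str]:
    """Return (action, reason) for one outbound flow.

    Rule order mirrors the firewall: first match wins, so the
    "DNS to our own resolver" rule must sit above the catch-all redirect.
    """
    if ip_address(flow.src) not in LAN_NET:
        return ("pass", "not a LAN client, policy does not apply")
    # 1. Plain DNS to the pfSense resolver is the intended path.
    if flow.dport == 53 and flow.dst == LAN_GW:
        return ("pass", "DNS to local resolver")
    # 2. Plain DNS to anything else: the NAT destination rule rewrites it.
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        return ("redirect", f"rogue DNS -> {RESOLVER}:53")
    # 3. DNS over TLS always uses 853; clients have no legitimate use for it here.
    if flow.dport == 853 and flow.proto == "tcp":
        return ("block", "DNS over TLS")
    # 4. DNS over HTTPS hides inside 443; only a destination list can catch it.
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in DOH_RESOLVERS:
        return ("block", "DNS over HTTPS to listed resolver")
    return ("pass", "ordinary traffic")


def summarize(flows) -> dict:
    """Count actions so a rule set can be sanity-checked against sample traffic."""
    counts = {"pass": 0, "redirect": 0, "block": 0}
    for f in flows:
        counts[classify(f)[0]] += 1
    return counts


# Constructed sample traffic covering each branch of the policy.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", LAN_GW, "udp", 53),            # normal lookup -> pass
    Flow("192.168.1.20", "198.51.100.53", "udp", 53),   # hard-coded external resolver -> redirect
    Flow("192.168.1.21", "198.51.100.10", "tcp", 853),  # DoT -> block
    Flow("192.168.1.21", "198.51.100.10", "tcp", 443),  # DoH to listed resolver -> block
    Flow("192.168.1.22", "203.0.113.80", "tcp", 443),   # ordinary HTTPS -> pass
    Flow("10.0.0.5", "198.51.100.53", "udp", 53),       # not on LAN -> out of scope
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, *classify(f))
    print(summarize(SAMPLE_FLOWS))
```

The model makes the weak spot visible: rules 1 to 3 are port-based and catch everything, while rule 4 only blocks DoH endpoints that are on the list, so a DoH server not in `DOH_RESOLVERS` passes as ordinary HTTPS. That is exactly why the post recommends a maintained feed such as pfBlockerNG's rather than a hand-typed list.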