Netgate Discussion Forum
    Whitelist DNS for specific interface

GeorgeCZ58:

Hello, I need to block DNS resolution for a specific interface and resolve only specific domains. Filtering on the firewall itself is not enough for our cybersecurity team. Any tips on how to proceed? I am using the DNS Resolver and pfBlockerNG - is it possible to do that with them? They suggest using Squid for that. Is that really needed? Thanks.

Gertjan @GeorgeCZ58:

        @GeorgeCZ58 said in Whitelist DNS for specific interface:

        Filtration on firewall itself is not enough for our cybersecurity team

Because you can filter on a higher level, like the ISP? Are you sure that is possible?
Because you can filter on a lower level, like the device itself? Are you sure that is possible (and is that secure)?
What do you mean by 'not enough'?

Edit:
pfBlocker by itself, when you install it, does (blocks) nothing. You have to add IP/network lists or DNSBL lists so it will block these when used.

AFAIK, I'm not sure if it can work the other way around:
pass a domain name (or subdomain) that is white-listed,
and then block the rest.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

GeorgeCZ58 @Gertjan:

          @Gertjan said in Whitelist DNS for specific interface:

          @GeorgeCZ58 said in Whitelist DNS for specific interface:

          Filtration on firewall itself is not enough for our cybersecurity team

Because you can filter on a higher level, like the ISP? Are you sure that is possible?
Because you can filter on a lower level, like the device itself? Are you sure that is possible (and is that secure)?
What do you mean by 'not enough'?

Edit:
pfBlocker by itself, when you install it, does (blocks) nothing. You have to add IP/network lists or DNSBL lists so it will block these when used.

AFAIK, I'm not sure if it can work the other way around:
pass a domain name (or subdomain) that is white-listed,
and then block the rest.

But I need that only for a specific interface (VLAN); for the rest I need to use pfBlockerNG with only selected lists (to allow internet connection).

Gertjan @GeorgeCZ58:

            @GeorgeCZ58

A quick Google search gave me this:

            https://community.ipfire.org/t/any-way-to-block-all-dns-queries-and-whitelist-some/10544

Btw: because 'respip' was unknown to me, I found this. So it exists.
Not sure if pfSense has this software component. It is a module created by NLnetLabs (the Unbound author).

So, easy plan A: Pi-hole?

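The "pass a few domains, block the rest, but only for one VLAN" policy asked about in this thread can be expressed in Unbound itself (the engine behind the pfSense DNS Resolver, where such lines go into the Custom options box) by binding that VLAN's subnet to a view. This is an added example and not from anyone in the thread or from the pfSense project; the subnet 192.0.2.0/24 and the domain names are constructed placeholders.

```conf
# Added example (not from the thread): restrict one VLAN to a DNS allow-list
# inside Unbound, using a view tied to that VLAN's source addresses.
# Assumptions (constructed placeholders): the restricted VLAN is 192.0.2.0/24
# and the only permitted domains are allowed-app.example and updates.example.
server:
    # Clients from the VLAN are evaluated against the "restricted" view.
    # Every other network keeps the normal access-control: allow entries
    # that pfSense generates, so their resolution is unchanged.
    access-control-view: 192.0.2.0/24 restricted

view:
    name: "restricted"
    # view-first: no means only this view's local-zones apply to these
    # clients; the server-wide zones (including the private reverse
    # zones) are not consulted as a fallback.
    view-first: no
    # Catch-all: any name not under a more specific zone below gets a
    # REFUSED answer instead of being resolved upstream.
    local-zone: "." refuse
    # Allow-list: "transparent" zones are resolved normally, and a zone
    # covers every subdomain of the listed name.
    local-zone: "allowed-app.example." transparent
    local-zone: "updates.example." transparent
```

Because the answer is an explicit REFUSED rather than a timeout, blocked lookups are easy to spot in the resolver and client logs. This only holds if the firewall rules on that VLAN allow DNS (TCP/UDP 53) solely to the pfSense interface address; otherwise a client can simply query another resolver directly.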