Netgate Discussion Forum

    Blocking URLs in pfSense firewall for specific range of IP

    Scheduled Pinned Locked Moved Firewalling
    17 Posts 3 Posters 1.1k Views
      stephenw10 Netgate Administrator
      last edited by

      You could switch that around so that most systems use 1.1.1.1 directly but kids' systems use Unbound in pfSense and are forwarded to 1.1.1.3. Then you can add filtering to Unbound for some domains.

      Or you could pass kids' systems to an external DNS service that allows adding domains to block.

        ngr2001 @stephenw10
        last edited by

        @stephenw10

        Not really crazy about that idea. I have DNS over TLS configured and other local hosts I'd like to be able to address by hostname easily.

        Perhaps there is a plugin solution?

          ngr2001 @stephenw10
          last edited by

          @stephenw10

          I also found the custom view option you were referencing, which I really like. This would be almost perfect if all clients were using the pfSense box for DNS. I don't suppose there is a way to create a view so that certain clients have their requests forwarded to 1.1.1.1 and others to 1.1.1.3? Outside of my current method, which is via DHCP. If this does not exist, could this be a potential future product enhancement?


            stephenw10 Netgate Administrator
            last edited by

            I haven't tried that but I believe you could. You should be able to set any number of parameters for the client view.

            An alternative here might be to also run the DNS forwarder. You have to run it on a different port to avoid a conflict but you can forward requests to that port.

              ngr2001 @stephenw10
              last edited by

              @stephenw10

              Is there any documentation of what parameters exist for DNS Resolver, and/or would you be able to hook me up with the syntax for the above scenario?

              Thank you so much.

                stephenw10 Netgate Administrator
                last edited by stephenw10

                I'm not sure what it would be for that off-hand. But you should be able to enter config for anything that the resolver (Unbound) can do so:
                https://man.freebsd.org/cgi/man.cgi?query=unbound.conf

                A lot!

                  ngr2001 @stephenw10
                  last edited by ngr2001

                  @stephenw10

                  How does this look? I would like to back up / edit the Unbound config via SSH; where does one find that config file?

                  view:
                      name: "client_110"
                      view-first: yes
                      client-subnet: 1.0.0.110/32

                  forward-zone:
                      name: "."
                      forward-addr: 1.1.1.3

                    stephenw10 Netgate Administrator
                    last edited by

                    The unbound conf file is generated automatically from the pfSense config when the service is started and anytime a change is made. Editing the config directly is only useful as a test. But it's in /var/unbound/unbound.conf.

                      ngr2001 @stephenw10
                      last edited by

                      @stephenw10

                      Good to know.

                      How does my syntax above look?

                        stephenw10 Netgate Administrator
                        last edited by stephenw10

                        Well like I said I've tried to do that so.... I'm not sure. 😉

                        Does it work? I'd expect to see a load of errors when it creates the test config if there's a problem.

                        1 Reply Last reply Reply Quote 0
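
The per-client filtering idea from the start of this thread, written as an Unbound view. This is an added example, not part of any post and not Netgate's own configuration: it maps one client to a view with `access-control-view` and blocks two domains for that client only, using options documented in unbound.conf(5). The client address, view name and domain names are constructed placeholders, and it assumes the fragment is entered as DNS Resolver custom options, since /var/unbound/unbound.conf is regenerated on every change.

```conf
# Added example. Address, view name and domains are constructed placeholders.
server:
    # Select a view by the client's source address. Clients that match no
    # access-control-view line are answered from the global configuration.
    access-control-view: 192.168.1.110/32 kids

view:
    name: "kids"
    # Try this view's local-zone data first; on no match fall back to the
    # global local data and then to normal resolution or forwarding.
    view-first: yes
    # always_nxdomain answers NXDOMAIN for the zone and every name below it.
    local-zone: "blocked-example.com." always_nxdomain
    local-zone: "another-blocked.example." always_nxdomain
```

After saving, `unbound-checkconf /var/unbound/unbound.conf` reports syntax errors in the generated file. The view only applies to clients that send their queries to Unbound on the pfSense box.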
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.