How to block internet access for client operating system's DNS over HTTPS
-
Good day. How do I block internet access for users who have enabled their operating system's DNS over HTTPS? Below are screenshots from Firefox and Chrome showing that it bypassed pfBlockerNG when Windows Settings' DNS over HTTPS is enabled:

But if Windows Settings' DNS over HTTPS is not enabled, the pfBlockerNG blocking is successful:

And also, if Windows Settings' DNS over HTTPS is not enabled, the pfBlockerNG blocking is still successful even when the browsers' secure DNS is enabled:

Only pfBlockerNG is in the floating rules:

Only the "block bogon networks" rule is in the WANs' firewall rules:

These are the firewall rules for one of the VLANs:

It is set to fail over from WAN1 to WAN2 (starlink):

For the DNS Resolver: only the VLANs, LAN, and Localhost are selected in Network Interfaces. And only the WANs are selected in the Outgoing Network Interfaces:


This is the first part of DNS Resolver's Advanced Settings. Please let me know if I need to send the remaining entries:

pfBlockerNG > DNSBL > DNSBL SafeSearch > DoH/DoT/DoQ Blocking is enabled and every entry on the list is selected:

I learned that Windows Settings' DNS over HTTPS can bypass pfBlockerNG while testing the suggestions on my previous post (for a different problem) below, but I could not make the port forward work. If port forwarding is the solution, please advise what entries to add for a multi-VLAN and multi-WAN setup. Please also help if the solution is something other than port forwarding. I'm ok with just blocking if it will take fewer steps compared to configuring pfSense so that users will always use its DNS whatever settings they may have. Thank you in advance for your suggestions.
https://forum.netgate.com/topic/198862/should-failover-for-wan1-and-should-not-failover-for-wan2
-
@richardsago not sure what you're wanting to block - specific things, or the internet completely?
DNS blocking is normally used to block ads and bad sites. I wouldn't use it to block, say, apple.com, etc.
If you don't want the machine to have internet - just don't allow any internet.
But blocking DoH servers - what DoH server are they going to? Just block going to those IPs. No more DoH for them.
-
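The two measures in play here (force plain DNS to the firewall, block the DoH/DoT endpoints by address) can be expressed as a per-VLAN ruleset. The generator below is an added example, not the thread's or pfSense's own configuration: on pfSense the same thing is entered in the GUI (Firewall > NAT > Port Forward for the redirect, Firewall > Rules for the blocks), and the pf syntax here is what those entries amount to. Because the redirect and the blocks are applied on the ingress VLAN interface, which WAN is active at the time is irrelevant, so the ruleset does not change for a multi-WAN failover setup. The VLAN names and addresses are constructed, and the resolver addresses are an assumption (the public resolvers Windows 11 treats as known DoH servers).

```python
"""Generate per-VLAN pf rules that force clients to use the firewall's resolver.

Added example, not from the forum thread or pfSense. Interface names, firewall
addresses and the resolver list are assumed values.
"""
from ipaddress import ip_address

# Assumed VLAN interface -> firewall address on that VLAN (constructed sample).
VLANS = {"vlan10": "192.168.10.1", "vlan20": "192.168.20.1"}

# Assumed: resolvers Windows 11 will use for DoH without any extra client configuration.
DOH_RESOLVERS = ["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"]


def dns_rules(vlans: dict, doh_resolvers: list) -> list:
    """Return pf rules, one table plus four rules per VLAN, in evaluation order."""
    for addr in doh_resolvers:
        ip_address(addr)  # fail early on typos; a bad table entry silently weakens the policy
    rules = [f"table <doh_resolvers> {{ {', '.join(doh_resolvers)} }}"]
    for ifname, fw_ip in vlans.items():
        ip_address(fw_ip)
        # 1. Redirect plain DNS aimed anywhere but the firewall back to the firewall.
        #    The resolver must be listening on this interface for the redirect to work.
        rules.append(
            f"rdr pass on {ifname} inet proto {{ tcp, udp }} "
            f"from any to ! {fw_ip} port 53 -> {fw_ip} port 53")
        # 2. DoT (TCP 853) and DoQ (UDP 853) have no legitimate use from a client VLAN:
        #    block them outright so the client falls back to plain DNS.
        rules.append(
            f"block return quick on {ifname} inet proto {{ tcp, udp }} "
            f"from any to any port 853")
        # 3. DoH rides on TCP 443, so it can only be blocked by destination address.
        #    The table keeps the block limited to the resolver IPs, not all HTTPS.
        rules.append(
            f"block return quick on {ifname} inet proto tcp "
            f"from any to <doh_resolvers> port 443")
        # 4. Everything else from this VLAN is passed (replace with your existing VLAN rules).
        rules.append(f"pass in quick on {ifname} inet from {ifname}:network to any")
    return rules


if __name__ == "__main__":
    print("\n".join(dns_rules(VLANS, DOH_RESOLVERS)))
```

Syntax-check the output on any pf host with `pfctl -nf` before applying it. The redirect does not help against DoH on its own: a Windows client with DoH enabled never sends port 53 traffic, which is why rule 3 blocks the resolver addresses directly, and it only covers resolvers that are in the table, so a user who adds an unlisted DoH server in Windows still needs that address added.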
Thank you @johnpoz for the reply. I would like all users to get an internet connection only if they use the pfSense DNS, so that pfBlockerNG can block certain types of websites that the organization wants blocked. So that if they configure their Windows Settings to use DNS over HTTPS, they will not be able to connect to the internet (and bypass pfBlockerNG) like they can do now. Will this be possible, or is all blocking impossible if users enable their Windows Settings' DNS over HTTPS?
-
Additional info: pfBlockerNG > IP is not used and these are the two blockings under DNSBL:


-
Additional information that may be useful:
These are the DNS Server Settings:

These are the monitor IP:

-
Why these:

if you are not forwarding to them (you are resolving):

?
Also, for "DNS over HTTPS/TLS/QUIC Blocking" to work, you need to stop using the ancient 'unbound' method and use the Python method: check this one:

and make sure this "DNSBL Mode" is set to 'Unbound Python mode' here as well:

IIRC, it's the Python pfBlockerNG extension that handles DoH/DoT/DoQ Blocking.
Btw: when you switch from ISC DHCP to Kea, you shouldn't use unbound mode anyway.
About the "Windows Settings' DNS over HTTPS":
The DNS-over-HTTPS server Windows is using - I'm not sure which one it is - must be part of the "pfBlockerNG" list:
edit:
Also: forget about this one:

as that page, generated by pfBlockerNG to show the user that he wanted to visit a site that is blacklisted, only works for http sites. Not for https sites, as you can't redirect an https connection: that will introduce a certificate failure.
So, use:
instead of:

as there are no "http" sites anymore.
https sites that contain http ad pages / content will also be flagged as a massive ugly fail by the browser. The pfBlockerNG web server page won't get shown.
-
Thank you @Gertjan for the reply. 1 of 4 ok) I have successfully enabled Services > DNS Resolver > General Settings > "Enable Python Module" and we did not experience any internet problem.

2 of 4 ok) I have successfully changed Firewall > pfBlockerNG > DNSBL > DNSBL > Logging/Blocking Mode to "Null Blocking (no logging)" and there's no internet problem. But there was no choice for "Null Block (logging)"; not sure if this is because I did not set "DNSBL Mode" to "Unbound python mode" <- this is the next item, 3, below.

3 of 4 problem) When I set Firewall > pfBlockerNG > DNSBL > DNSBL Mode to "Unbound python mode" we lose the internet connection, so I returned it to "Unbound mode". This is also what happened when I tried this last month. Are there other settings that I need to change from these:





4 of 4 question) Do I understand correctly that because we have 2 WANs and the pfSense instruction is to ensure each WAN has a DNS entry in System > General Setup > DNS Server Settings, I should enable Services > DNS Resolver > General Settings > "DNS Query Forwarding"?


-
@richardsago said in How to block internet access for client operating system's DNS over HTTPS:
But there was no choice for "Null Block (logging)"
"Null Block (logging)" works only when Python mode is enabled.
@richardsago said in How to block internet access for client operating system's DNS over HTTPS:
When I set Firewall > pfBlockerNG > DNSBL > DNSBL Mode to "Unbound python mode" we lose internet connection so I returned it to "Unbound mode"
That's not a normal situation at all. You have a DNS issue then.
Consider flipping everything back to default first. This is part of 'default':

In a nearby future, 'unbound' mode might as well be removed.
You can see "python mode" as a plugin or addon to unbound.
It's a script file that unbound uses.
Unbound uses 'python' as the interpreted script language, and that's why we call it 'python mode'.
It could have been a shell script, Lua, or whatever. This Unbound Python script has now been tested a couple of multiples of trillions of times (every DNS request executed by every pfSense using pfBlockerNG out there).
It's a safe bet to say that there are no more known issues with it. About:

You might as well remove all these.
pfSense, the resolver, doesn't need any DNS servers (that you've assigned).
It doesn't use them.
Unbound is a resolver, which means it resolves using the official (root) DNS servers.
No need to use some commercial offer from anybody. 8.8.8.8 and 8.8.4.4 are also resolvers btw. But why would you hand over your private DNS requests to these commercial entities?