Netgate Discussion Forum
    Blocking sites with DNS

Category: DHCP and DNS
    30 Posts 9 Posters 13.6k Views
mojo-chan

Is there an easy way to block multiple sites with DNS?

Presumably if I set up DHCP to use the DNS Forwarder, and then add the domains I want to block with an IP address of 127.0.0.1 (or maybe the router's IP address), that should block them for DHCP users. Of course anyone using manual DNS settings will still see them, but it's only for ad-blocking.

The issue I have is that I want to add a lot of domains (using a hosts.txt file from http://www.mvps.org/winhelp2002/hosts.htm) and don't want to have to enter them one at a time. Is there a way to bulk add them?
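The bulk-add the question asks for is mostly a format conversion: the mvps.org list is a hosts file ("0.0.0.0 hostname" per line, with comments), while a forwarder wants one override per name. The script below is an added example, not code from this thread or from pfSense; it parses a constructed hosts-file excerpt, drops comments, duplicates and the loopback entries, and emits override lines. The output format assumes the forwarder is dnsmasq (which pfSense's DNS Forwarder is built on); `address=/name/127.0.0.1` is real dnsmasq syntax and also matches every subdomain of `name`, whereas a plain hosts-style entry matches the exact name only. How those lines are loaded into a given pfSense release is not covered by the thread and is left to the reader.

```python
import re
from typing import Iterable, List

# Constructed sample in the mvps.org hosts-file layout (the real list is far longer).
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: http://winhelp2002.mvps.org/
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 ad.doubleclick.net     # duplicate, must be emitted once
0.0.0.0 www.doubleclick.net #[Google]
0.0.0.0 ads.example.com
::1 localhost
"""

# "<address> <hostname>" at the start of a line; trailing fields/comments are ignored.
_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")
# Loopback names that every hosts file carries and that must never be overridden.
_SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_hosts(text: str) -> List[str]:
    """Return the unique hostnames from a hosts-file blob, in first-seen order.

    The sink address in the file is ignored: the forwarder gets its own sink,
    so only the name column matters.
    """
    seen = set()
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # strip "#[Google]"-style trailing comments
        m = _LINE.match(line)
        if not m:
            continue  # blank or comment-only line
        name = m.group(2).lower().rstrip(".")
        if name in _SKIP or name in seen:
            continue
        seen.add(name)
        names.append(name)
    return names


def to_dnsmasq(names: Iterable[str], sink: str = "127.0.0.1") -> List[str]:
    """One dnsmasq 'address=/name/sink' line per host (covers subdomains too)."""
    return [f"address=/{n}/{sink}" for n in names]


def to_hosts(names: Iterable[str], sink: str = "127.0.0.1") -> List[str]:
    """Alternative output: plain hosts-file lines (exact names only, no subdomains)."""
    return [f"{sink} {n}" for n in names]


if __name__ == "__main__":
    # Running stand-alone prints the dnsmasq form of the constructed sample.
    print("\n".join(to_dnsmasq(parse_hosts(SAMPLE_HOSTS))))
```

Because `address=/doubleclick.net/127.0.0.1` already answers for `www.doubleclick.net`, a list converted this way can be shortened to its registrable domains where that is acceptable; the hosts-style output keeps hoba's later caveat in force, namely that `ciao.de` and `www.ciao.de` need separate entries.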
jahonix

Why don't you install squid and put the list in the Access Control Blacklist?
That's one of the ways it should be done. Fiddling with the DNS resolution really isn't.
mojo-chan

Could go that way I guess. I just wanted to see if I could do it without the overhead of a proxy.
GruensFroeschli

Well, you "could" resolve all the names to IPs and then create an alias which contains all these IPs and make a block rule with these IPs as the destination.

But this seems to be a bit of work.
Also if the IP of a name changes….

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
hoba

You can even use hostnames in the host aliases. The only "glitch" when doing this is that the hostnames are only resolved once on filter reloads, and I think it won't work for hosts that resolve to multiple IPs. You will see a better solution for this in the next version, so for now use it at your own risk.
mojo-chan

Guess I'll wait for the next version then.
jahonix

What do you think is gonna change in the next version in regard to DNS resolution or blacklist handling?
hoba

You will be able to use hostnames in host aliases, which will be frequently checked for changes. If a change is detected the filter will be reloaded to update the IPs in the alias. I think Scott already has some code for this in RELENG_1, iirc.
jahonix

Cool! That's gonna make some fancy stuff.
But RELENG to release is still a looong way to go, I'm afraid.
hoba

There is one more thing to keep in mind when using this kind of blocking. If x.com is hosted on the same IP as y.com and you want to block x.com, it will block y.com as well, as it blocks the IP that got resolved.
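The two weaknesses of the IP-alias approach raised in this thread, collateral blocking of sites that share an address and aliases going stale because names are resolved only once, can both be checked before a rule is deployed. The code below is an added example, not from the thread or from pfSense; it works on a constructed table of resolver answers (a real run would fill the same table from `socket.getaddrinfo`), and the `known_names` inventory it checks against is an assumed list of sites you care about, for instance taken from proxy logs.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed resolver answers standing in for real DNS lookups: name -> set of A records.
# ad.example.net is multi-homed, and one of its addresses is shared with shop.example.org,
# which is exactly the collateral case described above.
RESOLVED: Dict[str, Set[str]] = {
    "ad.example.net": {"198.51.100.10", "198.51.100.11"},
    "tracker.example": {"203.0.113.5"},
    "shop.example.org": {"198.51.100.11"},
    "news.example.org": {"203.0.113.77"},
}


def alias_ips(block_names: Iterable[str], resolved: Dict[str, Set[str]]) -> Set[str]:
    """Every address an IP alias for block_names would contain.

    Multi-homed names contribute all their records, which is the part hoba notes a
    once-resolved alias may miss.
    """
    ips: Set[str] = set()
    for name in block_names:
        ips |= resolved.get(name, set())
    return ips


def collateral(block_names: Iterable[str], resolved: Dict[str, Set[str]],
               known_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each alias address to the non-blocked names that also resolve to it."""
    blocked = set(block_names)
    ips = alias_ips(blocked, resolved)
    report: Dict[str, List[str]] = {}
    for name in known_names:
        if name in blocked:
            continue
        for ip in resolved.get(name, set()) & ips:
            report.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in report.items()}


def alias_drift(snapshot: Set[str], block_names: Iterable[str],
                resolved_now: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """Compare an alias built at the last filter reload with a fresh resolution.

    Returns (addresses now missing from the alias, addresses the alias still
    blocks although no blocked name resolves to them any more).
    """
    current = alias_ips(block_names, resolved_now)
    return current - snapshot, snapshot - current


if __name__ == "__main__":
    block = {"ad.example.net", "tracker.example"}
    print("alias would contain:", sorted(alias_ips(block, RESOLVED)))
    print("collateral:", collateral(block, RESOLVED, RESOLVED.keys()))
    # Constructed "later" answers: the ad host moved to a new address.
    later = dict(RESOLVED, **{"ad.example.net": {"198.51.100.20"}})
    print("drift:", alias_drift(alias_ips(block, RESOLVED), block, later))
```

A non-empty `collateral` result is the signal to drop that address from the alias (or to prefer the DNS-level approach mojo-chan describes next), and a non-empty first element of `alias_drift` means the filter must be reloaded for the alias to keep blocking what it was meant to.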
mojo-chan

Really the point of doing it at the DNS level is that it doesn't matter if a site's IP changes, or if it is shared with another site. The DNS Forwarder just sees "doubleclick.net" and returns 127.0.0.1.
hoba

You can already do it this way; however, then you have to make sure your clients can't manually use external DNS servers, but firewall rules will help you with that as well.
mojo-chan

Well, I don't really care if they use external DNS servers, because it's only ad-blocking, a nice extra if they go for DHCP. It's just a shame there is no way to bulk-add domains, but at least I can get the most common ones.
GruensFroeschli

Firefox and "Adblock Plus" ;)
cybrsrfr

DNS blocking is one of the options that OpenDNS provides.
Steps:
1. Point your DNS to OpenDNS's DNS servers.
2. Sign up for a free account.
3. Define your IP or use DNS-O-Matic to keep dynamic IPs in sync.
4. Choose what you want to have blocked.

For more details go to:
http://forum.pfsense.org/index.php/topic,2703.msg44709.html#msg44709
mojo-chan

OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…
sullrich

@mojo-chan:

OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…

They gotta pay the bills somehow.. I imagine they use some bandwidth..
SCL

I just upgraded from 1.01 to 1.2 (new install with LiveCD on a P3 with 3 NICs) and domain override doesn't seem to work: I entered ciao.de and "mapped" it to 0.0.0.0 -> flushed the (Windows) client DNS cache with ipconfig /flushdns, then nslookup ciao.de; pfSense returns the real IP instead of 0.0.0.0/N/A. Any ideas to solve this? 1.01 worked!
cybrsrfr

I'm not sure if 0.0.0.0 is a completely valid address. Try something like 127.0.0.1 and see if that makes any difference.
hoba

Not sure if you literally showed us what you tested, but in case you tried to resolve "www.ciao.de" and only entered a mapping for "ciao.de", the behaviour is correct. Don't forget to add a "www.ciao.de" mapping as well to make sure both names are sent to 127.0.0.1.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.