Blocking sites with DNS
-
Really the point of doing it at the DNS level is that it doesn't matter if a sites IP changes, or if it is shared with another site. The DNS Forwarder just sees "doubleclick.net" and returns 127.0.0.1.
-
You can already do it this way, however then you have to make sure your clients can't manually use exrternal DNS-Servers but firewallrules will help you with that as well.
-
Well I don't really care if they use external DNS servers because it's only ad-blocking, a nice extra if they go for DHCP. It's just a shame there is no way to bulk-add domains, but at least I get can the most common ones.
-
firefox and "adblock plus" ;)
-
DNS blocking is one of the options that OpenDNS provides.
Steps
1. Point your DNS to OpenDNS's DNS servers.
2. Sign up for a free account.
3. Define your IP or use DNS-O-Matic to keep dynamic IPs in synch.
4. Choose what you want to have blocked.For more details go to:
http://forum.pfsense.org/index.php/topic,2703.msg44709.html#msg44709 -
OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…
-
OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…
They gotta pay the bills somehow.. I imagine they use some bandwidth..
-
i just upgraded from 1.01 to 1.2 (new install with liveCD on a p3 with 3 nic's) and domainoverwrite doesn't seem to work : i entered ciao.de and "mapped" it to 0.0.0.0 -> flushed the (win)client dnscache with ipconfig /flushdns, then nslookup ciao.de, pfsense returns the real ip instead of 0.0.0.0/n/A. any ideas to solve this ? 1.01 worked!
-
I'm not sure if 0.0.0.0 is a completely valid address. Try something like 127.0.0.1 and see if that makes any difference.
-
Not sure if you literally showed us what you tested but in case you tried to resolve "www.ciao.de" and only entered a mapping for "ciao.de" the behaviour is correct. Don't forget to add a "www.ciao.de" mapping as well to make sure both names are sent to 127.0.0.1.
-
i tried to add "ciao.de", "www.ciao.de", changed the ip to 127.0.0.1, even to my local ip, nothing helped. changing the machine, to see if its not the winbox, i used the debianmachine, no success.
edit: i just added "ciao.de", then tested "nslookup ciao.de" -> response was the real ip, instead of 127.0.0.1
-
I wrote about this in a different post and can confirm the bug, doing exactly the same thing.
In previous versions, there were two methods of forwarding: by host, and by entire domain.
To block www.yahoo.com for instance:
first method: enter 'www' in the host field, 'yahoo.com' in the domain field, and '0.0.0.0' for the IP (blocked only www.yahoo.com)
second method: enter 'yahoo.com' in domain, '0.0.0.0' for ip. (This blocked anything on that domain)With pfsense 1.2, the second method fails. Only 'host' type forwarding works, returning '0.0.0.0' as the IP. Using the 'entire domain' method fails, returning the actual public IP.
Don't bother with 'why don't you use X method'… I'm just reporting a bug.
-
Did you try adding "yahoo" as host and "com" as domain?
-
Address 0.0.0.0 might or might not be interpreted as an alias for localhost (see RFC 1122 section 3.2.1.3) depending on application, I wouldn't trust it to work as a non-valid address here. Use a made up private address or point the queries to a name server that you know to deny recursive queries.
-
0.0.0.0 had been working, and appears that part at least still does…
by using a previous suggestion of 'yahoo' as host and 'com' as domain, we can block 'yahoo.com' (using 0.0.0.0) but 'www.yahoo.com' still gets through.
-
I would suggest using 127.0.0.1 instead of 0.0.0.0
-
With 127.0.0.1 as the nameserver for yahoo.com you'll get this in system log and no blockage:
Apr 10 20:40:48 dnsmasq[94422]: ignoring nameserver 127.0.0.1 - local interface
Apr 10 20:40:48 dnsmasq[94422]: ignoring nameserver 127.0.0.1 - local interfaceWith 0.0.0.0 there's not even a mention of it in the system logs, most like the entry is silently ignored.
-
Just set it to an IP in your local subnet you know has nothing running worth connecting to.
I've set the IP to the webconfig of my managed switch. -
You could also set it to a non existing private IP outside your subnet (10.123.234.1 or whatever) and create a firewallrule at interfaces lan to not send it out to the internet (though your isp gateway will drop it's routing anyway as it won't route private IPs).
-
I had another post that seems to have disappeared… odd...
Anyway, found that if we use a non-existent address (as others have mentioned) such as 192.168.1.0 (I'm using 192.168.1.x network) then domain-level blocking works.
So, 0.0.0.0 works for host-level blocking only, even though it used to work for both.
