DNS Blacklist, New Package! Check it out.
-
Hi Davc,
I've tried DNS blacklist in one of my pfSense box but it broke the dns forwarder service, after installation the dnsmasq service stopped and can't be restarted even after repeated tries and reboot. I uninstalled the aforementioned package but I still can't start the dnsmasq service,I had to examine other working boxes to see what files have been added or changed by the DNS blacklist package, it added the dnsmasq.conf which I've deleted and my dnsmasq service finally started.
Did I missed something?
Regards,
Jan
-
When you tried to start dnsmasq. If you would have looked at the Diagnostics: System logs: System and looked for errors inr regards to dnsmasq then you should be ablt to find a description why it refused to start.
-
Good job :)
I have Q.. How to block HTTPS? (except legit HTTPS)?
jigp
-
Mine is running fine.
1.2.3-RC2
built on Sat Jul 18 19:19:52 EDT 2009
FreeBSD 7.2-RELEASE-p2 i386DNS Blacklist 0.2.4
Yes, after the installation of DNS Blacklist. I have to manual restart the services.
My Box run in Bridge mode, I guess yours are different in NAT mode.
Davc
-
After installing DNS Blacklist you shouldn't be required to restart dnsmasq as nothing is edited that pertains to dnsmasq at the time. DNS Blacklist adds the dnsmasq.conf, and dnsmasq.blacklist.conf files into /usr/local/etc/. When DNS Blacklist is enabled it adds a string into dnsmasq.conf to load the dnsmasq.blacklist.conf file, then restarts dnsmasq. Any of the categories you select are entered within the dnsmasq.blacklist.conf file and that is what allows us to filter dns querys to the local server.
I am in no way out to seek any money from anyone for the blacklist database I'm putting together. I can maintain a "main blacklist" but users would be free to add their own domains that aren't already listed. Here soon I'll work on adding a custom Blacklist/Whitelist text area for you to enter your own on the fly.
If you want to block all https, you need to put a block on dport:443, that isn't associated with DNS Blacklist.
-
| If you want to block all https, you need to put a block on dport:443, that isn't associated with DNS Blacklist.
- I dont want to block 443 from Firewall LAn.. Some users needs to access legitimate https sites…. Kindly show us the right way xa0z? Thanks
jigp |
-
I can't really thank you enough for putting in the effort for this package. This is exactly what my place of employment has been looking for to push us off of using WatchGuard Fireboxes and moving to a custom-built firewall running pfSense.
Thanks, and if you need any help, let me know!
-
Is that package the same as using squid with 0 cache + squidGuard using the urlblacklist.com filter?
-
Not really, but the same concept mainly. We're not using proxies, and are just making hostnames that you don't want allowed on your network to resolve to a specific IP rather than loading a proxy, etc.
So for instance, if you have facebook.com added to the category of denied hosts, then if anyone tried to resolve the forementioned host name then it would resolve to the IP I currently have set in the config, which is a Google IP. So all requests would be for example like so… http://www.facebook.com/games/mafiawars, would actually load http://www.google.com/games/mafiawars, which would fail, and alert you so.
I do have improvement ideas I'd like to implement in, but I won't be able to submit/commit them until mcrane is ready to do so and currently he has other projects he's working on.
-
As I understand the LAN DNS must be the pfsense DNS forwarder in order to make this package work?
10X for your effort
-
Yes, in order to use this you MUST do 1 of two things…
1: Make sure ALL clients on your LAN have the pfSense Gateway IP as their DNS IP.
2: Set any and all connections that pass through on port 53, to bind back to the router IP on port 53.
-
Are there any sense in doing this, if other DNS Services (OpenDNS) will override the settings on this??
-
In order for OpenDNS, and other DNS Services to work, you need to use their IP Address as your DNS Server IP.
The concept of OpenDNS and DNSBlacklist is about the same except the changes made to DNSBlacklist are local (on the system)
If you run DNS Blacklist, or other DNS Services like OpenDNS you can prevent people from loading other DNS Servers by forcing ALL outbound connections to port 53 to stop at the pfSense box. This way no matter where they try to resolve host names, it will always use the DNS Server on the pfSense box, be that the DNS Forwarder of OpenDNS, etc.
-
How do you specific prevent people from doing that???
How to in Pfsense???
-
Highlighted in RED.
-
I cant see anything….
-
heh, reload the page. it should show up now.
-
Does it have any effect when in that order???
-
The order for the Rules does not matter.
-
i like the idea of a block list built into pfsense, but i don't like the idea of a pfsense blocklist, if you could just create the interface so that you can make your own lists that would be great.
thanks.
- have not tried the package yet..