Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Blacklist, New Package! Check it out.

    Scheduled Pinned Locked Moved pfSense Packages
    153 Posts 56 Posters 128.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mastablastaz
      last edited by

      Is that package the same as using squid with 0 cache + squidGuard using the urlblacklist.com filter?

      1 Reply Last reply Reply Quote 0
      • X
        xa0z
        last edited by

        Not really, but the same concept mainly.  We're not using proxies, and are just making hostnames that you don't want allowed on your network to resolve to a specific IP rather than loading a proxy, etc.

        So for instance, if you have  facebook.com  added to the category of denied hosts, then if anyone tried to resolve the forementioned host name then it would resolve to the IP I currently have set in the config, which is a Google IP.  So all requests would be for example like so…    http://www.facebook.com/games/mafiawars, would actually load http://www.google.com/games/mafiawars, which would fail, and alert you so.

        I do have improvement ideas I'd like to implement in, but I won't be able to submit/commit them until mcrane is ready to do so and currently he has other projects he's working on.

        1 Reply Last reply Reply Quote 0
        • T
          Tracktor
          last edited by

          As I understand the LAN DNS must be the pfsense DNS forwarder in order to make this package work?

          10X for your effort

          1 Reply Last reply Reply Quote 0
          • X
            xa0z
            last edited by

            Yes, in order to use this you MUST do 1 of two things…

            1:  Make sure ALL clients on your LAN have the pfSense Gateway IP as their DNS IP.

            2:  Set any and all connections that pass through on port 53, to bind back to the router IP on port 53.

            1 Reply Last reply Reply Quote 0
            • S
              Supermule Banned
              last edited by

              Are there any sense in doing this, if other DNS Services (OpenDNS) will override the settings on this??

              1 Reply Last reply Reply Quote 0
              • X
                xa0z
                last edited by

                In order for OpenDNS, and other DNS Services to work, you need to use their IP Address as your DNS Server IP.

                The concept of OpenDNS and DNSBlacklist is about the same except the changes made to DNSBlacklist are local (on the system)

                If you run DNS Blacklist, or other DNS Services like OpenDNS you can prevent people from loading other DNS Servers by forcing ALL outbound connections to port 53 to stop at the pfSense box.  This way no matter where they try to resolve host names, it will always use the DNS Server on the pfSense box, be that the DNS Forwarder of OpenDNS, etc.

                1 Reply Last reply Reply Quote 0
                • S
                  Supermule Banned
                  last edited by

                  How do you specific prevent people from doing that???

                  How to in Pfsense???

                  1 Reply Last reply Reply Quote 0
                  • X
                    xa0z
                    last edited by

                    Highlighted in RED.

                    1 Reply Last reply Reply Quote 0
                    • S
                      Supermule Banned
                      last edited by

                      I cant see anything….

                      1 Reply Last reply Reply Quote 0
                      • X
                        xa0z
                        last edited by

                        heh, reload the page.  it should show up now.

                        1 Reply Last reply Reply Quote 0
                        • S
                          Supermule Banned
                          last edited by

                          Does it have any effect when in that order???

                          1 Reply Last reply Reply Quote 0
                          • X
                            xa0z
                            last edited by

                            The order for the Rules does not matter.

                            1 Reply Last reply Reply Quote 0
                            • S
                              sekular
                              last edited by

                              i like the idea of a block list built into pfsense, but i don't like the idea of a pfsense blocklist, if you could just create the interface so that you can make your own lists that would be great.

                              thanks.

                              • have not tried the package yet..
                              1 Reply Last reply Reply Quote 0
                              • X
                                xa0z
                                last edited by

                                The next release will contain the ability to create your own black/white-list within the web configuration.

                                We will also have the ability to let users upload their own compiled blacklists into the script, or use the one prebuilt with the application.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  sunil
                                  last edited by

                                  Hi,
                                  I am new to PfSense, I tried using DNS Blacklist and tried to block, Adult Porn and Online Gaming but I beleive it blocks all sites, if I try accessing any site it redirects to Google. For eg I tried indiatimes.com; yahoo.co; rediff.com and our Company website but it all gets redirected to Google, not sure if I am going wrong somewhere or do I need to work on the scripts.

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    tehtrk
                                    last edited by

                                    @xa0z:

                                    Highlighted in RED.

                                    @xa0z:

                                    The order for the Rules does not matter.

                                    Unless something has changed drastically, the order is critical as pfsense rules are evaluated from the top down. The first rule in your example would match, and pfsense will handle the packet accordingly. I'm not trying to pick on you, but that's a major nuance of pfsense and m0n0wall.

                                    On a completely different note, when I use the DNS Blacklist with the Adult category selected, www.pandora.com is blocked, even though it is not in the domain list for the adult category as obtained from http://cri.univ-tlse1.fr/blacklists/index_en.php . Any idea as to why this is happening?

                                    Thanks for the great package!

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      sekular
                                      last edited by

                                      a very small bug i noticed when on the dnsblacklist.php it has no title and when clicking on the pfsense logo it redirects to a 404.

                                      it redirects to https://domain/packages/dnsblacklist/index.php

                                      instead of https://domain/index.php

                                      works great though, thanks

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        Rezin
                                        last edited by

                                        @xa0z:

                                        So for instance, if you have  facebook.com  added to the category of denied hosts, then if anyone tried to resolve the forementioned host name then it would resolve to the IP I currently have set in the config, which is a Google IP.

                                        Hi xa0z. Is there any way to simply return nothing instead of resolving to Google's IP?

                                        1 Reply Last reply Reply Quote 0
                                        • R
                                          ronaldsh
                                          last edited by

                                          A very good start, userfriendly. Here are some comments.

                                          1. agree with Rezin, or redirect to a configurable error page.
                                          2. So is there any LOG showing which URL match which RULES ?
                                          3. Once I checked the "Adult", then I cannot visit hk.yahoo.com. I have digged into /usr/local/www/packages/dnsblacklist/blacklists/adult and there are quite a lot of stuffs related to yahoo.
                                          1 Reply Last reply Reply Quote 0
                                          • O
                                            omichaux
                                            last edited by

                                            Hi,

                                            i've installed pfsense yesterday and try DNS Blacklist, but it seems it doesn't block any site.
                                            i've tried from lan and opt1 interface
                                            each time, the only dns for the client is pfsense
                                            dnsblacklist is activated, and i've checked many categories as adult, games, gamble, etc…
                                            but no success
                                            any idea ?
                                            thanks in advance for your help

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.