Netgate Discussion Forum
DNS Blacklist, New Package! Check it out.
pfSense Packages
153 Posts 56 Posters 135.3k Views
xa0z

In order for OpenDNS, and other DNS services, to work, you need to use their IP address as your DNS server IP.

The concept of OpenDNS and DNS Blacklist is about the same, except the changes made to DNS Blacklist are local (on the system).

If you run DNS Blacklist, or other DNS services like OpenDNS, you can prevent people from loading other DNS servers by forcing ALL outbound connections to port 53 to stop at the pfSense box. This way, no matter where they try to resolve host names, it will always use the DNS server on the pfSense box, be that the DNS Forwarder or OpenDNS, etc.

Supermule

How do you specifically prevent people from doing that???

How to in pfSense???

xa0z

Highlighted in RED.

Supermule

I can't see anything….

xa0z

Heh, reload the page. It should show up now.

Supermule

Does it have any effect when in that order???

xa0z

The order for the Rules does not matter.

sekular

I like the idea of a block list built into pfSense, but I don't like the idea of a pfSense blocklist. If you could just create the interface so that you can make your own lists, that would be great.

Thanks.

(Have not tried the package yet.)
xa0z

The next release will contain the ability to create your own black/white-list within the web configuration.

We will also have the ability to let users upload their own compiled blacklists into the script, or use the one prebuilt with the application.

sunil

Hi,
I am new to pfSense. I tried using DNS Blacklist and tried to block Adult Porn and Online Gaming, but I believe it blocks all sites: if I try accessing any site it redirects to Google. For example, I tried indiatimes.com, yahoo.co, rediff.com and our company website, but they all get redirected to Google. Not sure if I am going wrong somewhere or if I need to work on the scripts.

tehtrk

@xa0z:

Highlighted in RED.

@xa0z:

The order for the Rules does not matter.

Unless something has changed drastically, the order is critical, as pfSense rules are evaluated from the top down. The first rule in your example would match, and pfSense will handle the packet accordingly. I'm not trying to pick on you, but that's a major nuance of pfSense and m0n0wall.

On a completely different note, when I use the DNS Blacklist with the Adult category selected, www.pandora.com is blocked, even though it is not in the domain list for the adult category as obtained from http://cri.univ-tlse1.fr/blacklists/index_en.php . Any idea as to why this is happening?

Thanks for the great package!

sekular

A very small bug I noticed: when on dnsblacklist.php it has no title, and when clicking on the pfSense logo it redirects to a 404.

It redirects to https://domain/packages/dnsblacklist/index.php

instead of https://domain/index.php

Works great though, thanks.

Rezin

@xa0z:

So for instance, if you have facebook.com added to the category of denied hosts, then if anyone tried to resolve the aforementioned host name it would resolve to the IP I currently have set in the config, which is a Google IP.

Hi xa0z. Is there any way to simply return nothing instead of resolving to Google's IP?

ronaldsh

A very good start, user-friendly. Here are some comments.

1. Agree with Rezin, or redirect to a configurable error page.
2. So is there any LOG showing which URL matches which RULES?
3. Once I checked "Adult", I could no longer visit hk.yahoo.com. I have dug into /usr/local/www/packages/dnsblacklist/blacklists/adult and there is quite a lot of stuff related to Yahoo.
omichaux

Hi,

I installed pfSense yesterday and tried DNS Blacklist, but it seems it doesn't block any site.
I've tried from the LAN and OPT1 interfaces.
Each time, the only DNS for the client is pfSense.
DNS Blacklist is activated, and I've checked many categories such as adult, games, gamble, etc…
But no success.
Any idea?
Thanks in advance for your help.

ronaldsh

Omichaux,

1. Did you change all the LAN clients' DNS server to the pfSense LAN IP (the one you use to manage pfSense)?
2. Did you enable the DNS Forwarder in pfSense, which forwards all DNS requests to your original DNS server?
3. Did you enable Squid? If so, did you change the DNS server to the pfSense LAN IP? Also, it seems every change made in DNS Blacklist requires a restart of Squid to take effect.

Those are my experiences, and I'm not sure they fit your case.

omichaux

Thanks for your answer…

But I've already done all of your suggestions.
My DNS clients use the LAN IP of pfSense.
I've reinstalled pfSense version 1.2.3
and reinstalled the DNS Blacklist package.
Squid is not installed, but I'm not sure I need it.

But no success.

ToxIcon

When is the new updated DNS Blacklist going to be available? Thanks.

xa0z

Hey guys…

I've not been working on this project as much lately, as some other things have come up. I plan to get the next release done before November 8th. Hopefully...

As for people wanting to use a CUSTOM ERROR PAGE: using dnsmasq, you can only make the hostname they try to resolve into an IP, and then the browser tries to load that IP. For example, if you block something like yahoo.com, that means it will make yahoo.com's DNS lookup resolve to 74.125.45.100, for example… And then the browser will try to load http://74.125.45.100/ and if that IP doesn't have anything to show that the page is blacklisted, then it will only show an error that the request wasn't found. We don't use proxies like Squid. Using this method is faster, but it is kind of limited in that aspect.

All of your comments and opinions are taken seriously, and any requests for fixes and add-ons are welcome.

shadowteller

First off, thank you for this excellent package submission.

@xa0z:

As for people wanting to use a CUSTOM ERROR PAGE: using dnsmasq, you can only make the hostname they try to resolve into an IP, and then the browser tries to load that IP. For example, if you block something like yahoo.com, that means it will make yahoo.com's DNS lookup resolve to 74.125.45.100, for example… And then the browser will try to load http://74.125.45.100/ and if that IP doesn't have anything to show that the page is blacklisted, then it will only show an error that the request wasn't found. We don't use proxies like Squid. Using this method is faster, but it is kind of limited in that aspect.

However, the device could be forced to redirect to another destination. It could even be local, as pfSense's WebGUI is running on a local webserver.
I believe it is Lighttpd.

    fwrite($fh2, "address=/" .$line. "/74.125.45.100". "\n");

That line of code tells the system, as you said, where a blocked host should resolve to. This can be seen in the dnsmasq.blacklist.conf file. Each blacklisted domain is subsequently followed by the /74.125.45.100 address.

Next, I have noticed an issue with dnsmasq.

Not sure if I am doing this wrong either, so correct me if I am wrong. I followed this forum thread to fix dnsmasq not restarting without a reboot.
(http://forum.pfsense.org/index.php/topic,11159.0.html)

If I have a custom config at /usr/local/etc/dnsmasq.conf it gets overridden by DNS Blacklist. The actual config that is written is itself broken:

    conf-file=/usr/local/etc/dnsmasq.blacklist.confetc/resolv.conf

is the result.

Anyway, I look forward to the update. Keep up the good work.

With Regards,
Preston

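The dnsmasq mechanism xa0z and shadowteller describe above (one address=/domain/IP line per blocked name, included from dnsmasq.conf via conf-file=), as an added Python example that is not the package's own PHP. It assumes the sinkhole IP and file path quoted in the thread, uses a constructed sample list, and shows why an entry for yahoo.com also catches hk.yahoo.com (ronaldsh's case) and how to append the include line without the glued-together conf-file= line Preston posted.

```python
"""Added example (not DNS Blacklist package code): generate dnsmasq.blacklist.conf,
model which names an address= entry catches, and append the include line safely."""
import ipaddress
import re

SINK_IP = "74.125.45.100"                              # redirect target quoted by xa0z
BLACKLIST_CONF = "/usr/local/etc/dnsmasq.blacklist.conf"  # path quoted by Preston
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def blacklist_conf(domains, sink_ip=SINK_IP):
    """Return the text of dnsmasq.blacklist.conf: one 'address=/domain/ip' line per
    valid domain. Malformed entries are skipped rather than written, because a single
    bad line stops dnsmasq from starting (the whole blacklist would then be ignored)."""
    ipaddress.ip_address(sink_ip)  # raises ValueError if the sinkhole IP is not an IP
    out = []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if d and not d.startswith("#") and DOMAIN_RE.match(d):
            out.append(f"address=/{d}/{sink_ip}")
    return "\n".join(out) + "\n"   # always newline-terminated


def is_blocked(name, domains):
    """dnsmasq 'address=/d/ip' answers for d and every name under it, so an entry for
    yahoo.com also sinkholes hk.yahoo.com; notyahoo.com is a different label and is not hit."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def add_include(conf_text, path=BLACKLIST_CONF):
    """Append 'conf-file=<path>' to dnsmasq.conf idempotently. The existing text is
    newline-terminated first, so the directive can never be glued onto the previous
    line (the kind of corruption shown in the thread)."""
    line = f"conf-file={path}"
    if line in conf_text.splitlines():
        return conf_text
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + line + "\n"


if __name__ == "__main__":
    sample = ["yahoo.com", "FaceBook.com.", "# comment", "bad_host", ""]  # constructed list
    print(blacklist_conf(sample), end="")
    print(add_include("resolv-file=/etc/resolv.conf"), end="")
    print("hk.yahoo.com blocked:", is_blocked("hk.yahoo.com", ["yahoo.com"]))
```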
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.