Netgate Discussion Forum

DNS Blacklist, New Package! Check it out.

pfSense Packages
    cronist
    last edited by May 12, 2010, 7:11 PM

    The "adult" section of DNS Blacklist prevents logging in to Facebook because it works on an IP basis,
    so all the domains hosted on the same server are blocked.
    When I tried to log in to Facebook by filling in the username and password, I got the Google home page with a *.google.com certificate.
    How can I solve this issue?

      ginosteel
      last edited by May 16, 2010, 11:46 PM

      After installing the package I got:

      May 17 01:53:11 dnsmasq[2526]: cannot read /usr/local/etc/dnsmasq.blacklist.conf: No such file or directory
      May 17 01:53:11 dnsmasq[2526]: cannot read /usr/local/etc/dnsmasq.blacklist.conf: No such file or directory
      May 17 01:53:11 dnsmasq[2526]: FAILED to start up
      May 17 01:53:11 dnsmasq[2526]: FAILED to start up
      May 17 01:53:12 php: /index.php: [DEBUG] Lock recursion detected.

      and everything was messed up and even my own DNS couldn't resolve.

        Nadrek
        last edited by May 18, 2010, 12:17 AM

        Just as a note, the ability to enter a list of DNS names, or use a category based subscription, to prohibit is one of the major features of Sonicwall (and other) firewall products, and if this package does what I think it does, then it allows pfSense to be that much more of a serious competitor.

        I apologize for not reading the entire thread, but if I install this on 1.2.3-RELEASE WebGUI, will I be able to uninstall it via WebGUI if for whatever reason I need to?

          jideel
          last edited by May 26, 2010, 10:27 AM

          @kiko-lpa:

          Hi,

          First of all thanks for the package.

          I am moving my pfSense 1.2.3 to newer hardware and would like to use DNS Blacklist with the new install. I have tried it and like how it works and the idea.

          I am having a problem that I have not been able to solve, probably missing something or don't know the full usage of the package. At my company we are using Google Apps for email and other services; the email accounts are set up for POP and SMTP use and have email clients configured.

          If DNS Blacklist is enabled with only the adult filter, smtp and pop.gmail.com become inaccessible; if I disable the adult filter or DNS Blacklist, everything works well again. For your knowledge, Google email uses SSL ports for email configuration, ports 465 and 995.

          I have looked in the /adults/domain, /url and /expressions files and have not found anything for gmail.

          For the moment I have to stop the use until a whitelist is available or I find a solution for my problem.

          Any suggestions or ideas?

          Many Thanks  :-\

          Hi,
          Exactly the same issue, also same as tebruno99's post.
          If I enable the 'adult' list, it starts blocking a lot of websites not in the blacklists.
          For example, it blocks 'www.shallalist.de'.
          I grep'd the whole lists (ssh'd to the box) to search for either 'shallalist', the IP of the website (78.47.242.85), the names of the DNS servers (shalla.de, robot7.first-ns.de, robot2.second-ns.de) and the IPs of these DNS servers, and found nothing related.
          If I grep 'shalla' only, it finds:
          blacklists/adult/domains:shallanmeiers.com.ar
          blacklists/porn/domains:shallanmeiers.com.ar
          which has no direct relation with shallalist.de
          So I ended up not enabling the 'adult' list, which I really would like to enable.
          I'm using pfSense 1.2.3 release with squid/squidGuard. DHCP server is enabled and serves the IP of the box (gateway) as the DNS server. DNS forwarder is enabled. The DNS setting of Squid is forced to the private LAN IP of the box ('Use alternate DNS-servers for the proxy-server'), because, if not set, Squid seems to bypass the DNS forwarder and directly resolve the names through the provider's DNS.
          In SquidGuard, the option 'Not to allow IP addresses in URL' is enabled.
          Any idea?
          Thank you.

            jideel
            last edited by May 26, 2010, 12:22 PM

            There's also an error at boot:
            DNS Blacklist : Fatal error : cannot redeclare pkg_is_service_running() previously declared in /usr/local/pkg/cron.inc:37 in /usr/local/pkg/dnsblacklist.inc on line 35.
            I removed the cron package, and now it says the same message for another package (ip-blocklist).
            Can it interfere with other packages, and how to fix this message?

              tommyboy180
              last edited by May 26, 2010, 3:24 PM

              The ip-blocklist package messes with the dns blacklist package. Sorry Mcrane!

              I am working on a fix right now.

              -Tom Schaefer
              SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

              Please support pfBlocker | File Browser | Strikeback

                tommyboy180
                last edited by May 29, 2010, 8:46 PM

                Fixed!

                -Tom Schaefer
                SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                Please support pfBlocker | File Browser | Strikeback

                  shadowteller
                  last edited by Jun 3, 2010, 10:38 PM

                  So question….

                  I am using a brand new clean install on pfSense 1.2.3.  I install this as the only package.

                  The problem I am seeing is that every site gets redirected to the google.com page.  Has anyone run into this issue and if so what is the fix?

                  Regards

                    tommyboy180
                    last edited by Aug 29, 2010, 8:32 AM

                    DNS blacklist domains are kind of outdated.
                    Here's how you can update your lists:
                    1. Download latest from http://cri.univ-tlse1.fr/blacklists/index_en.php - download the blacklists.tar.gz
                    2. Untar the archive
                    3. Copy contents directly to /usr/local/www/packages/dnsblacklist/blacklists
                    4. Overwrite when prompted.
                    5. In your browser re-save the DNS Blocklist settings to commit the new updates.

                    -Tom Schaefer
                    SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                    Please support pfBlocker | File Browser | Strikeback

                    1 Reply Last reply Reply Quote 0
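Steps 2 to 4 of the update procedure above as a script, added here as an example (not part of tommyboy180's post or of the package): it assumes blacklists.tar.gz has already been downloaded, checks the archive's member names before anything is unpacked as root, and extracts into a staging directory first. The function names, the staging path and the top-level blacklists/ directory inside the archive are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Usage on the firewall: update_blacklists /tmp/blacklists.tar.gz
DEST_DEFAULT=/usr/local/www/packages/dnsblacklist/blacklists   # path from the post

# Read archive member names on stdin. Fail on an empty listing, an absolute
# path, or a ".." component, any of which could write outside the staging dir.
names_are_safe() {
    awk '{
        if (substr($0, 1, 1) == "/") bad = 1
        n = split($0, part, "/")
        for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1
    }
    END { exit (bad || NR == 0) }'
}

# update_blacklists ARCHIVE [DEST]
update_blacklists() {
    archive=$1
    dest=${2:-$DEST_DEFAULT}
    if ! tar -tzf "$archive" 2>/dev/null | names_are_safe; then
        echo "refusing $archive: unreadable, empty or unsafe member names" >&2
        return 1
    fi
    stage=$(mktemp -d "${TMPDIR:-/tmp}/blacklists.XXXXXX") || return 1
    rc=1
    if tar -xzf "$archive" -C "$stage"; then
        src=$stage
        # Assumption: the archive unpacks to a top-level blacklists/ directory.
        [ -d "$stage/blacklists" ] && src=$stage/blacklists
        # Copy the contents over the existing lists (steps 3 and 4).
        mkdir -p "$dest" && cp -R "$src"/. "$dest"/ && rc=0
    fi
    rm -rf "$stage"
    # Step 5 stays manual: re-save the DNS Blocklist settings in the web GUI.
    return $rc
}
```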
                      Xthink
                      last edited by Aug 30, 2010, 1:44 PM

                      Is this package available for the snapshot builds?

                        vsberto
                        last edited by Sep 15, 2010, 8:58 AM

                        Strange, I can open youtube.com as always…
                        I installed the package
                        Updated the blacklists
                        And activated DNS Blocklist in pfSense services and checked the categories I need...
                        And it doesn't block anything

                          tommyboy180
                          last edited by Sep 15, 2010, 3:23 PM

                          @vsberto:

                          Strange, I can open youtube.com as always…
                          I installed the package
                          Updated the blacklists
                          And activated DNS Blocklist in pfSense services and checked the categories I need...
                          And it doesn't block anything

                          Which category is supposed to block YouTube?

                          -Tom Schaefer
                          SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                          Please support pfBlocker | File Browser | Strikeback

                            vburshteyn
                            last edited by Sep 16, 2010, 12:29 AM

                            Hi folks, I am new to pfSense so please excuse what might be a stupid question.

                            I installed and got this package working but I have two questions:

                            1. Is there a way to change where the blocked page gets redirected to?
                            2. Is there a way to have certain IPs bypass this app?

                            Thanks,

                              machado
                              last edited by Sep 27, 2010, 2:26 AM

                              This is a great package from pfSense. I'm loving pfSense  ;D ;D ;D ;D

                                mgc6288
                                last edited by Oct 9, 2010, 4:45 AM

                                Hello, I was instructed that DNS Blacklist would be a good addition to pfSense.  Right now I have added "OPT1" specifically for my son's computer which is directly plugged in.  He has the outstanding Country Block on his interface blocking the outbound, however I'd also like to block certain categories, i.e. Adult content.  I can use OpenDNS' settings, however eventually he'll figure out how to temporarily switch them and so having something within pfSense would be ideal.  Back to DNS Blacklist, is this list actively updated or obsolete?  Can I address this package to only affect certain interfaces or is every interface affected by the selections made?  Thanks.

                                  tommyboy180
                                  last edited by Oct 9, 2010, 4:51 AM

                                  @mgc6288:

                                  Hello, I was instructed that DNS Blacklist would be a good addition to pfSense.  Right now I have added "OPT1" specifically for my son's computer which is directly plugged in.  He has the outstanding Country Block on his interface blocking the outbound, however I'd also like to block certain categories, i.e. Adult content.  I can use OpenDNS' settings, however eventually he'll figure out how to temporarily switch them and so having something within pfSense would be ideal.  Back to DNS Blacklist, is this list actively updated or obsolete?  Can I address this package to only affect certain interfaces or is every interface affected by the selections made?  Thanks.

                                  The lists are actively updated but not in the package. In the previous post I show you how to update your lists directly from the source.
                                  Every interface using local DNS is affected by the package. You can bypass by specifying another DNS server on your systems just the same way you can bypass OpenDNS.

                                  -Tom Schaefer
                                  SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                                  Please support pfBlocker | File Browser | Strikeback

                                    mgc6288
                                    last edited by Oct 9, 2010, 6:02 AM Oct 9, 2010, 5:49 AM

                                    @tommyboy180:

                                    The lists are actively updated but not in the package. In the previous post I show you how to update your lists directly from the source.
                                    Every interface using local DNS is affected by the package. You can bypass by specifying another DNS server on your systems just the same way you can bypass OpenDNS.

                                    UPDATE: I figured it out!  I guess for now, if I want to use OpenDNS' settings what I can do is go to Services --> DHCP Server --> OPT1 --> and fill in the OpenDNS settings in the DNS Servers block.  With DNS Forwarder checked all he gets is his default gateway as the DNS server which masks it that much better.

                                      XIII
                                      last edited by Oct 9, 2010, 11:59 PM

                                      What you need so that he can't bypass your DNS servers/settings is a rule that allows DNS access to your firewall and OpenDNS and then below that a rule that denies access to all DNS servers. This way one can get DNS from the firewall or pfSense but not anywhere else, therefore you can block them from going to sites you don't want. If you don't do these rules, one can just change the DNS servers that the computer uses.

                                      -Chris Stutzman
                                      Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                                      Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                                      freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                                      Check out the pfSense Wiki

                                        mgc6288
                                        last edited by Oct 10, 2010, 12:06 AM

                                        @XIII:

                                        What you need so that he can't bypass your DNS servers/settings is a rule that allows DNS access to your firewall and OpenDNS and then below that a rule that denies access to all DNS servers. This way one can get DNS from the firewall or pfSense but not anywhere else, therefore you can block them from going to sites you don't want. If you don't do these rules, one can just change the DNS servers that the computer uses.

                                        A very good idea as when he figures out how to configure static he'll be able to type in the ISP dns manually.  I'd like for the OPT1 (son's) interface to only use the OpenDNS one.

                                        Would that be in the Firewall --> Rules --> OPT1 interface?  Example?  Thanks...

                                          XIII
                                          last edited by Oct 10, 2010, 12:17 AM Oct 10, 2010, 12:11 AM

                                          Yes, attached is a pic of my DNS server rules, remember rules at the top override those at the bottom.
                                          Edit: Also I have an alias for DNS Servers which is the firewall and OpenDNS' DNS servers.

                                          If you need more help, start a new thread so as not to hijack this one.

                                          dnsrules.png

                                          -Chris Stutzman
                                          Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                                          Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                                          freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                                          Check out the pfSense Wiki

                                          1 Reply Last reply Reply Quote 0
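How the two DNS rules described in this exchange are evaluated, as an added example (not XIII's attached rule set and not code from the package): a small first-match evaluator showing why the allow rule has to sit above the block rule. The firewall address, the test destinations and the function names are assumptions; 208.67.222.222 and 208.67.220.220 are OpenDNS's resolvers.

```shell
#!/bin/sh
# Added example: first-match evaluation of the two DNS rules on OPT1.
FW_IP=192.168.2.1                                   # assumed firewall address on OPT1
DNS_SERVERS="$FW_IP 208.67.222.222 208.67.220.220"  # alias: firewall + OpenDNS

# One rule per line: ACTION DESTINATION PORT
# ("alias" = any address in DNS_SERVERS, "any" = any destination).
RULES_GOOD='pass alias 53
block any 53'
# Same rules in the wrong order: the block rule matches first.
RULES_SWAPPED='block any 53
pass alias 53'

# in_alias IP -> success when IP is one of the allowed DNS servers
in_alias() {
    for ip in $DNS_SERVERS; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# verdict RULES DEST_IP DEST_PORT
# Prints the action of the first rule that matches, or "no-match" when the
# packet is left to whatever rules follow these two on the interface.
verdict() {
    while read -r action dst port; do
        [ "$port" = "$3" ] || continue
        if [ "$dst" = any ] || { [ "$dst" = alias ] && in_alias "$2"; }; then
            echo "$action"
            return 0
        fi
    done <<EOF
$1
EOF
    echo no-match
}

# Constructed checks, e.g. a client that hard-codes another resolver:
#   verdict "$RULES_GOOD" 203.0.113.53 53
```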
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.