DNS Resolver
-
Seriously, I think all that's needed now it to tell people to prefix their advanced configuration with a proper clause (with a wiki/manpage link or whatever.) Prevents invalid bugs as well. (Persistent includes could be done right now via one of the file manager packages that store the files in config.xml, I guess.)
-
@johnpoz has made a note of it at https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Configuration - it can always be revisited for 2.2.1 or whatever in the future. To late now.
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
local-data: "click01.aditic.net A 10.10.10.1"
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
Ever tried to put hundreds/thousands entries in there (like, ad blocking)? :D
-
Exactly. I have 70.000+ domains excluded.
-
Seriously, I think all that's needed now it to tell people to prefix their advanced configuration with a proper clause (with a wiki/manpage link or whatever.) Prevents invalid bugs as well. (Persistent includes could be done right now via one of the file manager packages that store the files in config.xml, I guess.)
Naw, we should make sure that feeds for this are bundled in pfSense Gold!
-
I have already added DNSBL to pfBlockerNG… I have been testing this with a few Testers for a couple weeks now... I think its best to use Unbound Resolver, but its not too difficult to format the lists for DNSMasq.
pfBlockerNG already has a download list scheduler so it was easy to add this functionality. I have added Domain parsers for the following lists so far:
- yoyo
- HPHosts
- Adaway
- Malware Domains
- Someonewhocares
- WinHelp
- Malware Domain Lists
8 ) Phishtank (these are converted from URLs… so they can cause some FPs) - Emerging Threats IQRisk Domain list
- Dshield
- Bambenek GOZ
- Squid Blacklists
The domains are placed into a single list for Unbound Resolver (about 2 million malicious domains and Advert Domain).
local-data: "googlesyndication.com A 10.10.10.1"
A NAT rule on the LAN interface will forward 10.10.10.1:80 to 127.0.01:8081. Which is a new Lighttpd Web server service on the pfSense Box (VIP and NAT are customizable) … For http requests it will load the index.php file and record the event and update the widget counter. Still working on improving https alerts and trying not to do any MITM. Currently a "1x1" Gif is sent to fill the Browsers Advert space..
Unbound can also load a python script which would simplify some of this process where the script could record the Rejected Request. Other improvements could be ACL to customize the Domain Blocking as currently it will block for any DNS Request. I don't think that Unbound is currently compiled with python script ability.
Sample Logfile -
DNSBL Reject,Jan 9 22:42:16,b.scorecardresearch.com,xx.xx.xx.xx,/b?c1=1&c2=1000009&c3=Thomson%20Reuters%20LLC&c4=5Min_unknown_AOL&c5=040800&c6=News/General%20News
Here are some Screenshots of DNSBL in pfBlockerNG…
My Pull Request for pfBlockerNG v1.0 has been merged but is waiting for final review.
I hope to have the bugs worked out for DNSBL fairly soon and I will release this in v2.0
-
I know this is the Unbound Resolver thread but I wanted to chime in and say it would be really nice to get pfBlockerNG through the review process and into the packages repo. I have been one of the testers and 1) it's solid and 2) it adds a great deal of security functionality. Now that 2.2 is nearing release maybe that can happen - fingers crossed.
-
I know this is the Unbound Resolver thread but I wanted to chime in and say it would be really nice to get pfBlockerNG through the review process and into the packages repo. I have been one of the testers and 1) it's solid and 2) it adds a great deal of security functionality. Now that 2.22 is nearing release maybe that can happen - fingers crossed.
+1 to this, have enjoyed watching the progression bbcan177 has made
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
Ever tried to put hundreds/thousands entries in there (like, ad blocking)? :D
Something like 45,618? Wouldn't it be nice to have a package that put's it all together? Ad blocking, is that really politically correct? :P
