DNS Black Hole
-
After installing the Bind service you get a new entry in the web administration tool under Services -> Bind Server. Should I enable it or not?
Eh?! When bind is not running, it won't work… I'd suggest you nuke whatever you have done there, remove the bind added by pkg, and install the bind package from System - Packages. Whatever you do, certainly do NOT install bind twice. Horrible idea.
I'm trying it all man… this system is all new to me...
Would you advise me to install bind from the packages in the web interface or from the console?
-
If someone can help me that would be great, as I'm sure that there have been many users with the same issue.
I'll put in here as much info as I can in the hope that someone could perhaps clarify this. My pfSense VM has 2 interfaces: LAN (192.168.200.1) and WAN (192.168.11.30); the router that connects to it has the IP 192.168.11.1.
So if I understood the guide correctly, I should put a file named db.catchall in the folder /cf/named/etc/namedb/ with the following contents:
$TTL 604800
@       IN SOA  . root.localhost. (
                      1         ; Serial
                 604800         ; Refresh
                  86400         ; Retry
                2419200         ; Expire
                 604800 )       ; Negative Cache TTL
        IN NS   .
.       IN A    192.168.200.1
*.      IN A    192.168.200.1
and a file named named.conf in the same folder with the following contents:
key "rndc-key" {
    algorithm hmac-md5;
    secret "blablabla";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    allow-query { any; };
    allow-recursion { any; };
};
zone "." {
    type master;
    file "/etc/namedb/db.catchall";
};
logging {
    category default { null; };
};
This of course with bind started. After that I reset states, and in the console I try to start the bind service again: named -u bind
and then test any host, but the result I get is this:
host www.google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

www.google.com has address 216.58.211.100
WTF am I doing wrong?!
I'm about ready to give up and try another system…
-
So… an update. I found out that when I restart pfSense my custom named.conf file is replaced by the original...
-
Yeah, because when you install bind via pkg, and then install it via GUI, you have two instances killing each other and none of them working properly.
-
I haven't got 2 instances, only one… I installed via the web GUI.
-
When you installed via the GUI, you ONLY can manage the thing via the GUI. Anything else will be lost. The article is NOT usable "as is" for the GUI package.
-
Mate, I know you're trying to help me out, and I'm thankful, but that's no good.
With a new system I've installed bind from the terminal. Of course I couldn't use "pkg_add -r ftp:… etc", but I used
"pkg" to install it, then "pkg update" and finally "pkg install bind99". After that I created the folder tree "/etc/namedb/" and put the configuration files in it, started bind with "named -u bind" and....... nothing... it still resolves the DNS as if I did nothing at all...
-
You just told me that you installed via the GUI!!! Argh.
-
I've done it every way… I've cloned the VM so I can start over every time.
I've tried a system with bind installation via GUI, another via terminal, another with the terminal 1st and then GUI, another with GUI and then terminal... you name it and I've tried it...
-
Dude. Pick ONE way. Debug it. Post your problems and findings (like, is bind running, can you query it, what do the queries return, logs.)
This chaos leads nowhere.
-
Well, when I install it from the console I think it is not working. I get no response when I start it with "named -u bind", but I guess that's normal; but if I try to kill it with "killall -9 bind" I get "no matching processes were found", so… maybe it's not running?!
Once again this is all new to me, so forgive me if these are all newbie questions...
-
1/ Output of
ps ax | egrep "unbound|dnsmasq|named"
2/ Output of
netstat -an | grep .53
-
$ ps ax | egrep "unbound|dnsmasq|named"
25106 - Is 0:00.14 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
26609 - S 0:00.00 sh -c ps ax | egrep "unbound|dnsmasq|named" 2>&1
26881 - R 0:00.00 egrep unbound|dnsmasq|named
51024 - Is 0:00.04 named -u bind
51372 - Is 0:00.04 named -u bind
71067 - Is 0:00.04 named -u bind
$ netstat -an | grep .53
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 127.0.0.1.953 *.* LISTEN
tcp6 0 0 *.53 *.* LISTEN
tcp4 0 0 *.53 *.* LISTEN
udp4 0 0 127.0.0.1.53 *.*
udp6 0 0 *.53 *.*
udp4 0 0 *.53 *.*
c4830560 stream 0 0 c53526a8 0 0 0 /tmp/php-fastcgi-hotspot_portal.socket-2
c48306b8 stream 0 0 c53527c4 0 0 0 /tmp/php-fastcgi-hotspot_portal.socket-1
c4830810 stream 0 0 c53376a8 0 0 0 /tmp/php-fastcgi-hotspot_portal.socket-0
c4831204 dgram 0 0 c539f000 0 c4830e1c 0 /var/dhcpd/var/run/log
c4831408 dgram 0 0 c539f238 0 c4831000 0 /var/run/logpriv
c483135c dgram 0 0 c539f354 0 0 0 /var/run/log
I can't make sense of any of it…
-
You need to disable the DNS Resolver. Otherwise it will never work.
-
I've tried that, but when I do it, not only does the DNS still resolve to the correct sites, but I lose access to the web GUI.
-
1/ You cannot have two DNS servers listen on the same port. End of story. You already have 3 instances of bind running; starting more of them won't exactly help until you make sure they can use port 53, which is already in use by unbound.
2/ Resolved from where? This needs to be tested from the clients, which need to point to pfSense for DNS.
3/ No idea what you mean by "loose access"
-
3/ Sorry for the mistake, English is not my 1st language. I meant to say that after I disable the DNS Resolver I can no longer access the web GUI.
2/ I'm trying to resolve it from the terminal on the pfSense VM itself, as it shows here (under Initial Testing): https://doc.pfsense.org/index.php/Creating_a_DNS_Black_Hole_for_Captive_Portal_Clients
1/ I had too many instances of it because I was unsure whether they were running or not. Now I know, and I only have one.
-
How can you not access the web GUI? Are you using an FQDN that no longer resolves? Or can you not access it using the IP?
You cannot meaningfully test anything from pfSense itself unless you point it to 127.0.0.1 as the DNS server – which is an extremely stupid idea if all the DNS server does is a blackhole.
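The checks the helper asked for (one named, nobody else on port 53, and a test query that returns the catch-all address) can be automated. This is an added example, not from the thread or from pfSense; the samples are constructed from the ps/netstat/host output posted above, and the BLACKHOLE_IP value is taken from the db.catchall file.

```python
# Constructed samples, trimmed from the "ps ax" and "netstat -an" output posted in this thread.
PS_SAMPLE = """\
25106 - Is 0:00.14 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
26881 - R 0:00.00 egrep unbound|dnsmasq|named
51024 - Is 0:00.04 named -u bind
51372 - Is 0:00.04 named -u bind
71067 - Is 0:00.04 named -u bind
"""
NETSTAT_SAMPLE = """\
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 127.0.0.1.953 *.* LISTEN
tcp6 0 0 *.53 *.* LISTEN
udp4 0 0 *.53 *.*
"""
HOST_SAMPLE = "www.google.com has address 216.58.211.100"
BLACKHOLE_IP = "192.168.200.1"  # the A record db.catchall hands out for every name
def dns_daemons(ps_text):
    """Count resolver daemons by executable name; other rows (sh, egrep) are ignored."""
    counts = {"unbound": 0, "dnsmasq": 0, "named": 0}
    for line in ps_text.splitlines():
        fields = line.split(None, 5)            # PID TT STAT TIME COMMAND [args]
        if len(fields) >= 5:
            exe = fields[4].rsplit("/", 1)[-1]  # /usr/local/sbin/unbound -> unbound
            if exe in counts:
                counts[exe] += 1
    return counts
def port53_sockets(netstat_text):
    """(proto, local address) for every socket bound to port 53; BSD netstat prints addr.port."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0][:3] in ("tcp", "udp"):
            addr, _, port = fields[3].rpartition(".")
            if port == "53":
                found.append((fields[0], addr))
    return found
def diagnose(ps_text, netstat_text, host_answer):
    """Problems to fix before the blackhole can work; an empty list means the setup looks sane."""
    counts, sockets, problems = dns_daemons(ps_text), port53_sockets(netstat_text), []
    if counts["named"] != 1:
        problems.append("expected exactly one named process, found %d" % counts["named"])
    others = [d for d in ("unbound", "dnsmasq") if counts[d]]
    if others:
        bound = ", ".join("%s %s.53" % (proto, addr) for proto, addr in sockets)
        problems.append("%s already owns port 53 (%s); stop it before starting named" % ("/".join(others), bound))
    parts = host_answer.split("has address ")
    if len(parts) == 2 and parts[1].strip() != BLACKHOLE_IP:
        problems.append("127.0.0.1 answered %s, not the catch-all %s: named is not what replied" % (parts[1].strip(), BLACKHOLE_IP))
    return problems
```

On the thread's own output it reports all three problems: three named processes, unbound holding port 53, and the test query answered with Google's real address rather than 192.168.200.1.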
-
This is all moot anyway. No matter what you do with DNS if the client web browser is asking for an https connection and the captive portal gets in the middle, a certificate error must be displayed.
We, as IP networking professionals, should never, ever, EVER implement anything that, by design, will present certificate errors to users. Connections to https sites before captive portal is negotiated should simply hang. Don't like it? Don't use a captive portal.