    DNS Black Hole

    General pfSense Questions
    24 Posts 4 Posters 3.4k Views

      dryden

      @doktornotor:

      When you installed via the GUI, you ONLY can manage the thing via the GUI. Anything else will be lost. The article is NOT usable "as is" for the GUI package.

      Mate, I know you're trying to help me out, and I'm thankful, but that's no good.
      With a new system I've installed bind from the terminal, of course I couldn't use "pkg_add -r ftp:… etc" but I used
      "pkg" to install it, then "pkg update" and finally "pkg install bind99", after that I created the folder tree "/etc/namedb/" and put the configuration files in it, started bind "named -u bind" and...

      nothing... still resolves the DNS as if I did nothing at all...

        doktornotor

        You just told me that you installed via the GUI!!! Argh.

          dryden

          @doktornotor:

          You just told me that you installed via the GUI!!! Argh.

          I've done it every way… I've cloned the VM so I can start over every time.
          I've tried a system with bind installation via GUI, another via terminal, another with the terminal 1st and then GUI, another with GUI and then terminal... you name it and I've tried it...

            doktornotor

            Dude. Pick ONE way. Debug it. Post your problems and findings (like, is bind running, can you query it, what do the queries return, logs.)

            This chaos leads nowhere.

              dryden

              @doktornotor:

              Dude. Pick ONE way. Debug it. Post your problems and findings (like, is bind running, can you query it, what do the queries return, logs.)

              This chaos leads nowhere.

              Well, when I install it from the console I think it is not working. I get no response when I start it "name -u bind" but I guess that's normal, but if I try to kill it "killall -9 bind" I get "no matching processes were found" so… maybe it's not running?!

              Once again this is all new to me so forgive me if these are all newb questions...

                doktornotor

                1/ Output of

                ps ax | egrep "unbound|dnsmasq|named"

                2/ Output of

                netstat -an | grep .53

                  dryden

                  @doktornotor:

                  1/ Output of

                  ps ax | egrep "unbound|dnsmasq|named"

                  2/ Output of

                  netstat -an | grep .53

                  $ ps ax | egrep "unbound|dnsmasq|named"
                  25106  -  Is     0:00.14 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
                  26609  -  S      0:00.00 sh -c ps ax | egrep "unbound|dnsmasq|named" 2>&1
                  26881  -  R      0:00.00 egrep unbound|dnsmasq|named
                  51024  -  Is     0:00.04 named -u bind
                  51372  -  Is     0:00.04 named -u bind
                  71067  -  Is     0:00.04 named -u bind
                  
                  
                  $ netstat -an | grep .53
                  tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
                  tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
                  tcp6       0      0 *.53                   *.*                    LISTEN
                  tcp4       0      0 *.53                   *.*                    LISTEN
                  udp4       0      0 127.0.0.1.53           *.*                    
                  udp6       0      0 *.53                   *.*                    
                  udp4       0      0 *.53                   *.*                    
                  c4830560 stream      0      0 c53526a8        0        0        0 /tmp/php-fastcgi-hotspot_portal.socket-2
                  c48306b8 stream      0      0 c53527c4        0        0        0 /tmp/php-fastcgi-hotspot_portal.socket-1
                  c4830810 stream      0      0 c53376a8        0        0        0 /tmp/php-fastcgi-hotspot_portal.socket-0
                  c4831204 dgram       0      0 c539f000        0 c4830e1c        0 /var/dhcpd/var/run/log
                  c4831408 dgram       0      0 c539f238        0 c4831000        0 /var/run/logpriv
                  c483135c dgram       0      0 c539f354        0        0        0 /var/run/log
                  

                  I can't make sense of any of it…

                    doktornotor

                    You need to disable the DNS Resolver. Otherwise it will never work.

                      dryden

                      @doktornotor:

                      You need to disable the DNS Resolver. Otherwise it will never work.

                      I've tried that, but when I do it, not only does the DNS still resolve to the correct sites, but I loose access to the web GUI.

                        doktornotor

                        1/ You cannot have two DNS servers listen on the same port. End of story. You already have 3 instances of bind running, starting more of them won't exactly help until you make sure they can use port 53, which is already in use by unbound.
                        2/ Resolved from where? This needs to be tested from the clients, which need to point to pfSense for DNS.
                        3/ No idea what you mean by "loose access"

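As an added example (not from this thread or from pfSense), here is a small POSIX shell helper that parses the output of the two commands doktornotor asked for, `ps ax` and `netstat -an`, and reports which daemons are serving DNS and which sockets are bound to exactly port 53, which is the conflict described above. The sample outputs embedded in it are constructed from the listing posted earlier in the thread; note that `grep .53` also matches the rndc control port 953, so the helper matches the port field exactly instead.

```shell
# Added example, not from the thread: check for port-53 conflicts from the
# output of `ps ax` and `netstat -an`. Sample inputs below are constructed
# from the listing posted earlier in the thread.
# Constructed `netstat -an` lines. 127.0.0.1.953 is the rndc control port;
# it matches `grep .53` but is not a DNS listener, so we match port 53 exactly.
NETSTAT_SAMPLE='tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 *.53                   *.*
udp4       0      0 *.53                   *.*'

# Constructed `ps ax` lines: one unbound (the pfSense DNS Resolver) and
# three named (BIND) instances started by hand.
PS_SAMPLE='25106  -  Is     0:00.14 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
51024  -  Is     0:00.04 named -u bind
51372  -  Is     0:00.04 named -u bind
71067  -  Is     0:00.04 named -u bind'

# dns_sockets: read netstat output on stdin, print "proto local-address" for
# each socket whose local port (text after the last dot on BSD) is exactly 53.
dns_sockets() {
    awk '{ n = split($4, a, "."); if (a[n] == "53") print $1, $4 }'
}

# dns_servers: read ps output on stdin, print "daemon count" for each DNS
# daemon found in the command column (field 5 onward), sorted by name.
dns_servers() {
    awk '{ for (i = 5; i <= NF; i++) {
               base = $i; sub(/.*\//, "", base)
               if (base == "unbound" || base == "named" || base == "dnsmasq") {
                   count[base]++; break } } }
         END { for (d in count) print d, count[d] }' | sort
}

# port53_conflict: succeed (exit 0) when more than one kind of DNS daemon is
# running, i.e. they cannot all own port 53; fail otherwise.
port53_conflict() {
    kinds=$(printf '%s\n' "$1" | dns_servers | awk 'END { print NR }')
    [ "$kinds" -gt 1 ]
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$NETSTAT_SAMPLE" | dns_sockets
printf '%s\n' "$PS_SAMPLE" | dns_servers
if port53_conflict "$PS_SAMPLE"; then
    echo "conflict: more than one DNS daemon competing for port 53"
fi
```

On a live pfSense box, pipe the real `ps ax` and `netstat -an` output into `dns_servers` and `dns_sockets` instead of the constructed samples.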
                          dryden

                          @doktornotor:

                          1/ You cannot have two DNS servers listen on the same port. End of story. You already have 3 instances of bind running, starting more of them won't exactly help until you make sure they can use port 53, which is already in use by unbound.
                          2/ Resolved from where? This needs to be tested from the clients, which need to point to pfSense for DNS.
                          3/ No idea what you mean by "loose access"

                          3/ Sorry for the mistake, English is not my 1st language. I meant to say that after I disable DNS Resolver I can no longer access the web GUI.
                          2/ I'm trying to resolve it from the terminal of the pfSense VM itself as shown here (under Initial Testing): https://doc.pfsense.org/index.php/Creating_a_DNS_Black_Hole_for_Captive_Portal_Clients
                          1/ I had too many instances of it because I was unsure whether they were running or not. Now I know and I only have one.

                            doktornotor

                            How can you not access the web GUI? Are you using an FQDN that no longer resolves? Or can you not access it using the IP?

                            You cannot meaningfully test anything from pfSense itself unless you point it to 127.0.0.1 as DNS server – which is an extremely stupid idea if all the DNS server does is a blackhole.

                              Derelict

                              This is all moot anyway.  No matter what you do with DNS if the client web browser is asking for an https connection and the captive portal gets in the middle, a certificate error must be displayed.

                              We, as IP networking professionals, should never, ever, EVER implement anything that, by design, will present certificate errors to users.  Connections to https sites before captive portal is negotiated should simply hang.  Don't like it?  Don't use a captive portal.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.