[solved] dns different results for different clients
-
Manager request: block youtube
The new tag feature in Unbound can do this, with no additional components needed. More details at Unbound's home https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/.
It's only supported in Unbound 1.5.10 onwards, so you may need to update your pfSense.
The config is a bit long winded. Perhaps a pfSense GUI for it might appear in the future.
This example blocks youtube, which is a wonderful site, but humans are easily distracted, which can be unproductive at work.
pfSense web admin gui > Services > DNS Resolver > Custom Options
# give pfSense a server: tag so it puts directives in correct place
server:
# define a new tag
define-tag: "notube"
# create access control entry
access-control: 10.1.1.6/32 allow
# tag the access
# allocate some ip ranges to the tag, repeat for more
access-control-tag: 10.1.1.6/32 "notube"
# www.youtube.com is the only way to access youtube site
# all other language domains redirect to www.youtube.com
# you can verify this by the allowed domains in ssl wildcard cert
# Certificate Subject Alt Name
# The variants like -nocookie edu and yt.be don't serve content.
# The CNAME records for local caches and redirects don't serve content
# The cert is set HSTS (strict) so won't serve on incorrect redirects
# The plain http redirects everything to the https SSL
# Going to myriad IP addresses redirects to google search page
# So with local DNS control, you have tight control of access to youtube.
# This of course doesn't exclude proxies & tunnels,
# but these require more effort & privileges on clients.
# create the local-zone, and allow normal service
# which allows non-blocked users access
# and allow all types like A and AAAA and CNAME
local-zone: www.youtube.com typetransparent
# tag the domain
local-zone-tag: www.youtube.com notube
# ensure local data served first
access-control-tag-action: 10.1.1.6/32 "notube" redirect
# Send users to your polite internal block page
access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
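The config above covers one client netblock and one domain and says "repeat for more". As an added example (not from this thread or from Unbound/pfSense), here is a small Python generator that emits the same set of directives for any number of client netblocks and domains, validating each netblock first so a typo such as a host address with a too-short prefix fails before it reaches the resolver. The function name and the sample values in the usage lines are assumptions.

```python
"""Generate Unbound per-client tag filtering (define-tag / access-control-tag /
local-zone-tag / access-control-tag-action / access-control-tag-data) for
several clients and domains.  Added example, not code from the original post."""
import ipaddress


def build_tag_config(tag, block_page, clients, domains):
    """Return 'server:' directives that redirect every query from `clients`
    (IPv4/IPv6 netblocks) for `domains` to `block_page`, while all other
    clients keep normal resolution (the zones are typetransparent).
    Raises ValueError for a malformed netblock or block-page address."""
    # strict=True rejects netblocks with host bits set, e.g. 10.1.1.6/24
    nets = [ipaddress.ip_network(c, strict=True) for c in clients]
    # redirect data must match the address family of the block page
    rr = "AAAA" if ipaddress.ip_address(block_page).version == 6 else "A"
    lines = ["server:", f'define-tag: "{tag}"']
    for net in nets:
        lines.append(f"access-control: {net} allow")
        lines.append(f'access-control-tag: {net} "{tag}"')
    for dom in domains:
        dom = dom.rstrip(".").lower()
        lines.append(f"local-zone: {dom} typetransparent")
        lines.append(f"local-zone-tag: {dom} {tag}")
    for net in nets:
        lines.append(f'access-control-tag-action: {net} "{tag}" redirect')
        lines.append(f'access-control-tag-data: {net} "{tag}" "{rr} {block_page}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample values: two tagged clients, one domain, block page as in the post
    print(build_tag_config("notube", "10.4.1.34",
                           ["10.1.1.6/32", "10.1.2.0/24"], ["www.youtube.com"]))
```

Paste the output into Services > DNS Resolver > Custom Options exactly as the single-client version above; untagged clients are unaffected because the local-zone is typetransparent.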
-
I pasted the code into DNS Resolver custom options and changed the IP to match my network. Does nothing. Still can access youtube
-
The problem could be many things, and you provide no information, so here are some things to try…
Is the pfSense DNS resolver enabled?
Are you on unbound 1.5.10 or later?
When you save the dns resolver page, you shouldn't get any unbound config check errors.
Does the client machine have other sources of DNS? Does it have a local DNS cache? Does it have a DNS override in its hosts file?
Does a dig or nslookup against the target pfSense machine return the IP address for your block page? If so, the code is working and the problem is elsewhere.