Netgate Discussion Forum
    [solved] dns different results for different clients

    Category: DHCP and DNS
    3 Posts 2 Posters 2.5k Views
    mcdiesel

      Manager request: block youtube

      The new tag feature in Unbound can do this, with no additional components needed. More details at Unbound's home https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/.

      It's only supported in Unbound 1.5.10 onwards, so you may need to update your pfSense.

      The config is a bit long-winded. Perhaps a pfSense GUI for it might appear in the future.

      This example blocks youtube, which is a wonderful site, but humans are easily distracted, which can be unproductive at work.

      pfSense web admin gui > Services > DNS Resolver > Custom Options

      
          # give pfSense a server: tag so it puts directives in correct place
          server:

          # define a new tag
          define-tag: "notube"

          # create access control entry
          access-control: 10.1.1.6/32 allow

          # tag the access
          # allocate some ip ranges to the tag, repeat for more
          access-control-tag: 10.1.1.6/32 "notube"

          # www.youtube.com is the only way to access youtube site
          #  all other language domains redirect to www.youtube.com
          #  you can verify this by the allowed domains in ssl wildcard cert
          #  Certificate Subject Alt Name

          #  The variants like -nocookie edu and yt.be don't serve content.
          #  The CNAME records for local caches and redirects don't serve content
          #  The cert is set HSTS (strict) so won't serve on incorrect redirects
          #  The plain http redirects everything to the https SSL
          #  Going to myriad IP addresses redirects to google search page
          #  So with local DNS control, you have tight control of access to youtube.
          #  This of course doesn't exclude proxies & tunnels,
          #    but these require more effort & privileges on clients.

          # create the local-zone, and allow normal service
          #  which allows non-blocked users access
          #  and allow all types like A and AAAA and CNAME
          local-zone: www.youtube.com typetransparent

          # tag the domain (quoted, the same form as in define-tag above)
          local-zone-tag: www.youtube.com "notube"

          # for tagged clients, turn the zone into a redirect zone so they are
          #  answered only from the local data below instead of typetransparent
          access-control-tag-action: 10.1.1.6/32 "notube" redirect

          # Send users to your polite internal block page
          access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"

        samgurung

        @mcdiesel:


        I pasted the code into DNS Resolver custom options and changed the IP to match my network. Does nothing. Still can access youtube.

          mcdiesel

          The problem could be many things, and you provide no information, so here are some things to try…

          Is the pfSense DNS Resolver enabled?

          Are you on Unbound 1.5.10 or later?

          When you save the DNS Resolver page, you shouldn't get any Unbound config check errors.

          Does the client machine have other sources of DNS? Does it have a local DNS cache? Does it have a DNS override in its hosts file?

          Does a dig or nslookup against the target pfSense machine return the IP address for your block page? If so the code is working, and the problem is elsewhere.

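As an added check that is not from either poster or from Unbound itself: a small Python model of the tag logic in the first post, with a parser for the custom options, a function that emulates which answer a given client gets, and a lint for the mismatches that make the filter silently do nothing (for example an IP changed in access-control-tag but not in the other lines). It assumes Unbound's documented tag semantics: a client carries the tags of its most specific access-control-tag netblock, and the tag action and data apply when the client's tags intersect the zone's tags; the config text is a constructed copy of the post's directives.

```python
import ipaddress
import re
SAMPLE_CONFIG = """
# constructed sample: the directives from the post above, with the comments removed
define-tag: "notube"
access-control: 10.1.1.6/32 allow
access-control-tag: 10.1.1.6/32 "notube"
local-zone: www.youtube.com typetransparent
local-zone-tag: www.youtube.com "notube"
access-control-tag-action: 10.1.1.6/32 "notube" redirect
access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
"""

def parse_config(text):
    """Group directives by name; each entry is its token list with quotes stripped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and line != "server:":
            key, _, value = line.partition(":")
            cfg.setdefault(key.strip(), []).append([t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)])
    return cfg

def in_block(ip, netblock):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(netblock, strict=False)

def client_tags(cfg, client_ip):
    """Tags Unbound attaches to the client: those of its most specific matching netblock."""
    hits = [v for v in cfg.get("access-control-tag", []) if in_block(client_ip, v[0])]
    best = max(hits, key=lambda v: ipaddress.ip_network(v[0], strict=False).prefixlen, default=None)
    return set(" ".join(best[1:]).split()) if best else set()

def answer_for(cfg, client_ip, qname):
    """('redirect', 'A 10.4.1.34') when client and zone share a tag, else ('transparent', None)."""
    ztags = {t for v in cfg.get("local-zone-tag", []) if qname == v[0] or qname.endswith("." + v[0]) for t in " ".join(v[1:]).split()}
    common = client_tags(cfg, client_ip) & ztags
    if not common:  # no shared tag: the plain typetransparent zone applies, i.e. normal resolution
        return ("transparent", None)
    def last(key):  # last directive naming this client's netblock and a shared tag
        hits = [v[2] for v in cfg.get(key, []) if v[1] in common and in_block(client_ip, v[0])]
        return hits[-1] if hits else None
    return (last("access-control-tag-action") or "transparent", last("access-control-tag-data"))

def lint(cfg):
    """Flag the inconsistencies that make the filter silently do nothing."""
    defined = {t for v in cfg.get("define-tag", []) for t in " ".join(v).split()}
    allowed = {v[0] for v in cfg.get("access-control", [])}
    problems = [f"{v[0]} is tagged but has no access-control allow entry" for v in cfg.get("access-control-tag", []) if v[0] not in allowed]
    problems += [f"tag {t!r} is used but never defined with define-tag" for v in cfg.get("access-control-tag", []) for t in " ".join(v[1:]).split() if t not in defined]
    return problems
```

Running `answer_for` for a tagged and an untagged client side by side is the offline counterpart of the dig/nslookup check in the last reply: if the model says redirect but the real resolver does not, the client is reaching a different DNS source.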
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.