Netgate Discussion Forum

[solved] dns different results for different clients

DHCP and DNS
    mcdiesel
    last edited by Jun 8, 2017, 5:35 AM

    Manager request: block youtube

    The new tag feature in Unbound can do this, with no additional components needed. More details at Unbound's home https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/.

    It's only supported in Unbound 1.5.10 onwards, so you may need to update your pfSense.

    The config is a bit long winded. Perhaps a pfSense GUI for it might appear in the future.

    This example blocks youtube, which is a wonderful site, but humans are easily distracted, which can be unproductive at work.

    pfSense web admin gui > Services > DNS Resolver > Custom Options

    
        # give pfSense a server: clause so it puts the directives in the correct place
        server:

        # define a new tag
        define-tag: "notube"

        # create an access control entry for the client
        access-control: 10.1.1.6/32 allow

        # tag the client
        # allocate some ip ranges to the tag, repeat for more
        access-control-tag: 10.1.1.6/32 "notube"

        # www.youtube.com is the only way to access youtube site
        #  all other language domains redirect to www.youtube.com
        #  you can verify this by the allowed domains in ssl wildcard cert
        #  Certificate Subject Alt Name

        #  The variants like -nocookie edu and yt.be don't serve content.
        #  The CNAME records for local caches and redirects don't serve content
        #  The cert is set HSTS (strict) so won't serve on incorrect redirects
        #  The plain http redirects everything to the https SSL
        #  Going to myriad IP addresses redirects to google search page
        #  So with local DNS control, you have tight control of access to youtube.
        #  This of course doesn't exclude proxies & tunnels,
        #    but these require more effort & privileges on clients.

        # create the local-zone, and allow normal service
        #  which allows non-blocked users access
        #  and allow all types like A and AAAA and CNAME
        local-zone: www.youtube.com typetransparent

        # tag the domain; the zone and the client must carry the same tag
        #  or nothing below applies
        local-zone-tag: www.youtube.com "notube"

        # for tagged clients only, override the zone type: "redirect" answers
        #  www.youtube.com and every name under it from the tag data below
        #  (an AAAA query gets an empty answer, since only A data is given)
        access-control-tag-action: 10.1.1.6/32 "notube" redirect

        # Send users to your polite internal block page
        #  only a plain http:// request will render it; an https:// request for
        #  www.youtube.com that lands on 10.4.1.34 fails certificate validation
        access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"

      samgurung
      last edited by Aug 7, 2017, 7:42 AM

      @mcdiesel:

      I pasted the code into DNS Resolver custom options and changed the IP to match my network. Does nothing. Still can access youtube

        mcdiesel
        last edited by Mar 18, 2018, 8:18 PM

        The problem could be many things, and you provide no information, so here are some things to try…

        Is the pfSense DNS resolver enabled?

        Are you on Unbound 1.5.10 or later?

        When you save the DNS resolver page, you shouldn't get any Unbound config check errors.

        Does the client machine have other sources of DNS? Does it have a local DNS cache? Does it have a DNS override in its hosts file?

        Does a dig or nslookup against the target pfSense machine return the IP address for your block page? If so the code is working, and the problem is elsewhere.

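A consistency check for the tag directives, added here as an example; it is not code from either post, from pfSense or from Unbound. It parses a Custom Options block in the shape of the one in the first post and reports the cross-reference mistakes that leave the filter silently inactive even though Unbound starts: a tag used but never declared in define-tag, a local-zone-tag on a zone that has no local-zone, a tag on a client subnet that no zone carries, or tag-action/tag-data for a subnet and tag pair the client does not actually have. That is the first thing to rule out when the answer to "does dig return the block page address?" is no. The two sample blocks are constructed from the posted configuration; the typo in the second one is invented for the demonstration, and the directive names are the real unbound.conf names.

```python
"""Lint the client-tag directives in a pfSense DNS Resolver Custom Options block.

Added example for this thread, not code from the posts, pfSense or Unbound.
Unbound only redirects a query when the client's subnet carries a tag, the
queried zone carries the same tag, and a tag-action/tag-data pair exists for
that (subnet, tag). This script checks exactly that wiring.
"""
import re
from collections import defaultdict

# Directive names exactly as they appear in unbound.conf.
DIRECTIVES = {
    "define-tag", "access-control", "access-control-tag",
    "access-control-tag-action", "access-control-tag-data",
    "local-zone", "local-zone-tag",
}


def _tokens(value):
    """Split a directive value into arguments, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def _zone(name):
    """Normalise a zone name (case-insensitive, trailing dot optional)."""
    return name.lower().rstrip(".")


def parse_custom_options(text):
    """Return {directive: [argument-list, ...]} for the directives we check."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.endswith(":"):         # blank line, or a clause such as "server:"
            continue
        name, _, value = line.partition(":")
        name = name.strip()
        if name in DIRECTIVES:
            found[name].append(_tokens(value))
    return found


def lint(text):
    """Return a list of problem strings; an empty list means every tagged
    client is wired to a tagged zone with an action and data for that pair."""
    d = parse_custom_options(text)
    problems = []
    defined = {t for args in d["define-tag"] for t in " ".join(args).split()}
    acl_subnets = {args[0] for args in d["access-control"] if args}
    zones = {_zone(args[0]) for args in d["local-zone"] if args}
    client_tags = defaultdict(set)   # subnet -> tags carried by clients in it
    zone_tags = defaultdict(set)     # zone   -> tags carried by the zone

    for args in d["access-control-tag"]:
        subnet, tags = args[0], " ".join(args[1:]).split()
        if subnet not in acl_subnets:
            problems.append(f"{subnet}: no access-control entry; the post pairs every tagged subnet with an explicit allow")
        for t in tags:
            if t not in defined:
                problems.append(f"{subnet}: tag '{t}' is not declared in define-tag")
            client_tags[subnet].add(t)

    for args in d["local-zone-tag"]:
        zone, tags = _zone(args[0]), " ".join(args[1:]).split()
        if zone not in zones:
            problems.append(f"{zone}: local-zone-tag without a matching local-zone")
        for t in tags:
            if t not in defined:
                problems.append(f"{zone}: tag '{t}' is not declared in define-tag")
            zone_tags[zone].add(t)

    for directive in ("access-control-tag-action", "access-control-tag-data"):
        for args in d[directive]:
            if len(args) < 2:
                continue
            subnet, t = args[0], args[1]
            if t not in client_tags.get(subnet, set()):
                problems.append(f"{directive} for {subnet} tag '{t}', but that subnet does not carry the tag")

    actions = {(a[0], a[1]) for a in d["access-control-tag-action"] if len(a) >= 2}
    for subnet, tags in client_tags.items():
        for t in tags:
            if not any(t in zt for zt in zone_tags.values()):
                problems.append(f"{subnet}: tag '{t}' is on no local-zone, so it never matches a query")
            if (subnet, t) not in actions:
                problems.append(f"{subnet}: no access-control-tag-action for tag '{t}'; the local-zone type applies instead of a redirect")
    return problems


# Constructed sample: the directives from the first post, comments removed.
POST_CONFIG = """
server:
define-tag: "notube"
access-control: 10.1.1.6/32 allow
access-control-tag: 10.1.1.6/32 "notube"
local-zone: www.youtube.com typetransparent
local-zone-tag: www.youtube.com notube
access-control-tag-action: 10.1.1.6/32 "notube" redirect
access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
"""

# Constructed sample: the same block with an invented typo in the zone tag,
# so the client's tag and the zone's tag no longer match.
BROKEN_CONFIG = POST_CONFIG.replace("local-zone-tag: www.youtube.com notube",
                                    "local-zone-tag: www.youtube.com notub")

if __name__ == "__main__":
    for problem in lint(BROKEN_CONFIG):
        print(problem)
```

To check your own block, paste the Custom Options text into a string and call lint() on it; no output means the tag wiring is complete, and the remaining suspects are the ones the reply above lists (resolver not enabled, old Unbound, the client using another resolver or a hosts entry).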
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.