How to block a top-level domain in pfSense

  • Hi,

    Is there any way to block a top-level domain?

    I'm trying to block all websites from a TLD, for example ".com".

    If there is, how?


  • For basic filtering needs, you can leverage the squid/squidGuard packages, but for anything more advanced you'll need to implement a UTM.

  • I used the DNS override in the DNS Resolver service; it seems to work if the client does not configure a manual DNS.

    Thanks anyway.

  • And you can put in block rules for port 53 to anywhere that is not the pfSense interface address, and/or redirect all traffic heading to some DNS on port 53 to pfSense. Then people "cannot" use an outside DNS server.

    (But if they do things like establish a VPN from their client to their favorite VPN provider, then their DNS will be tunneled in that, and so the pfSense rules will not see it to block or redirect it.)

    And if they fill their local hosts file on the client with the names and IP resolutions of all their favorite "naughty" sites, then they effectively have their own DNS "cache" (which will admittedly go gradually stale, but most big websites keep a permanent IP address). So their browser will resolve the site locally and then happily go off to them using the IP address.

    So there are ways for clients to get around all this stuff.

  • That's a good idea, blocking the DNS traffic!

    Yeah, there are always ways for clients to get around it, but I'm not worried, because it's for a school assignment.

    Thank you for the ideas.

  • The package pfBlockerNG will do TLD blocking using DNSBL.

  • I have tried that package, but for some reason it didn't work for me.

    If you know a tutorial on how to configure it, that would be great!


  • The package does not work for me either. Any guide would be appreciated.

  • If you want help with pfblocker, you should really post your questions in the package section, pointing out what version of pfSense you're using and what version of the package you're using.

    That being said, you sure do not need pfblocker to stop simple access to a TLD. Just put in a domain override for your TLD and you're done; just point the domain override to something that will not return anything: loopback, etc.

    Took all of 2 seconds to do.

    Clearly this would only work if the devices are actually pointing to pfSense for DNS. If they are using something else, then no, it wouldn't work, so block them from using something else, or redirect their DNS TCP/UDP 53 traffic to pfSense, and there you go, it works.

  • > I have tried that package, but for some reason it didn't work for me.

    > The package does not work for me either. Any guide would be appreciated.

    To implement this in pfBlockerNG DNSBL, just follow these basic instructions:

    Then enable the TLD option.
    Enter all of the TLDs that you would like to block, e.g. "ru", "cn", "pw", "top", etc., into the TLD Blacklist custom list. You can click on the blue info-block icons for further details.

    The benefit of using the TLD feature of the pfBlockerNG package is that blocking a TLD will also remove all other blocklist references to domains that have these blocked TLDs. So this will reduce the overall size of the DNSBL database.

    You can also leverage the TLD Whitelist option to allow a specific domain while still blocking all other domains in a TLD.

    Here is a list of the worst TLDs as reference:

    Hope that helps!
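The two mechanisms discussed in this thread (a domain override for a whole TLD, and pfBlockerNG's TLD blacklist with a TLD whitelist that re-allows one domain inside a blocked TLD) both come down to one property of Unbound, the resolver pfSense ships: the most specific matching local-zone decides the answer. The script below is an added example written for this page, not pfBlockerNG's own code and not the configuration the package generates (pfBlockerNG uses its own DNSBL virtual IP rather than NXDOMAIN answers). It takes a TLD blacklist, a TLD whitelist and a domain blocklist, prunes the blocklist entries a TLD block already covers (the "smaller DNSBL database" effect described above), emits the equivalent `local-zone:` lines, and simulates how Unbound would classify queries under them. All domain names are constructed sample data; `always_nxdomain` and `transparent` are real Unbound zone types.

```python
"""Added example: TLD-level DNS blocking expressed as Unbound local-zone rules.

Illustration for the thread, not pfBlockerNG's code. Unbound (the pfSense DNS
Resolver) applies the closest-matching local-zone to a query; that single rule is
what lets "block a whole TLD, then whitelist one domain inside it" work.
"""

# Constructed sample data (hypothetical names chosen for the demo, not a real feed).
TLD_BLACKLIST = ["ru", "cn", "pw", "top"]
TLD_WHITELIST = ["yandex.ru"]          # allow this domain although .ru is blocked
DOMAIN_BLOCKLIST = [                   # stand-in for a DNSBL feed
    "ads.example.com",
    "tracker.badsite.ru",              # redundant: the "ru" TLD zone already blocks it
    "malware.cn",                      # redundant: the "cn" TLD zone already blocks it
    "tracker.yandex.ru",               # must survive: it sits under a whitelisted domain
    "evil.example.net",
]

BLOCK = "always_nxdomain"   # Unbound zone type: NXDOMAIN for the whole subtree
ALLOW = "transparent"       # Unbound zone type: resolve normally


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.RU.' equals 'example.ru'."""
    return name.strip().lower().rstrip(".")


def parent_zones(name: str):
    """Yield the name, then each ancestor up to the TLD: 'a.b.ru' -> 'a.b.ru', 'b.ru', 'ru'."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def prune_blocklist(domains, tld_blacklist, tld_whitelist):
    """Drop entries already covered by a blocked TLD, but keep entries under a
    whitelisted domain: the whitelist re-opens that subtree, so those entries are
    the only thing still blocking it. (Design choice of this example.)"""
    blocked_tlds = {normalize(t) for t in tld_blacklist}
    allowed = {normalize(w) for w in tld_whitelist}
    kept = []
    for d in domains:
        d = normalize(d)
        if d in allowed:
            continue                       # explicitly whitelisted, never block it
        tld = d.rsplit(".", 1)[-1]
        under_whitelist = any(z in allowed for z in parent_zones(d))
        if tld in blocked_tlds and not under_whitelist:
            continue                       # redundant: the TLD zone already blocks it
        kept.append(d)
    return kept


def build_zones(tld_blacklist, tld_whitelist, domains):
    """Return an ordered {zone_name: zone_type} map equivalent to the config."""
    zones = {}
    for t in tld_blacklist:
        zones[normalize(t)] = BLOCK
    for w in tld_whitelist:
        zones[normalize(w)] = ALLOW        # more specific than the TLD zone, so it wins
    for d in prune_blocklist(domains, tld_blacklist, tld_whitelist):
        zones[d] = BLOCK
    return zones


def render_unbound(zones):
    """Lines in the form accepted by the Resolver's custom options box."""
    return [f'local-zone: "{name}." {ztype}' for name, ztype in zones.items()]


def classify(qname, zones):
    """Simulate Unbound's closest-match rule: the most specific matching zone decides."""
    for candidate in parent_zones(qname):
        if candidate in zones:
            return zones[candidate]
    return ALLOW                           # no local-zone matches: normal recursion


def is_blocked(qname, zones):
    return classify(qname, zones) == BLOCK


if __name__ == "__main__":
    zones = build_zones(TLD_BLACKLIST, TLD_WHITELIST, DOMAIN_BLOCKLIST)
    print("\n".join(render_unbound(zones)))
    for q in ["www.badsite.ru", "mail.yandex.ru", "tracker.yandex.ru",
              "www.example.com", "Ads.Example.COM."]:
        print(f"{q:22} -> {'BLOCKED' if is_blocked(q, zones) else 'resolves'}")
```

Note the order of precedence the simulation makes visible: `mail.yandex.ru` resolves because `yandex.ru.` (transparent) is closer than `ru.` (always_nxdomain), while `tracker.yandex.ru` is still blocked because its own zone is closer still. A whitelist entry therefore re-opens everything beneath it unless a more specific block is kept, which is why the pruning step does not discard blocklist entries under a whitelisted domain. As the earlier replies point out, none of this applies to clients that bypass the pfSense resolver.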
