DNSBL as content filter on a single NIC pfSense?
zonda last edited by
Here is the scenario:
- At the branch locations there is an edge router already configured as a zone-based firewall and is also the gateway for all the VLANs onsite, no change can be made to this topology
- Little to no configuration should be done to endpoints on the LAN to enable content filtering
*Have to have visibility as to what content is being blocked to provide reports
Tried Squid, Squidguard, and Lightsquid configured on a pfSense in appliance mode with only the WAN interface configured with an IP on the user VLAN and the router is redirecting web traffic to the proxy via a route-map. This works fine for transparently filtering HTTP traffic but breaks too many sites and applications for HTTPS filtering (SSL/MITM mode set to Splice All).
Performing content filtering via DNS seems like a better option to avoid all the MITM security issues.
Can pfBlockerNG and DNSBL be configured as a content filter on a pfSense appliance that is not deployed inline with user traffic? With just one interface on the LAN and clients pointed to the pfSense as their DNS server?
Thank you in advance for any configuration help or examples.
bmeeks last edited by bmeeks
You can do this, but you will have to make a few changes to your edge router/firewall. Here is the general overview of what you must do.
Configure the DNS Resolver and then pfBlockerNG and DNSBL on the pfSense box. You basically want to operate it as a DNS Server only, so make sure your pfSense box has a statically-assigned IP address in the LAN subnet. Your pfSense box is not going to be a firewall in this scenario.
Point all of your LAN clients to the pfSense/pfBlockerNG box as their "DNS Server". I assume your current edge router/firewall is also handling DHCP for the LAN, so change the DHCP config to supply clients with the pfSense box IP as their DNS server.
Things should now work, but clients can easily bypass it by configuring their own DNS server such as using 22.214.171.124, for example. You can block this by adding some firewall rules on that edge router/firewall to redirect all DNS queries on port 53 for all clients EXCEPT the pfSense box to the pfSense box. You must let the pfSense box talk to the outside DNS servers in order for DNS to work, but you want all other LAN clients to be redirected to the pfSense box if they try any DNS lookups on UDP or TCP port 53.
zonda last edited by
Thank you for the configuration overview!
I have set this up in a lab and it does work...somewhat. A test client on the LAN with the pfSense configured as their DNS server is able to browse to allowed destinations and pages that should be blocked (using Shallalist option in DNSBL and selecting categories to block such as porn) do not load.
Unfortunately, the blocked webpage that DNSBL should redirect a client to and all the reporting features showing DNSBL stats do not work. Is this expected with this type of deployment?
bmeeks last edited by
I'm not a pfBlockerNG/DNSBL expert, but I am not sure the redirect part can work with the firewall itself being on a different box (your existing edge router). My limited understanding is the pfBlockerNG/DNSBL combo uses a web server running on the pfSense box along with a virtual IP address to do the blocking redirection.
You posted your question in the correct sub-forum, so maybe some of the experienced pfBlockerNG/DNSBL users- or the package maintainer himself - can weigh in with a possible solution for you.
joaster last edited by
Did you got it to work? I too have a single NIC pfSense appliance on the LAN with DNSBL configured. In the web interface under DNS lookups it works, good addresses resolve and bad addresses return 10.10.10.1.
I my case however the client using the appliance as DNS server does not resolve any site. Can you tell me how you got the clients on the network to resolve? And is you got redirection and reporting to work as well?
Which version of pfSense are you on? If its 2.4.4-p3, then probably related to this:
Try the patch that is there... I have posted a PR but waiting on the pfSense Devs to approve.
joaster last edited by joaster
@BBcan177 thanks for your reply.
I solved the resolving of clients myself, when the pfSense appliance is not inline (e.g. router/firewall), you have to specifically allow access to the DNS Resolver to allow for DNS requests from outside (menu: Services \ DNS Resolver \ Access Lists).
You might be right for the redirection page (I am on 2.4.4-p3), it does not show a page. The client webbrowser just hangs. As @zonda describes the reporting of DNSBL stats does not work either.
So there is still some work to do. Anyone got reporting to work on a pfSense appliance that is not inline, but installed locally on the network with one interface (LAN) only?