Netgate Discussion Forum

How to connect Windows DNS server to pfBlockerNG

kapvcop

Hi, how should the topology be, and how can I set up pfBlockerNG as a DNS forwarder... like this: the Windows DNS server uses pfBlockerNG as a DNS forwarder.

      What I want is for windows to use pfblockerng as a content filter, and my users would use Windows as their DNS server. How should I configure pfsense for this?

      thanks

mcury

Through the DHCP settings in pfSense (assuming you are using pfSense DHCP), set users to use the Windows DNS server.

        Inside the Windows Server, you set a DNS forward to pfsense.

        This configuration would be something like this in case you are using Samba.

        cat /etc/samba/smb.conf (note, X.X.X.X is the pfsense DNS server).

    # Global parameters
    [global]
        dns forwarder = X.X.X.X

        Inside the pfsense unbound (DNS resolver), you could set something like a domain override and point it to your Windows Server, but that is not always necessary.


kapvcop @mcury
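The Windows-side half of mcury's setup, as an added example that is not code from the thread: on a Windows DNS server the "DNS forward to pfsense" step is done in the DNS Server module, and the part that is easy to miss is that root-hint fallback must be off, otherwise the Windows server resolves on its own whenever the forwarder is slow and the queries never reach unbound. The pfSense LAN address 192.168.1.1 is an assumption; replace it with yours.

```powershell
# Added example (not from the thread): make the pfSense unbound resolver the
# ONLY forwarder of a Windows DNS server, so every query the Windows server is
# not authoritative for goes through pfSense (and therefore pfBlockerNG DNSBL).
# Run in an elevated PowerShell on the Windows DNS server (DnsServer module).
# ASSUMPTION: 192.168.1.1 is the pfSense LAN IP; change it to match your network.
$PfSenseLanIp = '192.168.1.1'

# Show what the server forwards to today. A public resolver listed here
# (8.8.8.8, the ISP resolver, ...) means those queries bypass the filter.
Write-Host 'Current forwarders:'
Get-DnsServerForwarder | ForEach-Object { $_.IPAddress | ForEach-Object { "  $_" } }

# Replace the whole forwarder list with pfSense only.
# -UseRootHint $false: with root hints enabled the Windows server falls back to
# resolving from the root servers itself when the forwarder does not answer,
# which silently skips DNSBL. -Timeout is the per-forwarder wait in seconds.
Set-DnsServerForwarder -IPAddress $PfSenseLanIp -UseRootHint $false -Timeout 3

# Drop answers cached before the change so later tests reflect the new path.
Clear-DnsServerCache -Force

# Confirm the change actually applied.
$fw = Get-DnsServerForwarder
$configured = @($fw.IPAddress | ForEach-Object { "$_" })
if (($configured -join ',') -ne $PfSenseLanIp -or $fw.UseRootHint) {
    throw "Forwarder configuration did not apply: forwarders=$($configured -join ','), UseRootHint=$($fw.UseRootHint)"
}
Write-Host "Forwarding to $PfSenseLanIp only, root hints disabled."
```

The same result can be set in the DNS Manager GUI (server properties, Forwarders tab, untick "Use root hints if no forwarders are available"); the script form is useful because it can be re-run as a check after someone edits the forwarder list.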

@mcury ☺ Hello, thanks for the answer. In effect, I managed to get Windows to see the pfSense and validate it in its forwarder. Now I see that pfBlockerNG is not doing anything: although it is giving the answers to the server, they are not going through pfBlockerNG. I did a test, manually put the IP of the pfSense on a PC in the DNS server part, and I observe that it returns the names of the pages, but it seems strange to me that I don't see pfBlockerNG showing any blocking activity; in fact I can open pages that with the Pi-hole I could not. Could it be failing? Thanks in advance

bmeeks @kapvcop

@kapvcop said in How to connect Windows DNS server to pfBlockerNG:

@mcury ☺ Hello, thanks for the answer. In effect, I managed to get Windows to see the pfSense and validate it in its forwarder. Now I see that pfBlockerNG is not doing anything: although it is giving the answers to the server, they are not going through pfBlockerNG. I did a test, manually put the IP of the pfSense on a PC in the DNS server part, and I observe that it returns the names of the pages, but it seems strange to me that I don't see pfBlockerNG showing any blocking activity; in fact I can open pages that with the Pi-hole I could not. Could it be failing? Thanks in advance

            pfBlockerNG is not a DNS resolver or forwarder. It is an IP blocking engine that blocks by inserting rules into the pfSense firewall engine. Those inserted rules block particular IP addresses.

            I think, from your description, that you are really trying to use the DNSBL (DNS blacklist/blocklist) feature embedded within pfBlockerNG-devel. That feature works by utilizing the built-in DNS resolver in pfSense called unbound. The DNSBL feature gives unbound a list of domain names that it should return a local IP address for. By returning a local address instead of the actual IP address of that domain, things like ads get blocked.

            So first, before trying to use tools like this, you need to be sure you understand the terms "DNS resolver" versus "DNS forwarder", and then be sure you understand when you would want to use one versus the other. They are NOT the same thing at all!

So, to greatly simplify this explanation, it sounds like you want your Windows clients to use a Windows DNS server. This should be an Active Directory domain controller on your LAN that is providing DNS, Active Directory and likely DHCP services in your Windows network. That Windows DNS server should be set to use forwarding mode so it sends domain name requests for any domains it is not authoritative for to an external DNS server. In your case you want that external DNS server to be your pfSense firewall's LAN IP address where the unbound DNS resolver is running. The unbound resolver should in turn be configured using the DNSBL feature of pfBlockerNG-devel so that unbound knows what DNS names it should return that "bogus" local IP address for instead of the real IP. That's how ad blocking and malware blocking works using pfBlockerNG-devel with DNSBL. You should NOT be using any kind of DNS forwarder on your firewall. You should be using the resolver feature of unbound.

kapvcop
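A way to tell the two situations in this thread apart ("unbound sinkholes the name, but answers reaching the client are still real" versus "nothing is sinkholed at all"), as an added example and not code from the thread or from pfBlockerNG: query a name you know is on an enabled DNSBL feed, plus an unfiltered control name, first directly at pfSense and then at the Windows DNS server, and compare. The addresses 192.168.1.1 (pfSense), 192.168.1.10 (Windows DNS) and 10.10.10.1 (the DNSBL virtual IP, taken from pfBlockerNG's DNSBL settings page) and the name `blocked.example` are placeholders you must replace.

```powershell
# Added example (not from the thread): check that a DNSBL-listed domain is
# sinkholed on every hop of the chain client -> Windows DNS -> pfSense unbound.
# Run from any Windows 8 / Server 2012 or later PC (DnsClient module).
# ASSUMPTIONS (edit to match your network):
#   192.168.1.1   pfSense LAN IP where the unbound resolver listens
#   192.168.1.10  the Windows DNS server (AD domain controller)
#   10.10.10.1    the DNSBL virtual IP configured in pfBlockerNG's DNSBL settings
#   blocked.example  placeholder: use a name from an enabled DNSBL feed's domain list
#   example.com      control name that should resolve normally
$PfSenseIp   = '192.168.1.1'
$WindowsDns  = '192.168.1.10'
$SinkholeIp  = '10.10.10.1'
$BlockedName = 'blocked.example'
$AllowedName = 'example.com'

function Get-ARecords {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly skips LLMNR/NetBIOS so only a real DNS answer counts;
        # -NoHostsFile stops a local hosts entry from masking the result.
        Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress }
    } catch {
        @()   # NXDOMAIN, SERVFAIL or timeout: treat as "no A record"
    }
}

$problems = @()
foreach ($server in @($PfSenseIp, $WindowsDns)) {
    $blocked = @(Get-ARecords -Name $BlockedName -Server $server)
    $allowed = @(Get-ARecords -Name $AllowedName -Server $server)
    '{0,-15} {1,-22} -> {2}' -f $server, $BlockedName, ($blocked -join ', ')
    '{0,-15} {1,-22} -> {2}' -f $server, $AllowedName, ($allowed -join ', ')

    if ($blocked -notcontains $SinkholeIp) {
        $problems += "$server returned a real address (or nothing) for $BlockedName: DNSBL not applied on this path"
    }
    if ($allowed.Count -eq 0 -or $allowed -contains $SinkholeIp) {
        $problems += "$server did not resolve the control name $AllowedName normally"
    }
}

# How to read a mismatch:
#  - pfSense sinkholes but Windows DNS does not: the Windows server is answering
#    from its own cache (Clear-DnsServerCache), has another forwarder or root
#    hints enabled, or has a conditional forwarder for that zone.
#  - neither sinkholes: DNSBL is not enabled or not yet updated in pfBlockerNG,
#    or pfSense is running the DNS Forwarder (dnsmasq) instead of the DNS
#    Resolver (unbound), which is the only service DNSBL feeds into.
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'DNSBL is enforced at pfSense and at the Windows DNS server.' }
```

Running it from a client that still has a third resolver configured (an old DHCP lease pointing at a public resolver, for instance) is the usual explanation for "pages open fine even though unbound blocks them"; the script deliberately queries each server by address so that the client's own resolver settings do not influence the result.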

Thanks a lot, that was useful to me.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.