How to conect Windows DNS server to Pfblockerng



  • Hi, how can it be the topology and how can i put the pfblockernk that a dns forwarding... like this: Windows DNS server use the pfblockerng like a dns forwarding.

    What I want is for windows to use pfblockerng as a content filter, and my users would use Windows as their DNS server. How should I configure pfsense for this?

    thanks



  • Through the DHCP settings in the pfsense (assuming that you are using pfsense DHCP)
    Set users to use the Windows DNS server.

    Inside the Windows Server, you set a DNS forward to pfsense.

    This configuration would be something like this in case you are using Samba.

    cat /etc/samba/smb.conf (note, X.X.X.X is the pfsense DNS server).

    Global parameters

    [global]
    dns forwarder = X.X.X.X

    Inside the pfsense unbound (DNS resolver), you could set something like a domain override and point it to your Windows Server, but that is not always necessary.



  • @mcury ☺ Hello, thanks for the answer, in effect, I managed to get Windows to see the PFSENSE and validate it in its forwarder, now I see that the pfblockerng is not doing anything, although it is giving the answers to the server they are not going through the pfblockerng. I did a test, manually put the ip of the pfsense to a pc in the dns server part and I observe that it returns the names of the pages but it seems strange to me that I don't see that the pfblockerng doesn't show any blocking activity, in fact I can open pages that with the Pihole could not do it, that it will be failing ?, thanks in advance



  • @kapvcop said in How to conect Windows DNS server to Pfblockerng:

    @mcury ☺ Hello, thanks for the answer, in effect, I managed to get Windows to see the PFSENSE and validate it in its forwarder, now I see that the pfblockerng is not doing anything, although it is giving the answers to the server they are not going through the pfblockerng. I did a test, manually put the ip of the pfsense to a pc in the dns server part and I observe that it returns the names of the pages but it seems strange to me that I don't see that the pfblockerng doesn't show any blocking activity, in fact I can open pages that with the Pihole could not do it, that it will be failing ?, thanks in advance

    pfBlockerNG is not a DNS resolver or forwarder. It is an IP blocking engine that blocks by inserting rules into the pfSense firewall engine. Those inserted rules block particular IP addresses.

    I think, from your description, that you are really trying to use the DNSBL (DNS blacklist/blocklist) feature embedded within pfBlockerNG-devel. That feature works by utilizing the built-in DNS resolver in pfSense called unbound. The DNSBL feature gives unbound a list of domain names that it should return a local IP address for. By returning a local address instead of the actual IP address of that domain, things like ads get blocked.

    So first, before trying to use tools like this, you need to be sure you understand the terms "DNS resolver" versus "DNS forwarder", and then be sure you understand when you would want to use one versus the other. They are NOT the same thing at all!

    So to greatly simplify this explanation, sounds like you want your Windows clients to use a Windows DNS server. This should be an Active Directory domain controller on your LAN that is providing DNS, Active Directory and likely DHCP services in your Windows network. That Windows DNS server should be set to use forwarding mode so it sends domain name requests for any domains it is not authoritative for to an external DNS server. In your case you want that external DNS server to be your pfSense firewall's LAN IP address where the unbound DNS resolver is running. The unbound resolver should in turn be configured using the DNSBL feature of pfBlockerNG-devel so that unbound knows what DNS names it should return that "bogus" local IP address for instead of the real IP. That's how ad blocking and malware blocking works using pfBlockerNG-devel with DNSBL. You should NOT be using any kind of DNS forwarder on your firewall. You should be using the resolver feature of unbound.



  • Thanks a lot that was usefully to me


Log in to reply