adult content and malware filtering using DNS
-
Hello,
This is a simple way to filter porn:
1. At General Settings, put 1.1.1.3 and 1.0.0.3
2. Add to Services > DNS Forwarder > Custom options: server=/use-application-dns.net/
Notes
If you host a mail server: the mail system can not use public DNS servers. It uses Comcast's 75.75.75.75 and 75.75.76.76. Note: using public DNS servers caused some email to not get in. Per Postfix author Wietse, public DNS servers should not be used when checking blacklists.
Firefox has an issue: if a user chooses to use DNS over HTTPS, then our DNS servers will not be used for WAN. DNS over HTTPS can be turned off at Firefox settings.
see https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet ,
https://github.com/alblue/dnsmasq-example/blob/main/dnsmasq.d/dns-no-doh.conf
https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families -
Take this part of the postfix manual, written by the same author : DANE TLS authentication
It boils down to : use a locally available resolver. So : not a forwarder like dnsmasq.
If this local resolver, and it's named with its name : unbound, by default available and active when you install pfSense, you can have "all the DNS you need" and reach the bottom of the DNS pit : you use DANE (for mail delivery = the mail client, DANE doesn't apply to the mail server).
Ok to use a remote, commercial or other resolver like 1113 or 1003.
@robfantini said in adult content and malware filtering using DNS:
if you host a mail server: the mail system can not use public dns servers.
And why not ?
@robfantini said in adult content and malware filtering using DNS:
It uses comcast's 75.75.75.75 and 75.75.76.76
postfix doesn't know who they are. Why would it use comcast's resolvers ?
I presume these are your ISP resolvers, made available to you "if needed". An ISP client that uses pfSense, like you and me, doesn't need the DNS services of our ISP. "We don't care" as we can tap into the one and only DNS source available on the Internet : the DNS root servers.
You went one step further by not using the ISP mail capabilities : you created your own mail server.
That is : a mail server behind an ISP A, AAAA (MX), your WAN IP : be careful : these IPs are listed on DNSBLs used by the big mail players. Most of the world's ISP clients can't even send mail to any destination, port 25, except the mail server of their ISP. This means : hosting a mail server @home is mission impossible. Lucky you if your ISP permits the usage of port 25, but still : be careful : your IP is known as an ISP IP, so the big players can/will behave accordingly (ditching your mail as 'spam' by default, or worse).
@robfantini said in adult content and malware filtering using DNS:
using public dns servers caused some email to be not get in
Why ?
If you want to send me a mail at postmaster at test-domaine dot fr (a domain I use for testing purposes) then 1.1.1.3 or any other public resolver will give you all that is needed :
[23.05.1-RELEASE][root@pfSense.bhf.tld]/root: dig @1.1.1.3 test-domaine.fr MX +short
10 mail.test-domaine.fr.
[23.05.1-RELEASE][root@pfSense.bhf.tld]/root: dig @1.1.1.3 mail.test-domaine.fr A +short
5.196.43.182
My mail server lives at that address, a dedicated server, somewhere in a data center.
Let's reverse :
[23.05.1-RELEASE][root@pfSense.bhf.tld]/root: dig @1.1.1.3 -x 5.196.43.182 +short
mail.test-domaine.fr.
@robfantini said in adult content and malware filtering using DNS:
Per Postfix author Wietse public dns servers should not be used when checking blacklists
He, or the authors of postfix, say (I copy) :
Therefore, it is strongly recommended (DANE security guarantee void otherwise) that each MTA run a local DNSSEC-validating recursive resolver ("unbound" from nlnetlabs.nl is a reasonable choice) listening on the loopback interface, and that the system be configured to use only this local nameserver. The local nameserver may forward queries to an upstream recursive resolver on another host if desired.
So, good news : pfSense using default settings is the perfect choice.
No forwarding .... (but you could if desired)
@robfantini said in adult content and malware filtering using DNS:
firefox has an issue
Firefox, IMHO, wants to protect the end user, the guy that uses the browser.
As such, it will distrust any "MITM DNS" sources like the pfSense resolver, and tap into the DNS system it has chosen to trust, not using the classic DNS traffic to port 53 (== non TLS), so very visible during transit. It will use DoH or DoT, both using TLS, to reach known resolvers available on the Internet. A design choice you can accept or reject.
Way in the past, I told my Firefox to use my own local network's DNS, running on pfSense. As pfSense/unbound uses DNSSEC, if available, and I prefer by far to get a known good DNS answer over a possibly spoofed one. And yes, I don't care 'some one' can see that I visit "forum.netgate.com" or "www.google.com". This is a personal choice of course.
Btw : Edge, Chrome, etc all use by default DOH or DOT when you install them, not only Firefox.
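The pieces of this thread put together as one resolver configuration, added here as an example and not taken from any of the posts above: an unbound fragment that returns NXDOMAIN for Firefox's canary domain (the same intent as the dnsmasq line in the first post) and forwards everything else to Cloudflare's 1.1.1.3 / 1.0.0.3 filter, while keeping local DNSSEC validation on so the DANE requirement quoted from the Postfix manual still holds. It assumes unbound is the resolver, as the reply recommends instead of the dnsmasq forwarder, and that these directives are placed in Services > DNS Resolver > Custom options on pfSense or in unbound.conf on any other host; the DNSSEC trust anchor is assumed to be configured elsewhere (on pfSense, the Resolver's DNSSEC option).

```conf
# Added example, not configuration from the original thread.
# Assumed location: pfSense Services > DNS Resolver > Custom options,
# or a plain unbound.conf on another host.

server:
    # Firefox's canary domain: an NXDOMAIN here tells browsers that
    # check it to stay on the network resolver rather than switch to
    # DoH by default. Same effect as dnsmasq's
    # server=/use-application-dns.net/ from the first post.
    local-zone: "use-application-dns.net" always_nxdomain

    # Keep the validator loaded: unbound checks the RRSIGs it receives
    # from the upstream itself, so DANE/TLSA answers are validated
    # locally exactly as the quoted Postfix manual requires.
    module-config: "validator iterator"

# Send all other queries to Cloudflare's adult-content + malware filter.
# Omit this block on the mail host itself: a shared public resolver is
# the reason DNSBL lookups were refused in the last post, so the MTA's
# own unbound should recurse to the root servers instead of forwarding.
forward-zone:
    name: "."
    forward-addr: 1.1.1.3
    forward-addr: 1.0.0.3
```

For the Postfix host, the manual excerpt quoted above translates to an unbound instance on 127.0.0.1 without the forward-zone block, with the host's resolver pointed only at that loopback address, and with smtp_dns_support_level = dnssec and smtp_tls_security_level = dane in main.cf (both parameters are from the Postfix DANE documentation referenced in this reply); without a validating resolver on loopback, Postfix cannot trust the AD flag and DANE silently gives no guarantee.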
-
Thank you for the correction.
The issue with using a public dns server is that DNS blocklist lookups can get blocked leading to mail acceptance issues. When I used Cloudflare DNS we had a few emails that were not accepted.
I tried to edit my post above to remove the internal setting of Comcast DNS [ our ISP provider ] .
I suppose running bind on our mail server is the best way to go