Netgate Discussion Forum

    DNS Blacklist, New Package! Check it out.

      Supermule

      http://www.countryipblocks.net/

      Is the site you want for the Country IP blacklist….

        xa0z

        Maybe the IP Blacklist is something mcrane can do as another package.  My package is dealing with DNS, and you can't do an IP Blacklist with DNS.  Doing an IP Blacklist would require modifying your iptables to block route to the IPs or Subnets selected, and that's not exactly something I want to mess with, especially at this time anyway.

          xa0z

          Here is a little teaser for you guys…  I still need to work on how we read/edit the blacklist.  I was doing it with PHP but it uses too much RAM, so now we're doing it in sh which runs a lot quicker.  Just need a little more time, so please be patient.

            jaime

            @xa0z:

            Here is a little teaser for you guys…  I still need to work on how we read/edit the blacklist.  I was doing it with PHP but it uses too much RAM, so now we're doing it in sh which runs a lot quicker.  Just need a little more time, so please be patient.

            I don't mind waiting, take your time. I would rather wait and have you get it working correctly than be rushed and have it break something. Thanks for working on it further!

              kiko-lpa

              Hi,

              First of all thanks for the package.

              I am moving my pfSense 1.2.3 to newer hardware and would like to use DNS Blacklist with the new install. I have tried it and like how it works and the idea.

              I am having a problem that I have not been able to solve; I am probably missing something or don't know the full usage of the package. At my company we are using Google Apps for email and other services; the email accounts are set up for POP and SMTP use and have email clients configured.

              If DNS Blacklist is enabled with only the adult filter, smtp and pop.gmail.com become inaccessible; if I disable the adult filter or DNS Blacklist, everything works well again. For your information, Google email uses SSL ports for email configuration, ports 465 and 995.

              I have looked in the /adults/domain, /url and /expressions files and have not found anything for gmail.

              For the moment I have to stop using it until a whitelist is available or I find a solution for my problem.

              Any suggestions or ideas?

              Many Thanks  :-\

                jaime

                More than likely what's going on is that the site or whatever you're trying to access (even though safe) happens to share a DNS server that is within the blacklist… at least that's my conclusion that makes the most sense to me...

                  kiko-lpa

                  @jaime:

                  More than likely what's going on is that the site or whatever you're trying to access (even though safe) happens to share a DNS server that is within the blacklist… at least that's my conclusion that makes the most sense to me...

                  My apologies, I'll explain what happened on a second review.

                  1. I use WinSCP to access my box. I used the text editor included in WinSCP and the search function did not work, so I could not find what I was looking for.
                  2. When changes are made to DNS Blacklist, I have to disable and enable the package again; then it reloads the settings.
                  3. I have to do a DNS flush on my PC (Windows), so I clean DNS destinations.

                  As I said, I need further information to use it properly. I would suggest a manual for the application, and if you wish I could set up a Google Apps document for you where collaborative editing and sharing could be applied. I could also make some translations of it.

                  Thanks

                    jaime

                    Now, when you change the settings (and reload the package to make said changes take effect) and then flush the DNS on the PCs, does it work correctly, or does it block needed sites? Or does it block them before the DNS flush?

                      xa0z

                      Okay guys.  What other "addons" do we need?  We already have the category section, the manual addition of both whitelisting and blacklisting.

                      We can't do blocking by IP only so that's out.  I can't really think of too much more.

                        shadowteller

                        @xa0z:

                        Okay guys.  What other "addons" do we need?   We already have the category section, the manual addition of both whitelisting and blacklisting.

                        Been a while since I have checked this project out, however at the time it redirected a blocked page to google.  The ability to set up a custom redirect would be awesome.

                        With Regards….

                          jaime

                          Hmmm… I was thinking about that myself too, and I think that would be something really good to have also (not all of us prefer to use/redirect to Google... lol!)

                            xa0z

                            You can change the IP to redirect to.  But since we're using DNSMasq, we can only tell it an IP to resolve to.  We can't use hostnames without also telling the server that such and such IP should reverse to such and such domain.  Using the google IP was easiest, but you can just put it as 0.0.0.0 if you want.

                            1 Reply Last reply Reply Quote 0
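
The redirect described in the post above, as an added example that is not part of the original post and not the package's own script: a POSIX sh function that turns a domain list into dnsmasq `address=/domain/IP` lines, drops whitelisted names, rejects a sink that is not shaped like an IPv4 address, and installs the file with a rename. The function names, file names and sample domains are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the DNS Blacklist package's own script.
# Function names, file names and sample domains are assumptions.

# Strip comments and whitespace, lower-case, keep only plain hostnames
# (so list content cannot smuggle extra dnsmasq directives), sort uniquely.
normalise_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | tr 'A-Z' 'a-z' |
        grep -E '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$' | LC_ALL=C sort -u
}

# build_blacklist_conf BLACKLIST WHITELIST SINK_IP OUTFILE
build_blacklist_conf() {
    bl=$1; wl=$2; sink=$3; out=$4
    # dnsmasq can only answer with an address, so insist on a dotted quad
    # (shape check only; octet ranges are not validated).
    case $sink in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) sink= ;;
        *.*.*.*) ;;
        *) sink= ;;
    esac
    [ -n "$sink" ] || { echo "sink must be an IPv4 address" >&2; return 2; }
    work=$(mktemp -d) || return 1
    normalise_list "$bl" > "$work/bl"
    normalise_list "$wl" > "$work/wl"
    # Remove exact whitelist matches, then emit one address= line per domain.
    LC_ALL=C comm -23 "$work/bl" "$work/wl" |
        sed "s|.*|address=/&/$sink|" > "$work/conf"
    # Write beside the target and rename, so a restart of dnsmasq never
    # finds the file missing or half written.
    cp "$work/conf" "$out.new" && mv "$out.new" "$out"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Constructed sample input.
demo=$(mktemp -d)
printf 'Ads.Example.com\nbad.example.net # note\nnot/a/host\n' > "$demo/black"
printf 'bad.example.net\n' > "$demo/white"
build_blacklist_conf "$demo/black" "$demo/white" 0.0.0.0 \
    "$demo/dnsmasq.blacklist.conf" && cat "$demo/dnsmasq.blacklist.conf"
```

dnsmasq applies an `address=/domain/` entry to the domain and every name beneath it, so removing a whitelisted name only helps if no parent domain of it remains in the list.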
                              jaime

                              And I am gonna guess that it is changed in the CFG file or whatever, or will the interface have that built in?

                                shadowteller

                                Yeah you can hardcode the IP address.  Would be nice if you could extend it with a specific file name.  ie 192.168.0.2/banned.html

                                  cybrsrfr

                                  I created a web server package for pfSense called vhosts. You could put your custom message on one of the virtual hosts and simply have this package point to it.

                                    DWAyotte

                                    I think I found a small bug. When you are in Services > DNS Blacklist and you click on the pfSense logo at the top (I use the code-red theme, by the way), which takes you to Status > System, or in other words "Home", it is a bad link: it tries to send you here: https://1.2.3.4/packages/dnsblacklist/index.php which is a 404 Not Found (tested on 2 separate FWs).

                                    Also, just wondering. Will it be possible to query lists such as the Spamhaus DROP list?
                                    http://www.spamhaus.org/drop/
                                    Even being able to query their Zen list would be awesome, it would help take a little load off of mail servers that utilize the zen list for spam prevention.
                                    http://www.spamhaus.org/zen/

                                    Kudos on the package, by the way. I have long wanted something similar to OpenDNS that is built into pfSense so you don't have to deal with the OpenDNS bullcrap! Many thanks and great work.

                                      jaime

                                      Will this be an auto-update package that can be updated through the GUI, or must it be installed via shell or whatever?

                                        jigpe

                                        Hi, what's the name of your channel on freenode again?

                                          cronist

                                          The "adult" section of DNS Blacklist prevents logging in to Facebook because it works on an IP basis,
                                          so all the domains hosted on the same server are blocked.
                                          When I tried to log in to Facebook by filling in the username and password, I got the Google home page with a *.google.com certificate.
                                          How can I solve this issue?

                                          1 Reply Last reply Reply Quote 0
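
One way to check whether a list entry covers a hostname such as the ones reported in this thread, given as an added example that is not part of any post or of the package: the function walks from the full name up through its parent domains and reports every whole-line match. It assumes the lists hold one domain per line and are loaded into dnsmasq as `address=/domain/IP` entries; the function name and sample domains are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; not part of the DNS Blacklist package.
# Assumes each list holds one domain per line and is loaded into dnsmasq as
# address=/domain/IP, which covers the domain and every name beneath it.

# find_blocking_entry HOSTNAME LISTFILE...
# Prints "listfile: entry" for each entry equal to HOSTNAME or a parent of it.
# Returns 0 if at least one entry matched, 1 otherwise.
find_blocking_entry() {
    name=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    shift
    status=1
    while [ -n "$name" ]; do
        for list in "$@"; do
            # Lower-case and strip CRs left by Windows editors, then look
            # for the candidate as a whole line (no substring matches).
            if tr 'A-Z' 'a-z' < "$list" | tr -d '\r' | grep -Fxq -- "$name"; then
                printf '%s: %s\n' "$list" "$name"
                status=0
            fi
        done
        # Drop the leftmost label: smtp.gmail.com -> gmail.com -> com
        case $name in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
    return $status
}

# Constructed sample list.
demo=$(mktemp -d)
printf 'example.org\r\ncdn.example.net\r\n' > "$demo/domains"
find_blocking_entry smtp.mail.example.org "$demo/domains"   # parent match
find_blocking_entry example.net "$demo/domains" || echo "example.net: not listed"
```

This check only covers one-domain-per-line lists such as the `domain` files mentioned earlier in the thread.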
                                            ginosteel

                                            After installing the package I got:

                                            May 17 01:53:11 dnsmasq[2526]: cannot read /usr/local/etc/dnsmasq.blacklist.conf: No such file or directory
                                            May 17 01:53:11 dnsmasq[2526]: cannot read /usr/local/etc/dnsmasq.blacklist.conf: No such file or directory
                                            May 17 01:53:11 dnsmasq[2526]: FAILED to start up
                                            May 17 01:53:11 dnsmasq[2526]: FAILED to start up
                                            May 17 01:53:12 php: /index.php: [DEBUG] Lock recursion detected.

                                            and everything was messed up, and even my own DNS couldn't resolve

                                            1 Reply Last reply Reply Quote 0
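
The log above shows dnsmasq refusing to start because an included file is absent. As an added example (not pfSense or package code), a pre-start check that reads `conf-file=` lines from a main configuration file, reports includes that cannot be read, and can create empty placeholders so the resolver still starts. That the include is referenced through a `conf-file=` line in a configuration file is an assumption, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added illustration; not part of pfSense or the DNS Blacklist package.
# Assumes includes are declared as conf-file=<path> lines in a config file.

# list_includes MAINCONF: print the path named by each conf-file= line.
list_includes() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^[[:space:]]*conf-file[[:space:]]*=[[:space:]]*//p' "$1"
}

# missing_includes MAINCONF: print includes that are absent or unreadable.
# Returns 0 if every include is readable, 1 otherwise.
missing_includes() {
    missing=$(list_includes "$1" | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# repair_includes MAINCONF: create an empty file for each missing include.
# An empty file is valid configuration, so dnsmasq starts and keeps
# resolving; filtering stays off until the list is regenerated (fail open).
repair_includes() {
    missing_includes "$1" | while IFS= read -r f; do
        mkdir -p "$(dirname "$f")" && : > "$f" && echo "created empty $f" >&2
    done
    missing_includes "$1" >/dev/null
}

# Constructed sample configuration pointing at a file that does not exist.
demo=$(mktemp -d)
printf 'domain-needed\n#conf-file=/ignored\nconf-file=%s/dnsmasq.blacklist.conf\n' \
    "$demo" > "$demo/dnsmasq.conf"
missing_includes "$demo/dnsmasq.conf" || echo "dnsmasq would fail to start"
repair_includes "$demo/dnsmasq.conf" && echo "all includes readable"
```

Creating an empty placeholder keeps name resolution working but leaves filtering off, so the check should log loudly when it has to repair anything.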