DNS Blacklist, New Package! Check it out.
-
Mine is running fine.
1.2.3-RC2
built on Sat Jul 18 19:19:52 EDT 2009
FreeBSD 7.2-RELEASE-p2 i386DNS Blacklist 0.2.4
Yes, after the installation of DNS Blacklist. I have to manual restart the services.
My Box run in Bridge mode, I guess yours are different in NAT mode.
Davc
-
After installing DNS Blacklist you shouldn't be required to restart dnsmasq as nothing is edited that pertains to dnsmasq at the time. DNS Blacklist adds the dnsmasq.conf, and dnsmasq.blacklist.conf files into /usr/local/etc/. When DNS Blacklist is enabled it adds a string into dnsmasq.conf to load the dnsmasq.blacklist.conf file, then restarts dnsmasq. Any of the categories you select are entered within the dnsmasq.blacklist.conf file and that is what allows us to filter dns querys to the local server.
I am in no way out to seek any money from anyone for the blacklist database I'm putting together. I can maintain a "main blacklist" but users would be free to add their own domains that aren't already listed. Here soon I'll work on adding a custom Blacklist/Whitelist text area for you to enter your own on the fly.
If you want to block all https, you need to put a block on dport:443, that isn't associated with DNS Blacklist.
-
| If you want to block all https, you need to put a block on dport:443, that isn't associated with DNS Blacklist.
- I dont want to block 443 from Firewall LAn.. Some users needs to access legitimate https sites…. Kindly show us the right way xa0z? Thanks
jigp |
-
I can't really thank you enough for putting in the effort for this package. This is exactly what my place of employment has been looking for to push us off of using WatchGuard Fireboxes and moving to a custom-built firewall running pfSense.
Thanks, and if you need any help, let me know!
-
Is that package the same as using squid with 0 cache + squidGuard using the urlblacklist.com filter?
-
Not really, but the same concept mainly. We're not using proxies, and are just making hostnames that you don't want allowed on your network to resolve to a specific IP rather than loading a proxy, etc.
So for instance, if you have facebook.com added to the category of denied hosts, then if anyone tried to resolve the forementioned host name then it would resolve to the IP I currently have set in the config, which is a Google IP. So all requests would be for example like so… http://www.facebook.com/games/mafiawars, would actually load http://www.google.com/games/mafiawars, which would fail, and alert you so.
I do have improvement ideas I'd like to implement in, but I won't be able to submit/commit them until mcrane is ready to do so and currently he has other projects he's working on.
-
As I understand the LAN DNS must be the pfsense DNS forwarder in order to make this package work?
10X for your effort
-
Yes, in order to use this you MUST do 1 of two things…
1: Make sure ALL clients on your LAN have the pfSense Gateway IP as their DNS IP.
2: Set any and all connections that pass through on port 53, to bind back to the router IP on port 53.
-
Are there any sense in doing this, if other DNS Services (OpenDNS) will override the settings on this??
-
In order for OpenDNS, and other DNS Services to work, you need to use their IP Address as your DNS Server IP.
The concept of OpenDNS and DNSBlacklist is about the same except the changes made to DNSBlacklist are local (on the system)
If you run DNS Blacklist, or other DNS Services like OpenDNS you can prevent people from loading other DNS Servers by forcing ALL outbound connections to port 53 to stop at the pfSense box. This way no matter where they try to resolve host names, it will always use the DNS Server on the pfSense box, be that the DNS Forwarder of OpenDNS, etc.
-
How do you specific prevent people from doing that???
How to in Pfsense???
-
Highlighted in RED.
-
I cant see anything….
-
heh, reload the page. it should show up now.
-
Does it have any effect when in that order???
-
The order for the Rules does not matter.
-
i like the idea of a block list built into pfsense, but i don't like the idea of a pfsense blocklist, if you could just create the interface so that you can make your own lists that would be great.
thanks.
- have not tried the package yet..
-
The next release will contain the ability to create your own black/white-list within the web configuration.
We will also have the ability to let users upload their own compiled blacklists into the script, or use the one prebuilt with the application.
-
Hi,
I am new to PfSense, I tried using DNS Blacklist and tried to block, Adult Porn and Online Gaming but I beleive it blocks all sites, if I try accessing any site it redirects to Google. For eg I tried indiatimes.com; yahoo.co; rediff.com and our Company website but it all gets redirected to Google, not sure if I am going wrong somewhere or do I need to work on the scripts. -
Highlighted in RED.
The order for the Rules does not matter.
Unless something has changed drastically, the order is critical as pfsense rules are evaluated from the top down. The first rule in your example would match, and pfsense will handle the packet accordingly. I'm not trying to pick on you, but that's a major nuance of pfsense and m0n0wall.
On a completely different note, when I use the DNS Blacklist with the Adult category selected, www.pandora.com is blocked, even though it is not in the domain list for the adult category as obtained from http://cri.univ-tlse1.fr/blacklists/index_en.php . Any idea as to why this is happening?
Thanks for the great package!