DNS Blacklist, New Package! Check it out.
-
Is that package the same as using squid with 0 cache + squidGuard using the urlblacklist.com filter?
-
Not really, but the same concept mainly. We're not using proxies, and are just making hostnames that you don't want allowed on your network to resolve to a specific IP rather than loading a proxy, etc.
So for instance, if you have facebook.com added to the category of denied hosts, then if anyone tried to resolve the aforementioned host name then it would resolve to the IP I currently have set in the config, which is a Google IP. So all requests would be for example like so… http://www.facebook.com/games/mafiawars, would actually load http://www.google.com/games/mafiawars, which would fail, and alert you so.
I do have improvement ideas I'd like to implement in, but I won't be able to submit/commit them until mcrane is ready to do so and currently he has other projects he's working on.
-
As I understand the LAN DNS must be the pfsense DNS forwarder in order to make this package work?
10X for your effort
-
Yes, in order to use this you MUST do 1 of two things…
1: Make sure ALL clients on your LAN have the pfSense Gateway IP as their DNS IP.
2: Set any and all connections that pass through on port 53, to bind back to the router IP on port 53.
-
Is there any sense in doing this, if other DNS Services (OpenDNS) will override the settings on this??
-
In order for OpenDNS, and other DNS Services to work, you need to use their IP Address as your DNS Server IP.
The concept of OpenDNS and DNSBlacklist is about the same except the changes made to DNSBlacklist are local (on the system).
If you run DNS Blacklist, or other DNS Services like OpenDNS you can prevent people from loading other DNS Servers by forcing ALL outbound connections to port 53 to stop at the pfSense box. This way no matter where they try to resolve host names, it will always use the DNS Server on the pfSense box, be that the DNS Forwarder or OpenDNS, etc.
-
How do you specifically prevent people from doing that???
How to in Pfsense???
-
Highlighted in RED.
-
I can't see anything….
-
heh, reload the page. it should show up now.
-
Does it have any effect when in that order???
-
The order for the Rules does not matter.
-
i like the idea of a block list built into pfsense, but i don't like the idea of a pfsense blocklist, if you could just create the interface so that you can make your own lists that would be great.
thanks.
- have not tried the package yet..
-
The next release will contain the ability to create your own black/white-list within the web configuration.
We will also have the ability to let users upload their own compiled blacklists into the script, or use the one prebuilt with the application.
-
Hi,
I am new to PfSense, I tried using DNS Blacklist and tried to block, Adult Porn and Online Gaming but I believe it blocks all sites, if I try accessing any site it redirects to Google. For eg I tried indiatimes.com; yahoo.co; rediff.com and our Company website but it all gets redirected to Google, not sure if I am going wrong somewhere or do I need to work on the scripts.
-
Highlighted in RED.
The order for the Rules does not matter.
Unless something has changed drastically, the order is critical as pfsense rules are evaluated from the top down. The first rule in your example would match, and pfsense will handle the packet accordingly. I'm not trying to pick on you, but that's a major nuance of pfsense and m0n0wall.
On a completely different note, when I use the DNS Blacklist with the Adult category selected, www.pandora.com is blocked, even though it is not in the domain list for the adult category as obtained from http://cri.univ-tlse1.fr/blacklists/index_en.php . Any idea as to why this is happening?
Thanks for the great package!
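-
Added example, not part of the original thread or the package's code: a small first-match evaluator showing why rule order decides whether clients can bypass the firewall's DNS, as raised in the post above. The rules, addresses and names are constructed for illustration (the screenshot referenced in the thread is not available), protocol matching is omitted, and blocking outside port 53 is one assumed way of forcing DNS to the pfSense box.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    dst: str               # destination in CIDR form, or "any"
    port: Optional[int]    # destination port, None means any port
    note: str

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.port is not None and self.port != dst_port:
            return False
        return self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst)


def evaluate(rules, dst_ip, dst_port):
    """Top-down, first match wins; nothing matching means default deny."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.note
    return "block", "implicit default deny"


ROUTER = "192.168.1.1"        # constructed LAN address of the firewall
OUTSIDE_DNS = "203.0.113.53"  # constructed external resolver (TEST-NET-3)

allow_router_dns = Rule("pass", ROUTER + "/32", 53, "DNS to the firewall")
block_other_dns = Rule("block", "any", 53, "DNS to anywhere else")
allow_lan_any = Rule("pass", "any", None, "default allow LAN to any")

# Same three rules, two orders.
good_order = [allow_router_dns, block_other_dns, allow_lan_any]
bad_order = [allow_lan_any, allow_router_dns, block_other_dns]


def dns_bypass_possible(rules) -> bool:
    """True if a LAN client can still reach an outside resolver on port 53."""
    return evaluate(rules, OUTSIDE_DNS, 53)[0] == "pass"


if __name__ == "__main__":
    for name, rules in (("good_order", good_order), ("bad_order", bad_order)):
        print(name, "bypass possible:", dns_bypass_possible(rules))
```

With the broad allow rule first, the DNS block rule is never reached, so the blacklist can be sidestepped by pointing a client at another resolver.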
-
a very small bug i noticed when on the dnsblacklist.php it has no title and when clicking on the pfsense logo it redirects to a 404.
it redirects to https://domain/packages/dnsblacklist/index.php
instead of https://domain/index.php
works great though, thanks
-
So for instance, if you have facebook.com added to the category of denied hosts, then if anyone tried to resolve the aforementioned host name then it would resolve to the IP I currently have set in the config, which is a Google IP.
Hi xa0z. Is there any way to simply return nothing instead of resolving to Google's IP?
-
A very good start, userfriendly. Here are some comments.
- agree with Rezin, or redirect to a configurable error page.
- So is there any LOG showing which URL match which RULES ?
- Once I checked the "Adult", then I cannot visit hk.yahoo.com. I have dug into /usr/local/www/packages/dnsblacklist/blacklists/adult and there is quite a lot of stuff related to yahoo.
-
Hi,
i've installed pfsense yesterday and try DNS Blacklist, but it seems it doesn't block any site.
i've tried from lan and opt1 interface
each time, the only dns for the client is pfsense
dnsblacklist is activated, and i've checked many categories as adult, games, gamble, etc…
but no success
any idea ?
thanks in advance for your help