Blacklist using DNS forwarder (dnsmasq) possible with 2.x.x embedded install?



  • Just setting up my first pfSense box, using the 512MB embedded image on a 512MB CF card.  The box I'm using has 512MB RAM.

    I'm migrating from a linux box which had been using iptables (firewall), dnsmasq (dns fwd), and dhcpd to handle TFTP/PXE booting.

    pfSense looks to work with "next-server" TFTP/PXE booting, firewall is a given :-), but I wanted to know if my blacklist rules (formatted for dnsmasq) can still work on an embedded pfSense install?

    I'm looking to configure a caching only dnsmasq, plus add some blacklist URLs under pfsense.

    Here is my current dnsmasq.conf (from my linux box):

    
    # dnsmasq.conf - terse edition
    
    pid-file=/var/run/dnsmasq.pid
    
    # "nameserver 127.0.0.1" is resolv.conf syntax, not a dnsmasq option;
    # dnsmasq refuses to start on an unknown option, so it is commented out here.
    # (The intent, "make dnsmasq use its own cache", is already the default.)
    #nameserver 127.0.0.1
    cache-size=10000                          # set cache size
    
    domain-needed                             # never forward names without a dot
    
    bogus-priv                                # do not forward private IP reverse lookups
    no-resolv                                 # do not read resolv.conf
    
    server=aaa.bbb.ccc.ddd                    # dns-01
    server=aaa.bbb.ccc.ddd                    # dns-02
    
    local=/foursquare.local/                  # answer this domain locally, never forward
    
    expand-hosts                              # add "domain" to plain hostnames from hosts files
    domain=foursquare.local
    
    # =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    # extra hosts-format files; blacklist entries point ad hosts at a sinkhole
    addn-hosts=/etc/dnsmasq.d/blacklist.txt
    addn-hosts=/etc/dnsmasq.d/ad-block-pgl.yoyo.org.hosts
    
    

    From my understanding, the default configuration for dnsmasq under pfSense consists of command line options, and a properly formatted dnsmasq.conf file will trump any similar command line options.

    The file should be located at: /usr/local/etc/dnsmasq.conf

    I figured we could locate the blacklist.txt and the "ad-block" files somewhere within etc (perhaps a better default)?

    The PID, nameserver, and probably the server= lines can be removed; will any others cause problems to the rest of the config?  Sorry if some of this seems fairly basic.  I'm still working through the quirky differences in the way Slackware and FreeBSD handle their configs (and default file locations)…



  • @renstyle:

    I'm still working through the quirky differences in the way Slackware and FreeBSD handle their configs (and default file locations)…

    pfSense is built on FreeBSD but it is not FreeBSD. In particular, on startup pfSense creates application configuration files from its own single configuration file. Hence there is no point tweaking application configuration files.

    You can add your custom tweaks to the dnsmasq configuration in Services -> DNS Forwarder in the Advanced section but I suspect those tweaks are command line options only, not tweaks to the generated configuration file.



  • dnsmasq thankfully does allow nearly every command line option to be specified in a .conf file, but when I looked at the additional host files I had added at the bottom they did reference a file on the file system (I assumed I could create/maintain these files myself), so I figured by extension the .conf file capability was there also.

    Thanks for the correction on the boot-mindset! :)  I'll test out the addn-hosts= from the custom tweaks and go from there.
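    Since an addn-hosts= file is loaded by dnsmasq verbatim, it is worth cleaning a downloaded blocklist before pointing dnsmasq at it. The script below is an added example for this thread, not code from the original posts, pfSense, or dnsmasq: it takes a hosts-format list such as the pgl.yoyo.org one, drops comments, the localhost/IPv6 boilerplate that must stay local, entries that were not sinkholed in the source list, and malformed hostnames, then rewrites every surviving entry to a single sink address (0.0.0.0 by default, so clients do not try to connect to their own loopback on every blocked name). The sample input is constructed here for illustration; the file path you write the result to, and reference with addn-hosts=, is yours to choose.

```shell
#!/bin/sh
# hosts2blacklist.sh - normalise a hosts-format ad/malware blocklist into a
# file that dnsmasq can load with addn-hosts=.
# Added example for this thread; not pfSense's or dnsmasq's own tooling.

# Address every blocked name resolves to. 0.0.0.0 is "no route" for clients;
# override with SINK_IP=127.0.0.1 if you really want loopback.
SINK_IP="${SINK_IP:-0.0.0.0}"

# normalize_blacklist FILE  ->  cleaned hosts lines on stdout, sorted, unique
normalize_blacklist() {
    awk -v sink="$SINK_IP" '
        { sub(/#.*/, "") }                      # strip comments (re-splits $0)
        NF < 2 { next }                         # blank or IP-only lines
        # keep only entries the source list itself sinkholed; a real IP
        # means the line is not a block rule and must not be copied
        $1 != "127.0.0.1" && $1 != "0.0.0.0" { next }
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                # hosts-file boilerplate that must remain local, never blocked
                if (name ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/) continue
                # RFC 1123 sanity check: dotted labels of [a-z0-9-], no leading/trailing
                # hyphen, at least one dot, total length within the DNS limit
                if (length(name) > 253) continue
                if (name !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/) continue
                if (!(name in seen)) { seen[name] = 1; print sink, name }
            }
        }' "$1" | LC_ALL=C sort -u
}

# count_entries FILE  ->  number of usable block entries
count_entries() {
    normalize_blacklist "$1" | wc -l | tr -d ' '
}

# Constructed sample in the pgl.yoyo.org hosts format (not a real list):
# exercises comments, localhost/IPv6 lines, case, duplicates, and bad names.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed sample blocklist
127.0.0.1 localhost
::1       localhost ip6-localhost
127.0.0.1 ads.example.com    # trailing comment
127.0.0.1 Tracker.Example.NET ads.example.com
0.0.0.0   bad_host.example.com
192.0.2.1 notablocklist.example.com
127.0.0.1 -leadinghyphen.example.com

EOF

# Stand-alone usage: print the cleaned list and a count.
# Expected: "0.0.0.0 ads.example.com" and "0.0.0.0 tracker.example.net", count 2.
normalize_blacklist "$SAMPLE"
echo "entries: $(count_entries "$SAMPLE")"
```

    To use it, redirect the output to a file and add `addn-hosts=/path/to/that/file` to your dnsmasq options (addn-hosts= is a standard dnsmasq option); the script deliberately does not pick a path, because where a writable, persistent location lives on a nanobsd install is exactly the question being worked out in this thread.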



  • @wallabybob:

    pfSense is built on FreeBSD but it is not FreeBSD. In particular, on startup pfSense creates application configuration files from its own single configuration file. Hence there is no point tweaking application configuration files.

    I've been reading up on how nanobsd handles the persistent config, as well as how the configuration files are created.  The more I delve into this, I feel more of my issues are less service/config related and more my unfamiliarity with the nanobsd "way of doing things" with the read-only filesystem, cfg slice, etc.

    I was wanting to use dnsmasq on the firewall box similar to what I had been running on my linux server, specify my home machines directly in a single hosts file on the router and use dnsmasq to offer these names locally, in addition to providing the DNS caching capability that is activated on the command line already.

    This made client-side config simple: (static IP addresses, netmask, and DNS which points to the router).

    It was a more elegant solution in my case than using static-DHCP entries to assign names, DNS, etc., as these machines need static IPs for other uses.



  • @renstyle:

    I was wanting to use dnsmasq on the firewall box similar to what I had been running on my linux server, specify my home machines directly in a single hosts file on the router and use dnsmasq to offer these names locally,

    In the pfSense web GUI: Services -> DNS Forwarder, scroll down to Host Overrides and click on the "+" to add custom DNS entries.



  • Thanks very much for that.  When I read the notes for that option it kept referring to external sites that could be redirected (I assume this is the dominant use/need for this feature), and I totally missed the local-host capability.

    I just did this last night, and it works well! :)

