DNS Blackhole

  • Moderator

    Are there options to configure a DNS Blackhole with any of the pfSense packages? Preferably not Squid.


    EDIT: I guess this could be done with DNS Forwarders and using an "Alias" pointing Malicious URLs to

  • LAYER 8 Global Moderator

    You could probably install the bind package to accomplish this very easily, where you could maintain the listing vs. creating host or domain overrides in the forwarder.

    I would think maybe pfBlocker would allow you to block what you want to block via lists more easily than a DNS blackhole, which is not really a block - it just prevents resolution.  But if the client is using an IP or a different DNS, the blackhole is less than effective, etc.

  • Moderator

    I already do Blocking by IP but I would like to add URL blocking also.

    The "DNS Forwarder" doesn't let the Alias populate from a file. The only way would be to edit the /etc/hosts file and add Blackholes to a list of Malicious IPs from something like malwaredomains or phishtank.

    Not sure how many hosts it can hold reasonably? And I guess it would need a [ dnsmasq restart ] once the hosts are edited at an update frequency?

    Bind is on its way out, wouldn't unbound be better suited for the long haul?

    If it can be done with the Builtin DNS Forwarder it would be preferable.

    I don't mind writing a script to collect the URLs and repopulate the hosts file and restarting it…

  • BIND is definitely not "on its way" out, it's just a major overkill for a recursive caching DNS resolver if you don't need to have an authoritative server at the same time. FreeBSD 10 already defaults to having unbound in base and I think that's what you will see in pfSense 2.2 as well.

    Unbound has the capability to include configuration settings and local data entries from files. I'd guess we will see options in the webgui for those if they aren't already there.

  • Moderator

    Thanks kpa,

    I have an Internal MS AD/DNS Server which has its forwarders pointed to my ISP. So I would like to implement a lightweight URL Blocking implementation in pfSense and then off to my ISP.

    Do you think DNSmasq is sufficient? Or should I look at unbound?

    ps - I have read a little about Bind being bloated and having a lot of potential security issues. An article I read states that most of FreeBSD's updates were due to that package? Just regurgitating what the article stated.


  • LAYER 8 Global Moderator

    Bind is clearly not on the way out that is for sure ;)

    You asked what package can do it other than squid - bind is a package for pfSense, and can easily do a DNS blackhole setup.  You're just becoming authoritative for whatever domains you want to blackhole.

    Why not just do it on your MS DNS, so you cut out a hop in your queries?  Just make MS DNS authoritative for whatever domains you want to BH. There are ways of preloading domains in MS DNS.

    Blocking resolution of a domain is not a very effective solution in my personal opinion - if you want to block URL-based stuff, then why not just use a proxy, and only allow the proxy out of your network.  This is far better protection for your clients than just a DNS blackhole.
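  • The three approaches this thread circles (a hosts list fed to dnsmasq, unbound local data loaded from a file, and BIND "becoming authoritative" for the blackholed domains) all reduce to the same job: take a domain feed, sanitize it, and emit the resolver's own blackhole syntax. The POSIX sh script below is an added example and is not code from this thread, from pfSense, or from any of the resolvers; the sample feed is constructed, the sinkhole address 0.0.0.0 is a choice, and the BIND zone file name blackhole.zone is a placeholder. The validation step is the part that matters for security: feed lines get spliced into a config file, so a quote, semicolon or space in an entry must be dropped before it can become config syntax.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: turn a plain domain
# blocklist into "blackhole" resolver configuration for unbound, dnsmasq and
# BIND. Assumptions: the feed is one domain per line with '#' comments; the
# sinkhole address (0.0.0.0 here) is a choice, any unrouted address will do;
# "blackhole.zone" is a hypothetical BIND zone file name.

SINKHOLE_IP="${SINKHOLE_IP:-0.0.0.0}"

# Constructed sample feed for a stand-alone run (not a real blocklist).
SAMPLE_LIST='# constructed sample feed
Malicious.Example.COM
malicious.example.com.
bad-host.example.net
not a domain!
tracker.example.org
'

# normalize_domains: blocklist on stdin -> one clean, unique domain per line.
# Strips comments, whitespace and trailing dots, lowercases, and drops anything
# that is not a syntactically valid hostname. This is the security step: the
# output is spliced into resolver config, so a quote, semicolon or space in a
# feed entry must never reach the config file as syntax.
normalize_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
        tr '[:upper:]' '[:lower:]' |
        grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' |
        sort -u
}

# to_unbound: a "redirect" local-zone answers the name and every subdomain
# with the local-data record, so two lines sink the whole domain tree.
to_unbound() {
    while IFS= read -r d; do
        printf 'local-zone: "%s" redirect\n' "$d"
        printf 'local-data: "%s A %s"\n' "$d" "$SINKHOLE_IP"
    done
}

# to_dnsmasq: address=/domain/ip likewise matches the domain and all subdomains.
to_dnsmasq() {
    while IFS= read -r d; do
        printf 'address=/%s/%s\n' "$d" "$SINKHOLE_IP"
    done
}

# to_bind: the "become authoritative" approach; every domain points at one
# shared zone file whose '@' and '*' A records carry the sinkhole address.
to_bind() {
    while IFS= read -r d; do
        printf 'zone "%s" { type master; file "blackhole.zone"; };\n' "$d"
    done
}

# generate FORMAT: normalized domains on stdin -> config lines on stdout.
generate() {
    case "$1" in
        unbound) to_unbound ;;
        dnsmasq) to_dnsmasq ;;
        bind)    to_bind ;;
        *) echo "usage: generate unbound|dnsmasq|bind" >&2; return 1 ;;
    esac
}

# load_feed [FILE]: normalized domains from FILE, or from the sample if empty.
load_feed() {
    if [ -n "${1:-}" ]; then
        normalize_domains < "$1"
    else
        printf '%s' "$SAMPLE_LIST" | normalize_domains
    fi
}

# Usage: sh blackhole.sh unbound|dnsmasq|bind [feed-file]
case "${1:-}" in
    unbound|dnsmasq|bind) load_feed "${2:-}" | generate "$1" ;;
esac
```

    Where the output goes is outside the thread and an assumption here: unbound has an include: directive, so the generated lines can live in their own file and be picked up with unbound-control reload; dnsmasq re-reads hosts files on SIGHUP but not address= lines from its config, so that variant needs a restart, as the earlier post guessed. On pfSense either daemon is normally restarted through its own service controls rather than by hand.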
