Blocking sites with DNS



  • Is there an easy way to block multiple sites with DNS?

    Presumably if I set up DHCP to use the DNS Forwarder, and then add domains I want to block with an IP address of 127.0.0.1 (or maybe the router's IP address) that should block them for DHCP users. Of course anyone using manual DNS settings will still see them, but it's only for ad-blocking.

    The issue I have is that I want to add a lot of domains (using a hosts.txt file from http://www.mvps.org/winhelp2002/hosts.htm) and don't want to have to enter them one at a time. Is there a way to bulk add them?



  • Why don't you install squid and put the list in the Access Control Blacklist?
    That's one of the ways it should be done. Fiddling with the DNS resolution really isn't.



  • Could go that way I guess. I just wanted to see if I could do it without the overhead of a proxy.



  • Well, you "could" resolve all the names to IPs and then create an alias which contains all these IPs and make a block rule with these IPs as destination.

    But this seems to be a bit of work.
    Also if the IP of a name changes…



  • You even can use hostnames in the hostaliases. The only "glitch" when doing this is that the hostnames are only resolved once on filterreloads and I think it won't work for hosts that resolve to multiple IPs. You will see a better solution for this in the next version so for now use it at your own risk.



  • Guess I'll wait for the next version then.



  • What do you think is gonna change in the next version in regard to DNS resolution or blacklist handling?



  • You will be able to use hostnames in hostsaliases which will be frequently checked for changes. If a change is detected the filter will be reloaded to update the IPs in the alias. I think Scott already has some code for this in RELENG_1 iirc.



  • Cool! That's gonna make some fancy stuff.
    But Releng to release is still a looong way to go, I'm afraid.



  • There is one more thing to keep in mind when using this kind of blocking. If x.com is hosted on the same IP like y.com and you want to block x.com it will block y.com as well as it blocks the IP that got resolved.



  • Really the point of doing it at the DNS level is that it doesn't matter if a site's IP changes, or if it is shared with another site. The DNS Forwarder just sees "doubleclick.net" and returns 127.0.0.1.



  • You can already do it this way, however then you have to make sure your clients can't manually use external DNS servers, but firewall rules will help you with that as well.



  • Well I don't really care if they use external DNS servers because it's only ad-blocking, a nice extra if they go for DHCP. It's just a shame there is no way to bulk-add domains, but at least I can get the most common ones.



  • firefox and "adblock plus" ;)



  • DNS blocking is one of the options that OpenDNS provides.
    Steps
    1. Point your DNS to OpenDNS's DNS servers.
    2. Sign up for a free account.
    3. Define your IP or use DNS-O-Matic to keep dynamic IPs in synch.
    4. Choose what you want to have blocked.

    For more details go to:
    http://forum.pfsense.org/index.php/topic,2703.msg44709.html#msg44709



  • OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…



  • @mojo-chan:

    OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…

    They gotta pay the bills somehow..  I imagine they use some bandwidth..



  • I just upgraded from 1.01 to 1.2 (new install with liveCD on a P3 with 3 NICs) and domainoverwrite doesn't seem to work: I entered ciao.de and "mapped" it to 0.0.0.0 -> flushed the (win)client dnscache with ipconfig /flushdns, then nslookup ciao.de, pfsense returns the real ip instead of 0.0.0.0/n/A. Any ideas to solve this? 1.01 worked!



  • I'm not sure if 0.0.0.0 is a completely valid address. Try something like 127.0.0.1 and see if that makes any difference.



  • Not sure if you literally showed us what you tested but in case you tried to resolve "www.ciao.de" and only entered a mapping for "ciao.de" the behaviour is correct. Don't forget to add a "www.ciao.de" mapping as well to make sure both names are sent to 127.0.0.1.



  • I tried to add "ciao.de", "www.ciao.de", changed the IP to 127.0.0.1, even to my local IP, nothing helped. Changing the machine, to see if it's not the winbox, I used the Debian machine, no success.

    Edit: I just added "ciao.de", then tested "nslookup ciao.de" -> response was the real IP, instead of 127.0.0.1



  • I wrote about this in a different post and can confirm the bug, doing exactly the same thing.

    In previous versions, there were two methods of forwarding: by host, and by entire domain.

    To block www.yahoo.com for instance:

    first method: enter 'www' in the host field, 'yahoo.com' in the domain field, and '0.0.0.0' for the IP (blocked only www.yahoo.com)
    second method: enter 'yahoo.com' in domain, '0.0.0.0' for ip.  (This blocked anything on that domain)

    With pfsense 1.2, the second method fails.  Only 'host' type forwarding works, returning '0.0.0.0' as the IP.  Using the 'entire domain' method fails, returning the actual public IP.

    Don't bother with 'why don't you use X method'… I'm just reporting a bug.



  • Did you try adding "yahoo" as host and "com" as domain?



  • Address 0.0.0.0 might or might not be interpreted as an alias for localhost (see RFC 1122 section 3.2.1.3) depending on application, I wouldn't trust it to work as a non-valid address here. Use a made up private address or point the queries to a name server that you know to deny recursive queries.



  • 0.0.0.0 had been working, and appears that part at least still does…

    by using a previous suggestion of 'yahoo' as host and 'com' as domain, we can block 'yahoo.com' (using 0.0.0.0) but 'www.yahoo.com' still gets through.



  • I would suggest using 127.0.0.1 instead of 0.0.0.0



  • With 127.0.0.1 as the nameserver for yahoo.com you'll get this in system log and no blockage:

    Apr 10 20:40:48 dnsmasq[94422]: ignoring nameserver 127.0.0.1 - local interface
    Apr 10 20:40:48 dnsmasq[94422]: ignoring nameserver 127.0.0.1 - local interface

    With 0.0.0.0 there's not even a mention of it in the system logs, most likely the entry is silently ignored.



  • Just set it to an IP in your local subnet you know has nothing running worth connecting to.
    I've set the IP to the webconfig of my managed switch.



  • You could also set it to a non-existent private IP outside your subnet (10.123.234.1 or whatever) and create a firewall rule at interfaces LAN to not send it out to the internet (though your ISP gateway will drop its routing anyway as it won't route private IPs).



  • I had another post that seems to have disappeared… odd...

    Anyway, found that if we use a non-existent address (as others have mentioned) such as 192.168.1.0 (I'm using 192.168.1.x network) then domain-level blocking works.

    So, 0.0.0.0 works for host-level blocking only, even though it used to work for both.
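
An added example, not part of any post in the thread: a Python sketch for the bulk-add question, turning a hosts-format blocklist into dnsmasq `address=/domain/ip` lines (dnsmasq is the resolver named in the log lines above), which cover a name and its subdomains. The function names, the sample entries and the default sink 192.168.1.0 (the non-existent address the last post reports working) are assumptions; how the output is loaded into pfSense is not covered by the thread.

```python
import ipaddress
import re

SAMPLE_HOSTS = """\
# constructed sample in hosts-file layout, not the real MVPS list
127.0.0.1  localhost
127.0.0.1  ads.example.com
0.0.0.0    tracker.example.net   # inline comment
127.0.0.1  ADS.example.com
127.0.0.1  bad_host/x.example.org
0.0.0.0    www.ads.example.com
"""
# One DNS label: letters, digits, hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return the sorted, de-duplicated, syntactically valid names in a hosts file."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments, split on whitespace
        for name in fields[1:]:  # fields[0] is the address column, which is ignored
            name = name.lower().rstrip(".")
            labels = name.split(".")
            # Untrusted list: keep only plain multi-label names so no config syntax slips in.
            if name in SKIP or len(labels) < 2 or len(name) > 253:
                continue
            if all(LABEL.match(label) for label in labels):
                names.add(name)
    return sorted(names)


def drop_covered(names):
    """Remove names whose parent domain is also listed (the parent entry covers them)."""
    have = set(names)
    def covered(name):
        parts = name.split(".")
        return any(".".join(parts[i:]) in have for i in range(1, len(parts) - 1))
    return [n for n in names if not covered(n)]


def dnsmasq_lines(names, sink="192.168.1.0"):
    """Emit address=/name/sink lines; dnsmasq applies each to the name and its subdomains."""
    sink = str(ipaddress.ip_address(sink))  # raises ValueError on a malformed sink
    return [f"address=/{n}/{sink}" for n in drop_covered(names)]

if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(parse_hosts(SAMPLE_HOSTS))))
```

For host-level entries only, write the output of `parse_hosts` back out as hosts-file lines with the sink address instead of calling `dnsmasq_lines`.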

