Blocking sites with DNS
-
Guess I'll wait for the next version then.
-
What do you think is gonna change in the next version in regard to DNS resolution or blacklist handling?
-
You will be able to use hostnames in hostsaliases which will be frequently checked for changes. If a change is detected the filter will be reloaded to update the IPs in the alias. I think Scott already has some code for this in RELENG_1 iirc.
-
Cool! That's gonna make some fancy stuff.
But Releng to release is still a looong way to go, I'm afraid. -
There is one more thing to keep in mind when using this kind of blocking. If x.com is hosted on the same IP like y.com and you want to block x.com it will block y.com as well as it blocks the IP that got resolved.
-
Really the point of doing it at the DNS level is that it doesn't matter if a sites IP changes, or if it is shared with another site. The DNS Forwarder just sees "doubleclick.net" and returns 127.0.0.1.
-
You can already do it this way, however then you have to make sure your clients can't manually use exrternal DNS-Servers but firewallrules will help you with that as well.
-
Well I don't really care if they use external DNS servers because it's only ad-blocking, a nice extra if they go for DHCP. It's just a shame there is no way to bulk-add domains, but at least I get can the most common ones.
-
firefox and "adblock plus" ;)
-
DNS blocking is one of the options that OpenDNS provides.
Steps
1. Point your DNS to OpenDNS's DNS servers.
2. Sign up for a free account.
3. Define your IP or use DNS-O-Matic to keep dynamic IPs in synch.
4. Choose what you want to have blocked.For more details go to:
http://forum.pfsense.org/index.php/topic,2703.msg44709.html#msg44709 -
OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…
-
OpenDNS looks interesting, except their stupid advertising on unknown domains. Maybe I could write a rule to block that…
They gotta pay the bills somehow.. I imagine they use some bandwidth..
-
i just upgraded from 1.01 to 1.2 (new install with liveCD on a p3 with 3 nic's) and domainoverwrite doesn't seem to work : i entered ciao.de and "mapped" it to 0.0.0.0 -> flushed the (win)client dnscache with ipconfig /flushdns, then nslookup ciao.de, pfsense returns the real ip instead of 0.0.0.0/n/A. any ideas to solve this ? 1.01 worked!
-
I'm not sure if 0.0.0.0 is a completely valid address. Try something like 127.0.0.1 and see if that makes any difference.
-
Not sure if you literally showed us what you tested but in case you tried to resolve "www.ciao.de" and only entered a mapping for "ciao.de" the behaviour is correct. Don't forget to add a "www.ciao.de" mapping as well to make sure both names are sent to 127.0.0.1.
-
i tried to add "ciao.de", "www.ciao.de", changed the ip to 127.0.0.1, even to my local ip, nothing helped. changing the machine, to see if its not the winbox, i used the debianmachine, no success.
edit: i just added "ciao.de", then tested "nslookup ciao.de" -> response was the real ip, instead of 127.0.0.1
-
I wrote about this in a different post and can confirm the bug, doing exactly the same thing.
In previous versions, there were two methods of forwarding: by host, and by entire domain.
To block www.yahoo.com for instance:
first method: enter 'www' in the host field, 'yahoo.com' in the domain field, and '0.0.0.0' for the IP (blocked only www.yahoo.com)
second method: enter 'yahoo.com' in domain, '0.0.0.0' for ip. (This blocked anything on that domain)With pfsense 1.2, the second method fails. Only 'host' type forwarding works, returning '0.0.0.0' as the IP. Using the 'entire domain' method fails, returning the actual public IP.
Don't bother with 'why don't you use X method'… I'm just reporting a bug.
-
Did you try adding "yahoo" as host and "com" as domain?
-
Address 0.0.0.0 might or might not be interpreted as an alias for localhost (see RFC 1122 section 3.2.1.3) depending on application, I wouldn't trust it to work as a non-valid address here. Use a made up private address or point the queries to a name server that you know to deny recursive queries.
-
0.0.0.0 had been working, and appears that part at least still does…
by using a previous suggestion of 'yahoo' as host and 'com' as domain, we can block 'yahoo.com' (using 0.0.0.0) but 'www.yahoo.com' still gets through.
