Blocking sites with DNS

SCL

i tried to add "ciao.de", "www.ciao.de", changed the ip to 127.0.0.1, even to my local ip, nothing helped. changing the machine, to see if its not the winbox, i used the debianmachine, no success.

edit: i just added "ciao.de", then tested "nslookup ciao.de" -> response was the real ip, instead of 127.0.0.1

Lyttek

I wrote about this in a different post and can confirm the bug, doing exactly the same thing.

In previous versions, there were two methods of forwarding: by host, and by entire domain.

To block www.yahoo.com for instance:

first method: enter 'www' in the host field, 'yahoo.com' in the domain field, and '0.0.0.0' for the IP (blocked only www.yahoo.com)
second method: enter 'yahoo.com' in domain, '0.0.0.0' for ip.  (This blocked anything on that domain)

With pfsense 1.2, the second method fails.  Only 'host' type forwarding works, returning '0.0.0.0' as the IP.  Using the 'entire domain' method fails, returning the actual public IP.

Don't bother with 'why don't you use X method'… I'm just reporting a bug.

hoba

Did you try adding "yahoo" as host and "com" as domain?

kpa

Address 0.0.0.0 might or might not be interpreted as an alias for localhost (see RFC 1122 section 3.2.1.3) depending on application, I wouldn't trust it to work as a non-valid address here. Use a made up private address or point the queries to a name server that you know to deny recursive queries.

Lyttek

0.0.0.0 had been working, and appears that part at least still does…

by using a previous suggestion of 'yahoo' as host and 'com' as domain, we can block 'yahoo.com' (using 0.0.0.0) but 'www.yahoo.com' still gets through.

sullrich

I would suggest using 127.0.0.1 instead of 0.0.0.0

kpa

With 127.0.0.1 as the nameserver for yahoo.com you'll get this in system log and no blockage:

Apr 10 20:40:48 dnsmasq[94422]: ignoring nameserver 127.0.0.1 - local interface
Apr 10 20:40:48 dnsmasq[94422]: ignoring nameserver 127.0.0.1 - local interface

With 0.0.0.0 there's not even a mention of it in the system logs, most like the entry is silently ignored.

GruensFroeschli

Just set it to an IP in your local subnet you know has nothing running worth connecting to.
I've set the IP to the webconfig of my managed switch.

hoba

You could also set it to a non existing private IP outside your subnet (10.123.234.1 or whatever) and create a firewallrule at interfaces lan to not send it out to the internet (though your isp gateway will drop it's routing anyway as it won't route private IPs).

Lyttek

I had another post that seems to have disappeared… odd...

Anyway, found that if we use a non-existent address (as others have mentioned) such as 192.168.1.0 (I'm using 192.168.1.x network) then domain-level blocking works.

So, 0.0.0.0 works for host-level blocking only, even though it used to work for both.