    DNS Black Hole

    General pfSense Questions
    dryden:

      Hi guys.
      First of all let me congratulate all of the developers and supporters of this wonderful piece of software.

      So my issue is the following. I'm trying to configure a captive portal to use as a wireless hotspot in a bar, but I can't get all the pages to redirect to the login portal. After a little digging I found out that it was due to https, so I thought that the only thing that could solve it was creating a black hole that redirects all the DNS requests and sucks in all the non-authenticated users, and I actually found a guide here: https://doc.pfsense.org/index.php/Creating_a_DNS_Black_Hole_for_Captive_Portal_Clients
      The problem is that the guide doesn't work at all…
      I've tried following the steps, but it keeps pinging the correct sites all the time...

      • The installation: I've tried installing bind from the shell and from the web packages - same result
      • The configuration: the guide says that you have to create a named.conf file in /etc/namedb/ but when you install the bind package the original named.conf is at /cf/named/etc/namedb/ ; having said that, I've tried to put the config in both locations - same result
      • The guide has 2 boxes regarding the named.conf. I'm confused whether I should delete the original and put that in, and if so should I put the 1st box, the second or both... once again I've tried it all with the same result
      • The db.catchall should be configured with the address of the "web server", but what web server are you referring to? Is it the internal address of pfSense (the internal one that shows the captive portal), the external address (that's connected to the router) or the router itself?
      • After installing the Bind service you get a new entry in the web administration tool in Services->Bind Server, should I enable it or not? If I type "named -u bind" in the console is it not the same thing? And if so why isn't the box checked next to "enable bind" in the web interface?
        And why don't I get this bind server menu when I install it from the console?

      Sorry for my many questions, but as I said I'm new to this. Thx in advance

      Supermule:

        Reset states and try again.

        dryden:

          @Supermule:

          Reset states and try again.

          gonna try it.

          dryden:

            @dryden:

            @Supermule:

            Reset states and try again.

            gonna try it.

            no dice. same result

            doktornotor:

              @dryden:

              -After installing the Bind service you get a new entry in the web administration tool in Services->Bind Server, should I enable it or not?

              Eh?! When bind is not running, it won't work… I'd suggest you nuke whatever you have done there, remove bind added by pkg, and install the bind package from System - Packages. Whatever you do, certainly do NOT install bind twice. Horrible idea.

              dryden:

                @doktornotor:

                @dryden:

                -After installing the Bind service you get a new entry in the web administration tool in Services->Bind Server, should I enable it or not?

                Eh?! When bind is not running, it won't work… I'd suggest you nuke whatever you have done there, remove bind added by pkg, and install the bind package from System - Packages. Whatever you do, certainly do NOT install bind twice. Horrible idea.

                I'm trying it all man… this system is all new to me...
                Would you advise me to install bind from the packages in the web interface or from the console?

                dryden:

                  If someone can help me that would be great, as I'm sure that there have been many users with the same issue.
                  I'll put in here as much info as I can in the hope that someone could perhaps clarify this.

                  My pfSense VM has 2 interfaces: LAN (192.168.200.1) and WAN (192.168.11.30); the router that connects to it has the IP 192.168.11.1.

                  So if I understood the guide correctly, I should put a file named db.catchall in the folder /cf/named/etc/namedb/ with the following contents:

                  $TTL    604800
                  @       IN      SOA     . root.localhost. (
                                                1         ; Serial
                                           604800         ; Refresh
                                            86400         ; Retry
                                          2419200         ; Expire
                                           604800 )       ; Negative Cache TTL
                  
                  	IN	NS	.
                  .	IN	A	192.168.200.1
                  *.	IN	A	192.168.200.1
                  

                  and a file named named.conf in the same folder with the following contents:

                  key "rndc-key" {
                   	algorithm hmac-md5;
                   	secret "blablabla";
                   };
                  
                   controls {
                   	inet 127.0.0.1 port 953
                   		allow { 127.0.0.1; } keys { "rndc-key"; };
                   };
                  
                  options {
                  	directory	"/etc/namedb";
                  	pid-file	"/var/run/named/pid";
                  	allow-query	{ any; };
                  	allow-recursion	{ any; };
                  };
                  
                  zone "." {
                  	type master;
                  	file "/etc/namedb/db.catchall";
                  };
                  
                  logging { category default { null; }; };
                  

                  This of course with bind started. After that I'll reset states and in the console I try to start the bind service again: named -u bind
                  and then test any host

                  but the result i get is this:

                  host www.google.com 127.0.0.1
                  Using domain server:
                  Name: 127.0.0.1
                  Address: 127.0.0.1#53
                  Aliases: 
                  
                  www.google.com has address 216.58.211.100
                  

                  WTF am I doing wrong?!
                  I'm about ready to give up and try another system…

                    dryden:

                    so… an update. I found out that when I restart pfsense my custom named.conf file is replaced by the original...

                      doktornotor:

                      Yeah, because when you install bind via pkg, and then install it via GUI, you have two instances killing each other and none of them working properly.

                        dryden:

                        @doktornotor:

                        Yeah, because when you install bind via pkg, and then install it via GUI, you have two instances killing each other and none of them working properly.

                        I haven't got 2 instances. only one… I installed via web gui.

                          doktornotor:

                          When you installed via the GUI, you ONLY can manage the thing via the GUI. Anything else will be lost. The article is NOT usable "as is" for the GUI package.

                            dryden:

                            @doktornotor:

                            When you installed via the GUI, you ONLY can manage the thing via the GUI. Anything else will be lost. The article is NOT usable "as is" for the GUI package.

                            mate I know you're trying to help me out, and I'm thankful, but that's no good.
                            With a new system I've installed bind from the terminal, of course I couldn't use "pkg_add -r ftp:… etc" but I used
                            "pkg" to install it, then "pkg update" and finally "pkg install bind99", after that i created the folder tree "/etc/namedb/" and put the configuration files in it, started bind "named -u bind" and.......

                            nothing... still resolves the dns as if i did nothing at all...

                              doktornotor:

                              You just told me that you installed via the GUI!!! Argh.

                                dryden:

                                @doktornotor:

                                You just told me that you installed via the GUI!!! Argh.

                                I've done it every way… I've cloned the VM so I can start over every time.
                                I've tried a system with bind installation via gui, another via terminal, another with the terminal 1st and then gui, another with gui and then terminal... you name it and I've tried it...

                                  doktornotor:

                                  Dude. Pick ONE way. Debug it. Post your problems and findings (like, is bind running, can you query it, what do the queries return, logs.)

                                  This chaos leads nowhere.

                                    dryden:

                                    @doktornotor:

                                    Dude. Pick ONE way. Debug it. Post your problems and findings (like, is bind running, can you query it, what do the queries return, logs.)

                                    This chaos leads nowhere.

                                    Well, when I install it from the console I think it is not working. I get no response when I start it ("named -u bind") but I guess that's normal, but if I try to kill it ("killall -9 bind") I get "no matching processes were found" so… maybe it's not running?!

                                    Once again this is all new to me, so forgive me if these are all newb questions...

                                      doktornotor:

                                      1/ Output of

                                      ps ax | egrep "unbound|dnsmasq|named"

                                      2/ Output of

                                      netstat -an | grep .53

                                        dryden:

                                        @doktornotor:

                                        1/ Output of

                                        ps ax | egrep "unbound|dnsmasq|named"

                                        2/ Output of

                                        netstat -an | grep .53

                                        $ ps ax | egrep "unbound|dnsmasq|named"
                                        25106  -  Is     0:00.14 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
                                        26609  -  S      0:00.00 sh -c ps ax | egrep "unbound|dnsmasq|named" 2>&1
                                        26881  -  R      0:00.00 egrep unbound|dnsmasq|named
                                        51024  -  Is     0:00.04 named -u bind
                                        51372  -  Is     0:00.04 named -u bind
                                        71067  -  Is     0:00.04 named -u bind
                                        
                                        
                                        $ netstat -an | grep .53
                                        tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
                                        tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
                                        tcp6       0      0 *.53                   *.*                    LISTEN
                                        tcp4       0      0 *.53                   *.*                    LISTEN
                                        udp4       0      0 127.0.0.1.53           *.*                    
                                        udp6       0      0 *.53                   *.*                    
                                        udp4       0      0 *.53                   *.*                    
                                        c4830560 stream      0      0 c53526a8        0        0        0 /tmp/php-fastcgi-hotspot_portal.socket-2
                                        c48306b8 stream      0      0 c53527c4        0        0        0 /tmp/php-fastcgi-hotspot_portal.socket-1
                                        c4830810 stream      0      0 c53376a8        0        0        0 /tmp/php-fastcgi-hotspot_portal.socket-0
                                        c4831204 dgram       0      0 c539f000        0 c4830e1c        0 /var/dhcpd/var/run/log
                                        c4831408 dgram       0      0 c539f238        0 c4831000        0 /var/run/logpriv
                                        c483135c dgram       0      0 c539f354        0        0        0 /var/run/log
                                        

                                        I can't make sense of any of it…

                                          doktornotor:
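As an added example (not code from the thread or from pfSense), a small Python script that reads the `ps ax` and `netstat -an` output posted above and reports what it reveals: more than one DNS daemon running, several copies of named, and udp/53 held by more than one listener, so a catch-all zone loaded into one named instance is not necessarily what a client on 127.0.0.1 reaches. The sample strings are copied from the output posted in this thread.

```python
from collections import Counter

# Constructed sample input: the diagnostic output posted in this thread.
PS_OUTPUT = """\
25106  -  Is     0:00.14 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
26881  -  R      0:00.00 egrep unbound|dnsmasq|named
51024  -  Is     0:00.04 named -u bind
51372  -  Is     0:00.04 named -u bind
71067  -  Is     0:00.04 named -u bind
"""
NETSTAT_OUTPUT = """\
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 *.53                   *.*
udp4       0      0 *.53                   *.*
"""
DNS_DAEMONS = ("unbound", "dnsmasq", "named")

def dns_daemons(ps_text):
    """Count DNS daemon processes; the egrep of the pipeline itself is skipped."""
    counts = Counter()
    for line in ps_text.splitlines():
        fields = line.split(None, 4)          # PID TT STAT TIME COMMAND
        if len(fields) == 5:
            exe = fields[4].split()[0].rsplit("/", 1)[-1]
            if exe in DNS_DAEMONS:
                counts[exe] += 1
    return counts

def port53_listeners(netstat_text):
    """Return {(proto, local host)} for every socket bound to port 53."""
    socks = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith(("tcp", "udp")):
            host, _, port = fields[3].rpartition(".")   # BSD style: host.port
            if port == "53":
                socks.add((fields[0], host))
    return socks

def diagnose(ps_text, netstat_text):
    """List the reasons a catch-all zone in one named instance may never be consulted."""
    daemons, socks = dns_daemons(ps_text), port53_listeners(netstat_text)
    findings = []
    if len(daemons) > 1:
        findings.append("several DNS daemons running: " + ", ".join(sorted(daemons)))
    findings += [f"{n} copies of {d} running" for d, n in sorted(daemons.items()) if n > 1]
    # A specific-address socket and a wildcard socket on udp/53 are two separate listeners;
    # a query to 127.0.0.1 reaches the most specific match, not a particular daemon.
    udp_hosts = {h for p, h in socks if p.startswith("udp")}
    if len(udp_hosts) > 1:
        findings.append("udp/53 bound by more than one listener: " + ", ".join(sorted(udp_hosts)))
    return findings
```

Run `diagnose(PS_OUTPUT, NETSTAT_OUTPUT)` to get the three findings; the same functions accept live output captured from the two commands doktornotor asked for.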

                                          You need to disable the DNS Resolver. Otherwise it will never work.

                                            dryden:

                                            @doktornotor:

                                            You need to disable the DNS Resolver. Otherwise it will never work.

                                            I've tried that, but when I do it, not only does the DNS still resolve to the correct sites, but I lose access to the web GUI.
