Force safe search with host overrides
  • I'm running 2.2.6 using Dansguardian for filtering on a home network
    I'd like to force google safesearch and based on what I read, I simply need to resolve all DNS queries for google.com to forcesafesearch.google.com.  Instructions say to use a CNAME, but since pfsense doesn't support CNAMES, I can simply use host overrides to force google.com to resolve to 216.239.38.120
    I first tried this using the Unbound resolver and it didn't seem to work, so I turned off resolver and turned on Forwarder and tried it there.  Still no success as far as I can tell.
    The way I test this is I open a command prompt on a client Windows machine and type "nslookup google.com", and it returns an IP address and also tells me what DNS server it's using.  The server it's using is my pfSense box, but the IP address I get is not the one I've put in the host override list.
    I'd appreciate any help.  There must be something simple I don't understand.
    Is this the best way to do this?  Is my test valid?
  • Can anyone please tell me why host overrides doesn't seem to be working?

    Thanks


  • LAYER 8 Global Moderator

    So if you're creating a host override in the forwarder, then you need to be using the forwarder.  If you're using the resolver then you need to be using the resolver.

    You do understand that if using a proxy your browser doesn't actually do the DNS, the proxy does.  So what is pfSense using for DNS - are you pointing to itself?

    So you're saying when you query www.google.com direct to pfSense it doesn't resolve to that IP?

    So I put a www.google.com override to 1.2.3.4, as you see when I query it - that is what is returned.  See attached.

    Keep in mind that browser and your machine are going to cache DNS for the TTL as well, so if they have already looked up www.google.com, you need to flush their local cache or restart your browser if you're going to point it somewhere else.

    Also unbound does do CNAMEs.. Problem is it's not an authoritative zone, so it's not going to expand that query - you would actually have to query for the CNAME.  If you want to use a CNAME that expands and resolves when you do an A query for that name then you need to run an authoritative server like BIND and create a stub zone for the domain.

    When your client is using actual dns, and you put in the IP for forcesafesearch in an override.. It works - see 3rd attachment

  • Thanks for the great explanation and help.  First thing I did was download dig and use that.  It showed me that it really wasn't using my local box for DNS.  I figured out why and fixed it and now all works well.  I still don't have a good understanding of what it means to have an authoritative vs non-authoritative zone, BIND and stub domain.  I need to find a good place to read up on all of that.  Any suggestions?
    I also implemented what I found here https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense to redirect all DNS queries to my local box.  Initially it did not work, but after I changed 127.0.0.1 to the actual IP of my pfSense box, it works.  Anyone have an explanation for that?  I'm still not completely clear on the path taken by a packet and what order it encounters the NAT, firewall rules etc, and where this 127.0.0.1 fits into that.

    Thanks again for taking the time to help.


  • LAYER 8 Global Moderator

    I am not a fan of redirecting traffic - I would block access to outside DNS, and if they want a working DNS they have to use yours.  This is much better IMHO than redirecting traffic that the user might not know is redirected.

    Authoritative is the name server that actually holds and owns the records for a domain.  Pretty much every other server just asks another recursive server if a forwarder, or if a resolver will end up asking the authoritative server.

    Unless you install the bind package on pfsense, the 2 included with pfsense dnsmasq and unbound are really just recursive caching name servers.  Dnsmasq is just a forwarder, while unbound can be a forwarder or it is better at being a true resolver.

    I.e. it walks down the tree from the root servers until it finds the owning authoritative nameservers for whatever domain you're wanting to look something up in.. i.e. pfsense.org or google.com..

    Here are the authoritative servers for pfsense.org:

    ;; QUESTION SECTION:
    ;pfsense.org.                  IN      NS

    ;; ANSWER SECTION:
    pfsense.org.            300    IN      NS      ns2.pfmechanics.com.
    pfsense.org.            300    IN      NS      ns1.pfmechanics.com.
    pfsense.org.            300    IN      NS      ns3.pfmechanics.com
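The test the thread settles on is "query pfSense directly with dig and read the ANSWER SECTION". Added example, not from the thread or from pfSense: a small Python 3 (standard library only) checker that parses that section in the same format as the dig output above and reports whether google.com ends up at the 216.239.38.120 SafeSearch address the original poster used, following a CNAME only if the server actually expanded one, as the moderator notes an authoritative server would. The sample answers are constructed; 192.0.2.10 is a placeholder for an ordinary Google address.

```python
import re

# Address the original poster used for forcesafesearch.google.com.
SAFESEARCH_IP = "216.239.38.120"
_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")

def parse_answer_section(dig_output):
    """Return (owner, type, rdata) tuples from dig's ';; ANSWER SECTION:'."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";;"):                 # a section header
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        m = _RR.match(line) if in_answer else None
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records

def resolve_chain(records, name):
    """Follow any CNAME chain from `name`; return the set of A addresses reached."""
    name, seen = name.rstrip(".").lower(), set()
    while name not in seen:
        seen.add(name)
        cnames = [r for o, t, r in records if o == name and t == "CNAME"]
        if not cnames:
            return {r for o, t, r in records if o == name and t == "A"}
        name = cnames[0]
    return set()  # CNAME loop: nothing usable

def safesearch_enforced(dig_output, name="google.com", expected=SAFESEARCH_IP):
    """True only when every A answer reached for `name` is the SafeSearch IP."""
    addrs = resolve_chain(parse_answer_section(dig_output), name)
    return bool(addrs) and addrs == {expected}

# Constructed samples of what `dig google.com @<pfsense-ip>` might show.
# OVERRIDE_OK: the host override is in effect.  OVERRIDE_BYPASSED: the
# client got a normal answer (192.0.2.10 stands in for a real Google IP).
OVERRIDE_OK = """;; ANSWER SECTION:
google.com.             3600    IN      A       216.239.38.120
"""
OVERRIDE_BYPASSED = """;; ANSWER SECTION:
google.com.             300     IN      A       192.0.2.10
"""
CNAME_EXPANDED = """;; ANSWER SECTION:
google.com.             300     IN      CNAME   forcesafesearch.google.com.
forcesafesearch.google.com. 300 IN      A       216.239.38.120
"""
```

A forwarder that merely returns the CNAME record without the following A record would leave `resolve_chain` with an empty set, which is exactly the "you would have to query for the CNAME" case the moderator describes.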