Force safe search with host overrides

  • I'm running 2.2.6 using DansGuardian for filtering on a home network.
    I'd like to force Google SafeSearch, and based on what I read, I simply need to resolve all DNS queries for to . Instructions say to use a CNAME, but since pfSense doesn't support CNAMEs, I can simply use host overrides to force to resolve to .
    I first tried this using the Unbound resolver and it didn't seem to work, so I turned off the resolver and turned on the forwarder and tried it there.  Still no success as far as I can tell.
    The way I test this is I open a command prompt on a client Windows machine and type "nslookup" and it returns an IP address and also tells me what DNS server it's using.  The server it's using is my pfSense box, but the IP address I get is not the one I've put in the host override list.
    I'd appreciate any help.  There must be something simple I don't understand.
    Is this the best way to do this?  Is my test valid?

  • Can anyone please tell me why host overrides don't seem to be working?


  • LAYER 8 Global Moderator

    So if you're creating a host override in the forwarder, then you need to be using the forwarder.  If you're using the resolver, then you need to be using the resolver.

    You do understand that if using a proxy your browser doesn't actually do the DNS, the proxy does.  So what is pfSense using for DNS - are you pointing to itself?

    So you're saying when you query directly to pfSense it doesn't resolve to that IP?

    So I put an override to , as you see when I query it - that is what is returned.  See attached.

    Keep in mind that your browser and your machine are going to cache DNS for the TTL as well, so if they have already looked up , you need to flush their local cache or restart your browser if you're going to point it somewhere else.

    Also unbound does do CNAMEs.. Problem is it's not an authoritative zone, so it's not going to expand that query - you would actually have to query for the CNAME.  If you want to use a CNAME that expands and resolves when you do an A query for that name, then you need to run an authoritative server like BIND and create a stub zone for the domain.

    When your client is using actual DNS, and you put in the IP for forcesafesearch in an override.. it works - see the 3rd attachment.
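
    As an added example (not code from this thread, from pfSense or from Netgate), the script below automates the test the poster describes: it parses Windows nslookup output and reports whether the client actually asked the pfSense box and whether the answer is the override address. The pfSense LAN address, the override address and the sample output are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholders (not from the thread): the pfSense LAN address and the
# address the host override is meant to return for the filtered name.
PFSENSE_IP = "192.168.1.1"
OVERRIDE_IP = "203.0.113.10"
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")  # the override is an A record

@dataclass
class LookupResult:
    server: Optional[str]                 # resolver that answered (Address: under Server:)
    answers: List[str] = field(default_factory=list)  # A records returned for the name
    authoritative: bool = True            # False if "Non-authoritative answer:" was printed

def parse_nslookup(output: str) -> LookupResult:
    """Parse Windows nslookup output: which server answered and what it returned."""
    result, in_answer = LookupResult(server=None), False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            in_answer = False
        elif line.startswith("Address") and result.server is None and not in_answer:
            m = IPV4_RE.search(line)          # first Address: line is the answering resolver
            result.server = m.group(0) if m else None
        elif line.startswith("Non-authoritative answer"):
            result.authoritative = False      # reply came from cache/recursion, not own zone data
        elif line.startswith("Name:"):
            in_answer = True
        elif in_answer:
            result.answers.extend(IPV4_RE.findall(line))  # handles "Address:" and "Addresses:"
    return result

def triage(result: LookupResult) -> str:
    """Map the test to the failure modes raised in the thread."""
    if result.server != PFSENSE_IP:
        return "bypass"       # another server answered; pfSense never saw the query
    if OVERRIDE_IP not in result.answers:
        return "no-override"  # pfSense answered, but not from the override (wrong service or cache)
    return "ok"

# Constructed sample mirroring the thread: the client was really asking an outside server.
SAMPLE = ("Server:  dns.google\nAddress:  8.8.8.8\n\nNon-authoritative answer:\n"
          "Name:    www.example.com\nAddress:  198.51.100.7\n")

if __name__ == "__main__":
    print(triage(parse_nslookup(SAMPLE)))  # bypass
```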

  • Thanks for the great explanation and help.  First thing I did was download dig and use that.  It showed me that it really wasn't using my local box for DNS.  I figured out why and fixed it and now all works well.  I still don't have a good understanding of what it means to have an authoritative vs non-authoritative zone, BIND and stub domain.  I need to find a good place to read up on all of that.  Any suggestions?
    I also implemented what I found here to redirect all DNS queries to my local box.  Initially it did not work, but after I changed to the actual IP of my pfSense box, it works.  Anyone have an explanation for that?  I'm still not completely clear on the path taken by a packet and what order it encounters the NAT, firewall rules, etc., and where this fits into that.

    Thanks again for taking the time to help.

  • LAYER 8 Global Moderator

    I am not a fan of redirecting traffic - I would block access to outside DNS, and if they want working DNS they have to use yours.  This is much better IMHO than redirecting traffic that the user might not know is redirected.

    Authoritative is the name server that actually holds and owns the records for a domain.  Pretty much every other server just asks another recursive server if it's a forwarder, or if it's a resolver will end up asking the authoritative server.

    Unless you install the bind package on pfSense, the 2 included with pfSense, dnsmasq and unbound, are really just recursive caching name servers.  Dnsmasq is just a forwarder, while unbound can be a forwarder or, what it is better at, a true resolver.

    I.e. it walks down the tree from the root servers until it finds the owning authoritative nameservers for whatever domain you're wanting to look something up in.. i.e. or

    Here are the authoritative servers for

    ;                  IN      NS

    ;; ANSWER SECTION:
                300    IN      NS
                300    IN      NS
                300    IN      NS
