How do I keep a list of all domains and IPs that go through a pfSense gateway?



  • I want to connect my desktop to a machine running pfSense, and have pfSense keep a list of all domains or IP addresses that the desktop tries to communicate with. Duplicates are not a problem; I can sort them out with uniq.

    I've attempted to make a packet capture from Diagnostics -> Packet Capture, but the results I'm getting on that list are not helping. There are no hosts in there, and I did try to ping google.com.

    For now, I'm running this as a test inside VMs (to make sure it works before I go and purchase a refurbished PC to install pfSense in it) but I don't think this changes the essence of things.

    So how do I do that?

    As to why I want to do that, I think it deserves a mention in this topic.

    I want to block the Windows 10 telemetry stuff. And so I plan to connect my desktop to a pfSense gateway (which itself will NOT be connected to the Internet) and operate the Windows 10 machine in offline mode for a week. Then I'll grab the list of domains and IPs that Windows 10 tried to contact, and block those with pfBlockerNG.

    I have already found a list of hosts that people recommend to block. But I would like to go through the process myself.

    And yes, I know that I can install Wireshark on Windows 10 but the little paranoid in me says that since the OS is actively sabotaging the hosts file when trying to block telemetry domains, it could also attempt to pass the telemetry connection under the packet sniffer radar.



  • You could create a manual Allow All rule on LAN with logging enabled.  Logs would be large though, so you would likely need an external log server to make sure you got it all.  I'm guessing here as I've never needed to log everything.

    As for MS Telemetry, get a list of IP addresses used for MS telemetry, create an alias, add the IPs to the alias and then block access to the destination alias via LAN rule.



  • The firewall VM has a 1GB disk (that's not a lot but seems plenty for logging). The physical firewall machine will have a 150GB disk. Isn't that enough to keep the logs inside the machine itself? I would rather not set up an external log server. I would rather not mess with yet one more thing!

    Also, I didn't understand how to do an "Allow all" rule on LAN. Where do I need to go in the web UI?



  • @swapjim:

    The firewall VM has a 1GB disk (that's not a lot but seems plenty for logging). The physical firewall machine will have a 150GB disk. Isn't that enough to keep the logs inside the machine itself? I would rather not set up an external log server. I would rather not mess with yet one more thing!

    Also, I didn't understand how to do an "Allow all" rule on LAN. Where do I need to go in the web UI?

    Firewall, Rules, select the LAN interface tab, click the + on the right hand side that says add a rule.  Make it a pass rule, source/dest any; there should be a checkbox for "log" on the page somewhere.



  • @mer:

    Firewall, Rules, select the LAN interface tab, click the + on the right hand side that says add a rule.  Make it a pass rule, source/dest any; there should be a checkbox for "log" on the page somewhere.

    I managed to do that, but all I got was DNS requests from the desktop VM to the pfSense gateway VM on UDP 53.

    Is there a way to get a list of the resolve requests? Some kind of DNS requests logging?

    For example, if I try to ping google.com, facebook.com, and yahoo.com, it would give me a list of the 3 domains I tried to ping. The port and protocol are not important for this task, although I would be curious to look at that too.



  • DNS uses TCP/UDP 53.  Log both.


  • So you just want to log your DNS requests and what they were resolved to?

    You do understand that once a client resolves something, let's say www.facebook.com, it doesn't have to look that up again until the TTL expires, etc.

    https://doc.pfsense.org/index.php/DNS_Forwarder_Troubleshooting

    You can log DNS requests and who made them… Is that what you're looking for?



  • @johnpoz:

    You do understand that once a client resolves something, let's say www.facebook.com, it doesn't have to look that up again until the TTL expires, etc.

    Yes, I understand that. But the OS (Windows 10) will never have the chance to cache a DNS request. I will install the OS with the Ethernet cable unplugged and when installation finishes, I'll connect the W10 machine to a pfSense machine that's not otherwise connected to the Internet. And I'll log all DNS requests for a week. Then I'll block all domains that W10 tried to contact.

    @johnpoz:

    You can log DNS requests and who made them… Is that what you're looking for?

    Yes! That is exactly what I'm looking for. Your advice did it. The "raw" log file is /var/log/resolver.log, so I can parse that with grep and get the list I'm looking for.

    Thanks johnpoz, KOM, mer.

    Btw, where is the log file for the Forwarder?
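    As an added example (not from any poster in this thread), here is one way to turn /var/log/resolver.log into the unique list of names each client asked for. It assumes query logging is enabled in the DNS Resolver (unbound's log-queries) and that query lines have the shape `... unbound: [pid:tid] info: <client-ip> <qname>. <qtype> <qclass>`; the sample log below is constructed, not captured data.

```shell
#!/bin/sh
# Added example, not part of the thread. Parses pfSense's resolver.log (unbound)
# and prints which client asked for which domain. Assumed query-line format:
#   <syslog date> <host> unbound: [<pid>:<tid>] info: <client> <qname>. <qtype> <qclass>
# Reply lines (log-replies) carry extra fields after the class and are folded in;
# service/stat lines have no address after "info:" and are dropped.

# Constructed sample log for offline testing (not real captured data).
SAMPLE_LOG='Mar  4 10:01:02 pfSense unbound: [41230:0] info: start of service (unbound 1.9.1).
Mar  4 10:02:15 pfSense unbound: [41230:0] info: 192.168.1.20 google.com. A IN
Mar  4 10:02:15 pfSense unbound: [41230:0] info: 192.168.1.20 google.com. AAAA IN
Mar  4 10:02:16 pfSense unbound: [41230:0] info: 192.168.1.20 facebook.com. A IN
Mar  4 10:02:17 pfSense unbound: [41230:0] info: 192.168.1.20 yahoo.com. A IN
Mar  4 10:02:17 pfSense unbound: [41230:0] info: 192.168.1.20 yahoo.com. A IN NOERROR 0.012345 0 88
Mar  4 10:02:18 pfSense unbound: [41230:0] info: 192.168.1.21 pfsense.org. A IN
Mar  4 10:03:00 pfSense unbound: [41230:0] info: 192.168.1.20 google.com. A IN'

# Read log text on stdin; print unique "client domain" pairs, one per line.
# Locates the "info:" field instead of relying on fixed columns, so a different
# syslog prefix does not break it. The trailing dot of the qname is stripped.
extract_queries() {
  awk '{
    for (i = 1; i <= NF; i++) if ($i == "info:") break
    if (i + 4 > NF) next                       # too short to be a query line
    client = $(i+1); name = $(i+2); class = $(i+4)
    if (client !~ /^[0-9a-fA-F.:]+$/) next     # "start of service", stats, etc.
    if (name !~ /\.$/ || class != "IN") next   # not "<qname>. <type> IN"
    sub(/\.$/, "", name)
    print client, name
  }' | sort -u
}

# Same input; unique domains only, regardless of which client asked.
extract_domains() {
  extract_queries | awk '{ print $2 }' | sort -u
}

# Stand-alone run on the constructed sample; on pfSense you would instead do:
#   extract_domains < /var/log/resolver.log
printf '%s\n' "$SAMPLE_LOG" | extract_queries
```

    Feed it a week's worth of resolver.log and the output of extract_domains is exactly the block list the poster wants to hand to pfBlockerNG.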



  • You do realise you will just end up blocking Windows Update and Windows Defender, potentially leading to much wider security issues than Microsoft being able to see what apps you use.



  • @Alex:

    You do realise you will just end up blocking Windows Update and Windows Defender, potentially leading to much wider security issues than Microsoft being able to see what apps you use.

    Yes, I do. Although, to be a nitpicker, the telemetry stuff is not a security concern. It's a privacy and control concern. I make the choice to have privacy (and control) at the cost of security.

    Microsoft is not transparent and honest about what a patch does. It's not like FreeBSD, pfSense, and Linux distros. There are numerous articles mentioning that Microsoft introduced telemetry in Windows 7 and 8 WITHOUT being clear about it. Without giving users the choice.

    If you use Windows, you have two enemies: the malware creators and Microsoft itself. By using Windows I accept that my computer is insecure. I mitigate the issue by using none of the bundled software (I hope I'll manage to keep Skype updated; if not I'll just run it in a VM), using an anti-virus solution, relying on the firewall of my modem-router (and pfSense could very well replace that), and being religious about backups.

