Netgate Discussion Forum

    Simple domain blocking?

      joe_b

      With a lot of the home-use routers it's possible to block all traffic to a domain very simply - for example my wireless router at home is a TP-Link 3600 which has a simple "Access Control" function where you can enter a domain, and all traffic to it is blocked, whether it's HTTP, HTTPS, or whatever.
      Is it possible to do a similar thing with pfSense? I've researched it a fair amount and to block both http and https seems to require some comparatively complex setting up of squid, squidguard, wpad and so on.
      I'm just wondering if I'm missing something simple  :)

      (I wasn't sure if this question belonged here or in the cache/proxy section - apologies if I got it wrong.)

      Thanks!

        KOM

        DNS overrides, assuming you're using pfSense for DNS and either blocking external DNS or redirecting it to pfSense.

          joe_b

          @KOM:

          DNS overrides, assuming you're using pfSense for DNS and either blocking external DNS or redirecting it to pfSense.

          Thanks - unfortunately I need to use external DNS :(
          What I'm trying to do is prevent a couple of devices from auto-updating, but they need to access external DNS. I'll have a play with it and see if I can get something working.
          How do the commercial routers do what they do, I wonder? Are they actually doing something complex in the background?

            KOM

            @joe_b:

            Thanks - unfortunately I need to use external DNS

            Can you explain why this is the case?  Normal use cases have pfSense acting as DNS for its clients, and pfSense would either use the Resolver to talk directly to the DNS root servers, or the Forwarder to have pfSense talk to an external DNS such as your ISP's DNS or Google DNS.  The point I'm making is that you generally don't want your clients to be able to use any old DNS if you're using any access controls.

            https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

            https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

              joe_b

              @KOM:

              Can you explain why this is the case?  Normal use cases have pfSense acting as DNS for its clients, and pfSense would either use the Resolver to talk directly to the DNS root servers, or the Forwarder to have pfSense talk to an external DNS such as your ISP's DNS or Google DNS.  The point I'm making is that you generally don't want your clients to be able to use any old DNS if you're using any access controls.

              I use a dns-based service to avoid geolocking… at the moment the media devices are configured to use the service provider's DNS servers, and the rest of the network uses the ISP's DNS. Thanks for the two articles - I suppose I can configure everything to use the service provider's DNS and then use overrides for the domains I want to prevent access to.

              I'm still intrigued as to how the commercial routers do their thing :)

              Thanks, I appreciate your help!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.