Simple domain blocking?



  • With a lot of the home-use routers it's possible to block all traffic to a domain very simply - for example my wireless router at home is a TP-Link 3600 which has a simple "Access Control" function where you can enter a domain, and all traffic to it is blocked, whether it's HTTP, HTTPS, or whatever.
    Is it possible to do a similar thing with pfSense? I've researched it a fair amount and to block both http and https seems to require some comparatively complex setting up of squid, squidguard, wpad and so on.
    I'm just wondering if I'm missing something simple  :)

    (I wasn't sure if this question belonged here or in the cache/proxy section - apologies if I got it wrong.)

    Thanks!



  • DNS overrides, assuming you're using pfSense for DNS and either blocking external DNS or redirecting it to pfSense.



  • @KOM:

    DNS overrides, assuming you're using pfSense for DNS and either blocking external DNS or redirecting it to pfSense.

    Thanks - unfortunately I need to use external DNS :(
    What I'm trying to do is prevent a couple of devices from auto-updating, but they need to access external DNS. I'll have a play with it and see if I can get something working.
    How do the commercial routers do what they do, I wonder? Are they actually doing something complex in the background?



  • Thanks - unfortunately I need to use external DNS

    Can you explain why this is the case?  Normal use cases have pfSense acting as DNS for its clients, and pfSense would either use the Resolver to talk directly to the DNS root servers, or the Forwarder to have pfSense talk to an external DNS such as your ISP's DNS or Google DNS.  The point I'm making is that you generally don't want your clients to be able to use any old DNS if you're using any access controls.

    https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
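Added example, not from this thread or from the pfSense project: a small POSIX shell script that writes out the two pieces the replies above describe, so you can see in plain Unbound and pf syntax what a pfSense host override and the two linked articles amount to. The domains, the LAN interface name `em1` and the subnet `192.168.1.0/24` are assumed placeholders; on a real pfSense box you enter the equivalent through the GUI (DNS Resolver host overrides, a port forward for port 53, and a LAN rule blocking port 53 to anything but the LAN address) rather than pasting these lines.

```shell
#!/bin/sh
# Added example (not pfSense's own code). Emits Unbound sinkhole statements
# and pf rules that reproduce the "DNS override + force clients to use
# pfSense DNS" approach described in the thread.
#
# Assumptions (placeholders, override via environment if you like):
#   LAN_IF  - the LAN interface name (hypothetical: em1)
#   LAN_NET - the LAN subnet       (hypothetical: 192.168.1.0/24)
LAN_IF="${LAN_IF:-em1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Unbound (the pfSense DNS Resolver) statements that answer a blocked domain,
# and every name below it, with 0.0.0.0. "redirect" is the detail that matters
# for auto-updaters: update.example.com is caught along with example.com,
# which a plain A-record override would miss.
unbound_sinkhole() {
    for d in "$@"; do
        printf 'local-zone: "%s" redirect\n' "$d"
        printf 'local-data: "%s A 0.0.0.0"\n' "$d"
    done
}

# pf rules matching the two linked articles:
#   1. rdr: any DNS request arriving on LAN is sent to pfSense's own LAN address,
#      so a device hard-wired to 8.8.8.8 still gets the override answers;
#   2. block: anything that still targets an outside resolver is refused.
# After the rdr, the destination is the LAN address, so the block rule's
# "! (LAN_IF)" does not match redirected traffic.
pf_dns_rules() {
    printf 'rdr on %s inet proto { udp, tcp } from %s to any port 53 -> (%s) port 53\n' \
        "$LAN_IF" "$LAN_NET" "$LAN_IF"
    printf 'block return in quick on %s inet proto { udp, tcp } from %s to ! (%s) port 53\n' \
        "$LAN_IF" "$LAN_NET" "$LAN_IF"
}

# Demo with constructed domain names.
unbound_sinkhole update.example.com telemetry.example.net
pf_dns_rules
```

To confirm the override is actually being used, query pfSense from one of the media devices (for example `drill @192.168.1.1 update.example.com` on a FreeBSD host, or `nslookup` on the device's own tools) and check that the answer is 0.0.0.0; then query an outside resolver directly and confirm the request is refused or redirected rather than answered. If the device can still get a real answer from 8.8.8.8, the override alone does nothing, which is the point KOM is making about external DNS.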



  • @KOM:

    Can you explain why this is the case?  Normal use cases have pfSense acting as DNS for its clients, and pfSense would either use the Resolver to talk directly to the DNS root servers, or the Forwarder to have pfSense talk to an external DNS such as your ISP's DNS or Google DNS.  The point I'm making is that you generally don't want your clients to be able to use any old DNS if you're using any access controls.

I use a dns-based service to avoid geolocking… at the moment the media devices are configured to use the service provider's DNS servers, and the rest of the network use the ISP's DNS. Thanks for the two articles - I suppose I can configure everything to use the service provider's DNS and then use overrides for the domains I want to prevent access to.

    I'm still intrigued as to how the commercial routers do their thing :)

    Thanks, I appreciate your help!