OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: cake on January 25, 2019, 10:06:40 am

Title: Domain blocking with DNSCrypt v2 tutorial 18.7 (obsolete)
Post by: cake on January 25, 2019, 10:06:40 am
Edit: This howto is obsolete since the latest plugin has added blocklists to the gui.

I got domain blocking to work with the new DNSCrypt package that has recently been added to OPNsense. Thanks mimugmail (m.muenz@gmail.com).

I may have done something incorrectly and poorly so please suggest a better way if you know one.

After you get dnscrypt up and running and have checked that it is working, proceed to the shell.

(If you're missing nano or wget, just type "pkg install wget" or "pkg install nano".)

Code:
mkdir /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
cd /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
chmod a+x generate-domains-blacklist.py

Now is a good time to edit the .conf file.
Code:
nano domains-blacklist.conf

Remove the hash symbol from the lists you want and comment out the ones you don't want. I added a few of my own at the end of the file, mostly Facebook and Microsoft domains.

Also edit domains-blacklist-local-additions.txt.
Code:
nano domains-blacklist-local-additions.txt

I myself did not want to block *.local, *.localdomain or *.workgroup, so comment them out if you want to also.

Now run the program:
Code:
/usr/local/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt

Try it twice if it fails fetching an adblock list, like it did for me.

If you succeed, go up a directory
Code:
cd ..

and make a symlink that points to your new blocklist:
Code:
ln -s generate-domains-blacklists/dnscrypt-blacklist-domains.txt dnscrypt-blacklist-domains.txt
Lastly we need to edit the config file for dnscrypt and tell it about our blacklist
Code:
nano dnscrypt-proxy.toml

and add this to the end:
Code:
[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

Go to the router's GUI --> Services --> DnsCrypt-Proxy, and restart the service.
If it comes back up it should now be blocking those domains. If it doesn't, comment out the
Code:
blacklist_file = 'dnscrypt-blacklist-domains.txt'

line in the .toml file and double check everything.
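As an added check for the "double check everything" step (example code, not from the original post or the dnscrypt-proxy project), this script validates the generated list before you restart the service. The sample lists it writes are constructed, and the pattern syntax it accepts is an assumption based on the list formats used above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a generated
# blocklist before pointing blacklist_file at it. Assumes the format the
# generator writes: one pattern per line, '#' starts a comment, blank
# lines are ignored, an optional ' @name' suffix carries a time restriction.

# Number of usable (non-comment, non-blank) entries in FILE.
count_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# Lines that are not a plausible pattern (letters, digits, '.', '-', '_',
# '*', a leading '=' for exact matches, optional ' @time-restriction').
bad_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
      | grep -Ev '^[=A-Za-z0-9.*_-]+( @[A-Za-z0-9_,-]+)?[[:space:]]*$'
}

# Succeeds only for a readable, non-empty list with no malformed lines.
check_blocklist() {
    f="$1"
    # -e follows the symlink, so a dangling link fails here rather than
    # when dnscrypt-proxy tries to start.
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ "$(count_entries "$f")" -gt 0 ] || { echo "no entries: $f" >&2; return 1; }
    if bad_entries "$f" | grep -q .; then
        echo "malformed lines in $f:" >&2
        bad_entries "$f" >&2
        return 1
    fi
}

# Constructed sample lists in a temp dir; prints the directory.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/good.txt" <<'EOF'
# constructed sample in the generator's output format
ads.example
*.tracker.example
=exact.example
late.example @time-to-sleep
EOF
    cat > "$d/bad.txt" <<'EOF'
ads.example
bad entry with spaces
http://not-a-pattern.example/path
EOF
    echo "$d"
}
```

On the router, run check_blocklist /usr/local/etc/dnscrypt-proxy/dnscrypt-blacklist-domains.txt after generating the list and before restarting the service.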

Hope this works for you. :-)

Edit: Important, the changes to the .toml file do not stick after you save from the GUI, so you need to edit the template
Code:
nano /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml

and add the blacklist section so it looks like this:
Code:
[static]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

{% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
{%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}
{%     if server_list.enabled == '1' %}
  [static.'{{server_list.name}}']
  stamp = 'sdns://{{server_list.stamp}}'
{%     endif %}
{%   endfor %}
{% endif %}
Just below [static] but above the rest at the end.

Edit #2: Here is a tutorial I found to force DNSCrypt on all your clients: https://forum.opnsense.org/index.php?topic=9245.0 Just remember to change 127.0.0.1 in the example to 127.0.0.2.