OPNsense Forum

English Forums => General Discussion => Topic started by: minime on November 09, 2016, 02:09:21 pm

Title: [SOLVED] DNS filtering instead of using Squid
Post by: minime on November 09, 2016, 02:09:21 pm
Hi guys,

I might misunderstand the underlying concepts, so pardon me for the following:

I am currently using Squid in transparent mode to block unwanted webpages and advertisements, which works quite well. However, when it comes to SSL encrypted pages it fails, or rather I don't want to issue a certificate and play MITM... for various reasons.

I wonder now, wouldn't it be possible to have OPNsense run its own DNS service, which refers to whatever DNS service you actually want to use, e.g. your ISP's, BUT first runs the request through your blacklist before handing it over to the actual DNS server?

Many thanks for any comment on this!
Title: Re: DNS filtering instead of using Squid
Post by: bartjsmit on November 09, 2016, 03:04:04 pm
You may want to consider OpenDNS to filter access in combination with Squid.

https://www.kirkg.us/posts/using-opendns-with-opnsense/

Bart...
Title: Re: DNS filtering instead of using Squid
Post by: minime on November 09, 2016, 03:06:11 pm
Hi,

Thanks, I have read this article, but I don't like OpenDNS and would rather use a local DNS server (the one from my provider).

Title: Re: DNS filtering instead of using Squid
Post by: franco on November 09, 2016, 05:38:26 pm
Hi minime,

You can override external domain entries with 127.0.0.1 or some other tarpit IP from the built-in DNS services.

You just need to make sure that outside DNS cannot be reached from the network to be enforced via a firewall rule (if required), and know that if someone gets an IP from a web search, they can still browse the blocked domains by circumventing your filter mechanism. It's the same flaw that OpenDNS has.

In this case an IP blocklist also helps, but there are always ways around that.


Cheers,
Franco
Title: Re: DNS filtering instead of using Squid
Post by: minime on November 09, 2016, 08:18:48 pm
Thanks Franco, I will try it this weekend. Earlier I was not successful with the firewall rules/aliases, but I'll give it another go and report back. Many thanks!
Title: Re: DNS filtering instead of using Squid
Post by: franco on November 10, 2016, 10:06:36 am
Of course, but don't thank me just yet. ;)
Title: Re: DNS filtering instead of using Squid
Post by: minime on November 11, 2016, 07:53:34 pm
OK, I need your guidance a bit. What I have tried:

1) Setting the DNS server => System/Settings/General/DNS servers
2) Removed DNS server entries in Services/DHCP/Server/DNS servers
3) Enabled DNS Forwarder in Services/DNS Forwarder
4) Added some domains with the "!" or "127.0.0.1" in Services/DNS Forwarder/Domain Overrides

This doesn't work properly... I also tried to search the wiki with the keyword "DNS", however, no result was returned...

I also tried to create an entry in Firewall/Aliases/View => Host and then another sample domain, and then blocking it under Firewall/Rules by adding 2 entries (1 for source and 1 for destination) with the alias reference in the "Floating" tab. To be sure, I also created an entry in LAN and the other entry in WAN. Doesn't really work.

Is it because I have in parallel Squid in transparent mode running (forwarding non-SSL traffic to it)?

I know I am doing something wrong, but I can't figure out what.
Title: Re: DNS filtering instead of using Squid
Post by: franco on November 12, 2016, 09:16:13 am
So I just put in "facebook.com" and "127.0.0.1" as a domain override in the forwarder, which didn't work. Instead, use a bogus IP like "127.0.0.2" and it works. The forwarder forwards that request to an authoritative server, in this case itself, so it was still working with localhost. Sorry for the confusion.

Browsers may cache results greedily, so confirmation should be made with care.


Cheers,
Franco
Title: [SOLVED] Re: DNS filtering instead of using Squid
Post by: minime on November 12, 2016, 11:19:46 am
Thanks Franco, that works.

Is there a way to bulk-load URLs into Services/DNS Forwarder/Domain Overrides?
Title: Re: [SOLVED] DNS filtering instead of using Squid
Post by: franco on November 12, 2016, 02:45:06 pm
Not that I know of. The best approach is to add them to the config.xml directly. Export the config from the GUI, expand the alias section with a text editor, then import it back into the firewall (DNS forwarder only).

Someone wanted to work on making import features like this for DNS and/or DHCP, but it never came to be.


Cheers,
Franco
Title: Re: [SOLVED] DNS filtering instead of using Squid
Post by: Zeitkind on November 12, 2016, 05:14:46 pm
Just to mention: There are some biiiig hosts file lists around with all kinds of blocked categories, including flickr, facebook, twitter and such. Some of those might have several DNS entries and you need to block them all.
One of them: https://github.com/StevenBlack/hosts/blob/master/hosts
Do not use them as they are, just take the parts you want/need.
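As an added example (not code from the thread or from OPNsense), here is one way to do the bulk load Franco describes and the selective use of hosts lists Zeitkind recommends: parse a hosts-format blocklist, keep only the names you want, and append DNS Forwarder domain overrides to an exported config.xml, using the sinkhole address 127.0.0.2 from Franco's fix rather than 127.0.0.1. The `<dnsmasq>/<domainoverrides>/<domain>/<ip>/<descr>` element layout and the sample hosts lines are assumptions constructed for this example; check them against your own exported config before importing.

```python
"""Build OPNsense DNS Forwarder domain overrides from a hosts-file blocklist."""
import xml.etree.ElementTree as ET

# Constructed sample lines in the format of the hosts lists linked above.
SAMPLE_HOSTS = """\
# Title: sample blocklist (constructed for this example)
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 ads.example.net
0.0.0.0 www.flickr.com
"""

# Constructed minimal exported config; the element names are an assumption.
SAMPLE_CONFIG = "<opnsense><dnsmasq><enable>1</enable></dnsmasq></opnsense>"

# Hosts-file housekeeping entries that must never become overrides.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "0.0.0.0", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text, wanted=None):
    """Return sorted unique hostnames; `wanted` keeps only names containing a substring."""
    names = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in parts[1:]:
            name = name.lower()
            if name in SKIP or (wanted and not any(w in name for w in wanted)):
                continue
            names.add(name)
    return sorted(names)


def add_overrides(config_xml, domains, ip="127.0.0.2"):
    """Append one override per new domain and return the modified XML string."""
    if ip == "127.0.0.1":  # the forwarder answers itself here, so the block is a no-op
        raise ValueError("use a sinkhole address such as 127.0.0.2, not 127.0.0.1")
    root = ET.fromstring(config_xml)
    dnsmasq = root.find("dnsmasq")
    if dnsmasq is None:
        raise ValueError("no <dnsmasq> section: enable the DNS Forwarder first")
    existing = {e.findtext("domain") for e in dnsmasq.findall("domainoverrides")}
    for domain in domains:
        if domain in existing:
            continue  # idempotent: re-running the import adds no duplicates
        entry = ET.SubElement(dnsmasq, "domainoverrides")
        ET.SubElement(entry, "domain").text = domain
        ET.SubElement(entry, "ip").text = ip
        ET.SubElement(entry, "descr").text = "blocklist"
    return ET.tostring(root, encoding="unicode")


def count_overrides(config_xml):
    """Number of domain overrides present in a config string."""
    return len(ET.fromstring(config_xml).findall("dnsmasq/domainoverrides"))
```

Feed the resulting XML back through the GUI import (DNS forwarder section only), then verify with a DNS lookup from a client rather than a browser, since browsers cache answers.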