OPNsense Forum » English Forums » General Discussion » [SOLVED] DNS filtering instead of using Squid
Topic: [SOLVED] DNS filtering instead of using Squid (Read 11073 times)
minime (Newbie, Posts: 32, Karma: 6)
[SOLVED] DNS filtering instead of using Squid
on: November 09, 2016, 02:09:21 pm
Hi guys,
I might misunderstand the underlying concepts, so pardon me for the following:
I am currently using Squid in transparent mode to block unwanted webpages and advertisements, which works quite well. However, when it comes to SSL encrypted pages it fails, or rather, I don't want to issue a certificate and play MITM... for various reasons.
I wonder now, wouldn't it be possible to have in OPNsense its own DNS service, which refers to whatever DNS service you actually want to use, for instance the one from your ISP, BUT first runs through your blacklist before handing over the request to the actual DNS server?
Many thanks for any comment on this!
Last Edit: November 12, 2016, 11:19:57 am by minime
bartjsmit (Hero Member, Posts: 2018, Karma: 194)
Re: DNS filtering instead of using Squid
Reply #1 on: November 09, 2016, 03:04:04 pm
You may want to consider OpenDNS to filter access in combination with Squid.
https://www.kirkg.us/posts/using-opendns-with-opnsense/
Bart...
minime (Newbie, Posts: 32, Karma: 6)
Re: DNS filtering instead of using Squid
Reply #2 on: November 09, 2016, 03:06:11 pm
Hi,
Thanks, I have read this article, but I don't like OpenDNS and would rather use a local DNS server (the one from my provider).
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: DNS filtering instead of using Squid
Reply #3 on: November 09, 2016, 05:38:26 pm
Hi minime,
You can override external domain entries with 127.0.0.1 or some other tarpit IP from the built-in DNS services.
You just need to make sure that outside DNS cannot be reached from the network to be enforced, via a firewall rule (if required), and know that if someone gets an IP from a web search, they can still browse the blocked domains by circumventing your filter mechanism. It's the same flaw that OpenDNS has.
In this case an IP blocklist also helps, but there are always ways around that.
Cheers,
Franco
minime (Newbie, Posts: 32, Karma: 6)
Re: DNS filtering instead of using Squid
Reply #4 on: November 09, 2016, 08:18:48 pm
Thanks Franco, I will try it this weekend. Earlier I was not successful with the firewall rules/aliases, but I'll give it another go and report back. Many thanks!
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: DNS filtering instead of using Squid
Reply #5 on: November 10, 2016, 10:06:36 am
Of course, but don't thank me just yet.
minime (Newbie, Posts: 32, Karma: 6)
Re: DNS filtering instead of using Squid
Reply #6 on: November 11, 2016, 07:53:34 pm
OK, I need your guidance a bit. What I have tried:
1) Set the DNS server => System/Settings/General/DNS servers
2) Removed the DNS server entries in Services/DHCP/Server/DNS servers
3) Enabled the DNS Forwarder in Services/DNS Forwarder
4) Added some domains with "!" or "127.0.0.1" in Services/DNS Forwarder/Domain Overrides
This doesn't work properly... I also tried to search the wiki with the keyword "DNS"; however, no result was returned...
I also tried to create an entry in Firewall/Aliases/View => Host and then another sample domain, and then to block it under Firewall/Rules by adding 2 entries (1 for source and 1 for destination) with the alias reference in the "Floating" tab. To be sure, I also created one entry in LAN and the other entry in WAN. Doesn't really work.
Is it because I have in parallel Squid in transparent mode running (forwarding non-SSL traffic to it)?
I know I am doing something wrong, but I can't figure out what.
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: DNS filtering instead of using Squid
Reply #7 on: November 12, 2016, 09:16:13 am
So I just put in "facebook.com" and "127.0.0.1" as a domain override in the forwarder, which didn't work. Instead, use a bogus IP like "127.0.0.2" and it works. The forwarder forwards that request to an authoritative server, in this case itself, so it was still working with localhost. Sorry for the confusion.
Browsers may cache results greedily, so confirmation should be made with care.
Cheers,
Franco
minime (Newbie, Posts: 32, Karma: 6)
[SOLVED] Re: DNS filtering instead of using Squid
Reply #8 on: November 12, 2016, 11:19:46 am
Thanks Franco, that works.
Is there a way to bulk-load URLs into Services/DNS Forwarder/Domain Overrides?
franco (Administrator, Hero Member, Posts: 17668, Karma: 1611)
Re: [SOLVED] DNS filtering instead of using Squid
Reply #9 on: November 12, 2016, 02:45:06 pm
Not that I know of. The best approach is to add them to the config.xml directly. Export the config from the GUI, expand the alias section with a text editor, then import it back into the firewall (DNS forwarder only).
Someone wanted to work on making import features like this for DNS and/or DHCP, but it never came to be.
Cheers,
Franco
Zeitkind (Full Member, Posts: 180, Karma: 27)
Re: [SOLVED] DNS filtering instead of using Squid
Reply #10 on: November 12, 2016, 05:14:46 pm
Just to mention: There are some biiiig host file lists around with all kinds of blocked categories, including flickr, facebook, twitter and such. Some of those might have several DNS entries and you need to block them all.
One of them:
https://github.com/StevenBlack/hosts/blob/master/hosts
Do not use them as they are, just take the parts you want/need.
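Bulk-loading overrides from a hosts list, as Franco's config.xml approach (Reply #9) and Zeitkind's list pointer (Reply #10) suggest, can be prepared with a short script. This is an added example, not OPNsense's own code: it parses a hosts-style list, drops the localhost entries, malformed lines and invalid names, de-duplicates, and emits one override per hostname pointing at the 127.0.0.2 sinkhole from Reply #7. The `<domainoverrides>`/`<domain>`/`<ip>`/`<descr>` element names are an assumption drawn from the legacy dnsmasq section and should be checked against an exported config.xml before importing.

```python
"""Hosts-style blocklist -> DNS Forwarder domain overrides, for bulk insertion into config.xml."""
import ipaddress
import re
from xml.sax.saxutils import escape

SINKHOLE_IP = "127.0.0.2"  # 127.0.0.1 fails: the forwarder hands the query to itself
# Names every hosts file carries; they must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one RFC 1123 hostname label

def valid_hostname(name):
    return 0 < len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))

def parse_hosts(text):
    """Unique hostnames in first-seen order; comments, malformed lines, local names,
    bad labels and duplicates are skipped."""
    seen, names = set(), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # strip comment, tokenize
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])       # first field must be an IP address
        except ValueError:
            continue                              # not a hosts line
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or name in seen or not valid_hostname(name):
                continue
            seen.add(name)
            names.append(name)
    return names

def to_domain_overrides(names, ip=SINKHOLE_IP):
    """One <domainoverrides> element per name. The element names are an assumption
    based on the legacy dnsmasq section; check them against an exported config.xml."""
    return "\n".join(
        f"<domainoverrides><domain>{escape(n)}</domain><ip>{ip}</ip>"
        f"<descr>blocklist</descr></domainoverrides>" for n in names)

# Constructed sample in hosts-file format (not the real StevenBlack list).
SAMPLE_HOSTS = """\
::1 localhost ip6-localhost
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 tracker.example.net www.tracker.example.net
0.0.0.0 ads.example.com
0.0.0.0 bad_name.example.com
"""
OVERRIDES_XML = to_domain_overrides(parse_hosts(SAMPLE_HOSTS))
```

Zeitkind's caveat still applies: feed the script only the sections of a list you actually want, and remember that an override only covers the exact domain names listed.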