How to Configure a DNS Blacklist Using pfSense

Update (5/4/11)

If you have updated to pfSense 2.0 you may notice that DNS Blacklist is currently unavailable.  As an alternative you can set up SquidGuard which offers the same functionality and is much more versatile.

If your looking for an easy way to block domains on your network based on many common categories DNS blacklist can do the job easily.  DNS blacklist is a package for the popular pfSense platform.

If your not familiar with pfSense check out Introduction to pfSense.

DNS blacklist includes about 40 different categories and allows you to block some, or all of the categories.  The categories I find most useful to block are malware, and phishing.  Other notable categories are adult, warez, games, and more.  The complete listing can be found here.

If you want to see specifically what sites are on the blacklist you can download the archive from the Blacklist website and search through the text files.

Installation

To install the package open up the pfSense package manager found under System\Packages in the web interface.  Then locate ‘DNS Blacklist’ in the list of packages and click the + symbol next to the package to begin the installation.

Configuration

After the installation is complete you will have a new menu item under services called DNS blacklist.  Clicking on it will pull up the configuration screen.  All that you have to do here is check the box ‘Enable DNS Blacklist’ and then select the categories that you want to be blocked.

In order for this package to be able to work you must have the DNS forwarder in pfSense enabled.  The DNS forwarder is found under the Services Menu in pfSense.  Check the box labeled ‘Enable DNS forwarder’.

When the DNS forwarder is enabled all DNS requests sent to pfSense will be forwarded to the DNS servers listed under the System: General Setup menu.  Personally I like to use OpenDNS but you could also use google public DNS or the DNS servers provided by your ISP.  Once you enable the forwarder pfsense will set the LAN IP address as the DNS server for DHCP clients on your network.  Clients will send DNS queries to pfsense which will forward the requests to the DNS servers you entered.  If you didn’t enter any DNS servers it will use the addresses provided by your ISP.  To test if the forwarder is working make sure your computer is pointing to pfSense for DNS (ipconfig /all) and try to browse some web pages.  You may need to release/renew your IP address for the changes to apply to your computer.

If you have clients on the network using static IP addresses you will need to manually configure them to point to the pfSense router for DNS.

Updating DNS Blacklist

This step isn’t necessary but I highly recommend updating the blacklist for the best protection.  According to the author he adds between 50 and 300 new urls to the blacklist every day.

  1. Download the latest blacklist archive file , look for the link blacklists.tar.gz
  2. Copy the archive to your pfSense box using WinSCP or the pfSense File Manager package
  3. Log in to pfSense using SSH and extract the archive (tar zxvf blacklists.tar.gz -C /usr/local/www/packages/dnsblacklist/)
  4. Go back to the DNS Blacklist menu in pfsense and save your settings again, this will apply the updates.

Preventing users from bypassing the blacklist

If the users on your network are tech savvy they may figure out that they can bypass the blacklist you have setup by changing the DNS servers on their computer.  The way to prevent this is to create a firewall rule in pfSense to block any DNS traffic (UDP port 53) not destined for your router.  This forces them to go through the DNS server with the blacklist.

DNS blacklist has categories built in to block web proxy sites so be sure to enable those as well.

Customization

You can add or remove domains from the blacklists by editing the lists found in /usr/local/www/packages/dnsblacklist/blacklists.  When you enable DNS blacklist it populates the file /usr/local/etc/dnsmasq.blacklist.conf with the sites to block based on the categories you have selected.  By default when a user visits a site on the blacklist they are redirected to google.  Below you can see what the format of the configuration file looks like.  The IP address following the slash is the site the user will be redirected to (google.com).

address=/twitter.com/74.125.45.100
address=/typepad.com/74.125.45.100

The authors of DNS Blacklist are working on a new version with an updated GUI that will add the ability to easily blacklist or whitelist individual domains.  The best way to check up on the status of the new version is to visit the pfSense forums.

Logging in to pfSense via SSH

Here are the steps to log in to your pfSsense router using SSH.

1.  Enable SSH on the System \ Advanced menu

 

 

 

 

 

 

 

2.  Download an SSH client such as Putty.  Type the IP address of your pfSense router into the host name box and click open.

 

 

 

 

 

 

 

 

 

 

 

3. Log in using root for the user name, the password will be the same one you use to log into the web interface.  Select option #8 (shell) from the console menu

 

 

 

 

 

 

 

 

 

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.

14 thoughts on “How to Configure a DNS Blacklist Using pfSense

      1. helo sam

        have u created this “little bash script” to integrate a category from SHALLALIST to a dnsmasq compatile file?
        can you share it?
        thanks
        jb

    1. Some of them are the .com, and .net versions of the same domain. Also I’d bet there are a lot that don’t exist anymore. I kind of doubt someone goes through and tests each domain but that would be an interesting job 🙂

  1. dns black list works with https blocking ? i want to block facebook twitter and youtube https traffic is it possible to block using dns black list ?

  2. Thank for all your contributions
    I have just taken over a network where Pf sense is been used, how can i view the website blocked as am asked to Unblock the we site. thank you

  3. Hello, I have checked on my package list in pfsense. I do not have DNS blacklist. it is not appearing, I need help. Am using pfsense Community Edition.

Leave a Reply

Your email address will not be published. Required fields are marked *