
Topic: Does DNS Redirection Bypass DNSBL?


Offline mifronte

Does DNS Redirection Bypass DNSBL?
« on: February 05, 2018, 03:49:42 pm »
If I am redirecting all DNS requests to pfSense as specified in this How-To, will DNSBL be bypassed, or will DNSBL still take effect?
SuperMicro Atom C2758 A1SRI-2758F 16GB
2.4.2-RELEASE (amd64)

Offline RonpfS

Re: Does DNS Redirection Bypass DNSBL?
« Reply #1 on: February 05, 2018, 04:55:30 pm »
If you are redirecting DNS Requests to a pfsense with DNSBL enabled, then DNSBL will NOT be bypassed.
2.3.5-RELEASE-p1 (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
pfBlockerNG 2.1.2_2/Dev, suricata 4.0.3_1

Offline mifronte

Re: Does DNS Redirection Bypass DNSBL?
« Reply #2 on: February 05, 2018, 06:09:27 pm »
Thanks. Yes, I am redirecting to pfSense so that all DNS requests go through DNSBL.
SuperMicro Atom C2758 A1SRI-2758F 16GB
2.4.2-RELEASE (amd64)

Offline Tom7755

Re: Does DNS Redirection Bypass DNSBL?
« Reply #3 on: February 08, 2018, 08:05:10 am »
Why would someone want to do this?

Offline mifronte

Re: Does DNS Redirection Bypass DNSBL?
« Reply #4 on: February 12, 2018, 01:49:36 pm »
I am doing this to ensure that all DNS requests go through my local DNS resolver and any DNS servers that I have configured as the upstream DNS. Some clients can manually set their DNS settings, and this will prevent that attempt to bypass my DNS policy.

For example, for a family with children, the parents may want to use OpenDNS to implement some parental filtering. A smart teenager may bypass OpenDNS by specifying the Google DNS on their client. This redirection will intercept all DNS queries and ensure that OpenDNS is used.

I personally use pfBlockerNG with DNSBL to block access to sites that are on the lists that I have configured. I discovered that some Google devices have Google's DNS hardcoded into their firmware to reach Google's data collection servers. This redirection ensures that these devices don't circumvent my block lists. Of course this does nothing if the IP address is hardcoded, but then I hope the pfBlockerNG IPv4 and IPv6 feature will prevent those scenarios.
SuperMicro Atom C2758 A1SRI-2758F 16GB
2.4.2-RELEASE (amd64)
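For readers who want to see what the redirection in this thread looks like at the pf level, here is an added example of an equivalent rule (not the How-To's GUI steps or pfSense's generated rules). The LAN interface name em1 and the pfSense LAN address 192.168.1.1 are assumptions; substitute your own.

```pf
# Added example, not from the thread or the How-To. Forces every DNS query from
# LAN clients through the pfSense resolver, so DNSBL still sees it even when a
# client has configured 8.8.8.8 or another external resolver by hand.
# Assumptions: LAN interface em1, pfSense LAN address 192.168.1.1, Unbound
# (with DNSBL) listening on port 53 on that address.
lan_if = "em1"
lan_ip = "192.168.1.1"

# Rewrite TCP and UDP port 53 traffic that is aimed anywhere other than pfSense
# itself to the local resolver. The "!" excludes queries already addressed to
# pfSense, so normal client-to-resolver traffic is left untouched, and "pass"
# lets the translated packet through without a separate filter rule.
rdr pass on $lan_if inet proto { tcp udp } from $lan_if:network to ! $lan_ip port 53 -> $lan_ip port 53

# Limits, as noted in the thread: this only catches traffic on port 53. A device
# that talks to a hardcoded IP address over another port never hits this rule,
# which is where the pfBlockerNG IPv4/IPv6 lists take over.

# Checks before and after loading:
#   pfctl -nf /etc/pf.conf        syntax-check the rule set without applying it
#   pfctl -sn                     list the active NAT/rdr rules and confirm this one is present
# From a LAN client, "dig @8.8.8.8 <listed-domain>" should now return the DNSBL
# sinkhole address rather than the real one, proving the redirect is in effect.
```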