pfSense English Support > Packages

BlackholeDNS: Anyone tried it with pfsense?


kevross33:
Hey, I am wondering if anyone has done a blackhole DNS setup for malware domains, such as those from www.malwaredomains.com, so any DNS requests for them just go to 127.0.0.1 (loopback) and machines don't connect?

There was an addon for Smoothwall which did this, http://community.smoothwall.org/forum/viewtopic.php?f=26&t=26030, and it was very useful and is actually the only thing I miss from Smoothwall now that I am on pfSense. I am just wondering if anyone ever tried an addon or just did it manually using scripts?

ipv6kid:
Would be nice to have an Unbound add-in to do this.

wagonza:

--- Quote from: ipv6kid on November 22, 2011, 12:03:40 pm ---Would be nice to have an Unbound add-in to do this.

--- End quote ---

It would be, wouldn't it :) Watch this space for 2.1.

kevross33:

--- Quote from: wagonza on November 23, 2011, 12:01:49 pm ---
--- Quote from: ipv6kid on November 22, 2011, 12:03:40 pm ---Would be nice to have an Unbound add-in to do this.

--- End quote ---

It would be, wouldn't it :) Watch this space for 2.1.

--- End quote ---

Awesome. This paper from the SANS Institute may interest you: http://www.sans.org/reading_room/whitepapers/dns/dns-sinkhole_33523

Ideally it would just resolve malware domains from various sources (Malware Domains, the ZeuS blocklist and whatever else, with the option to choose lists) to 127.0.0.1. I would like to see logging about contacted domains or something, if it were doable, as that was something the Smoothwall addon didn't have and which would have proved useful (though the setup stops a lot of drive-by downloads, exploit kit sites, etc. anyway).

Thanks.

Kamel:
A better/preferred solution (IMHO) would be to redirect to an internal page hosted on pfSense explaining why it was rejected, just like SquidGuard does. The issue with redirecting to 127.0.0.1 or not responding is that they trick your PC into thinking it's going to get something if it goes there, so it will take a long time and then ultimately 'not respond'. This can also sometimes look like something is broken, so if you have a larger network you may get lots of "why isn't this website working", as opposed to the user seeing and immediately understanding that the reason it was blocked was alleged spyware and/or malware, which will remove all question. This will also aid in the troubleshooting process, as you would know immediately the reason this or that page is not functioning.

Just my 2 cents; I highly support the idea though. I wonder if there are "lists" one could subscribe to, like with pfBlocker. BTW, sites simply being blocked with no explanation of why (and system resource hogging) is why I don't use pfBlocker.
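The list-to-sinkhole step that kevross33 and Kamel describe above, as an added example that is not code from this thread, from pfSense, or from any pfSense package: a POSIX shell script that normalises a plain-text blocklist (bare domains or hosts-file style lines) and emits Unbound `local-zone ... redirect` entries, or the equivalent `address=/domain/ip` lines for the dnsmasq-based DNS Forwarder in pfSense 2.0. The function names, the sample feed (constructed inline so it runs offline) and the include path in the comments are assumptions for illustration, not real feeds or pfSense paths. Passing the pfSense LAN address instead of 127.0.0.1 as the sink implements Kamel's "explain why it was blocked" variant, provided a web server on that address serves the explanation page.

```sh
#!/bin/sh
# Added example (not from the thread): turn malware-domain lists into DNS sinkhole
# configuration for Unbound (and dnsmasq, the pfSense 2.0 DNS Forwarder).
# Function names and the sample list below are assumptions for illustration.

# Constructed sample feed (NOT a real blocklist). Real feeds mix bare domains,
# hosts-file style "127.0.0.1 host" lines, comments and odd capitalisation.
SAMPLE_LIST='# constructed sample, not a real feed
127.0.0.1 Evil.Example
0.0.0.0 tracker.example.net   # hosts-file style entry
Malware-Site.Example.org.
evil.example
localhost
'

# parse_domains: read list text on stdin, emit one normalised domain per line.
# Strips comments, hosts-file address prefixes and trailing dots, lowercases,
# drops anything without at least one dot (e.g. "localhost"), de-duplicates.
parse_domains() {
    awk '
        { sub(/#.*/, "") }                                        # drop comments
        NF == 0 { next }                                           # skip blank lines
        $1 ~ /^(127\.0\.0\.1|0\.0\.0\.0)$/ && NF >= 2 { $1 = $2 }  # hosts-file style
        { d = tolower($1); sub(/\.$/, "", d) }                     # canonical form
        d ~ /^[a-z0-9.-]+\.[a-z0-9-]+$/ { print d }                # plausible FQDN only
    ' | sort -u
}

# unbound_conf: one "redirect" local-zone per domain, so the domain AND every
# subdomain answer with the sink address. $1 = sink: 127.0.0.1 to blackhole, or
# the pfSense LAN IP if a "why was this blocked" page is served from there.
unbound_conf() {
    sink="$1"
    while IFS= read -r d; do
        printf 'local-zone: "%s" redirect\n' "$d"
        printf 'local-data: "%s A %s"\n' "$d" "$sink"
    done
}

# dnsmasq_conf: same thing for the dnsmasq DNS Forwarder; address=/domain/ip
# also matches subdomains.
dnsmasq_conf() {
    sink="$1"
    while IFS= read -r d; do
        printf 'address=/%s/%s\n' "$d" "$sink"
    done
}

# Convenience wrappers over the constructed sample (used by the self-test).
blocked_count() { printf '%s\n' "$SAMPLE_LIST" | parse_domains | wc -l | tr -d ' '; }
unbound_zone_lines() { printf '%s\n' "$SAMPLE_LIST" | parse_domains | unbound_conf "$1"; }
dnsmasq_lines() { printf '%s\n' "$SAMPLE_LIST" | parse_domains | dnsmasq_conf "$1"; }

# Real use (hypothetical path): fetch -o - "$LIST_URL" | parse_domains \
#     | unbound_conf 127.0.0.1 > /usr/local/etc/unbound/sinkhole.conf
# then reference it from Unbound's server: block with "include:" and turn on
# "log-queries: yes" so the log shows which clients asked for sinkholed names.

# Demo: print the Unbound fragment generated from the constructed sample.
unbound_zone_lines 127.0.0.1
```

Two caveats a practitioner would want: the `redirect` zone type catches every subdomain of a listed name, which is what you want for exploit-kit hostnames but means a list entry like a shared hosting parent domain blocks everything beneath it; and the explanation-page variant only works cleanly for plain HTTP, since a browser reaching the LAN IP for an HTTPS name will get a certificate mismatch rather than the page. Unbound's `log-queries: yes` gives the "which domains were contacted" logging kevross33 asked for, at the cost of a busy log on larger networks.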
