Pfsense

Filter DNS traffic after blocking websites with Squid

Leave a comment

Let’s assume that you have installed and configured Squid Proxy to block several categories of websites that you don’t want your users or clients to visit ..

In some places maybe interference on client machines or applying group policy on AD is not strict thing and might give the option to users to pass through proxy rules .. so I have considered the same thought and said after I have configured squid proxy to block certain websites (Porn, chat, social…etc) using the Wpad autodiscover method.. I said in case I change the DNS the user will pass through the proxy and find away to connect to those blocked websites.

Then I thought what if I can block external DNS queries and let all the DNS queries pass through the Pfsense or my internal DNS..

To do so I have configured my PFsense’s WAN DNS IP to Google (System>General Setup>

I have added my Local DNS to the DNS resolver (Pfsense Version 2.2)

Next I will go to the Rules and go to my LAN (DMZ in my case) and create 3 rules in total as following:

The rules in the figure below will allow any DNS query request from any source through only (Local Address of the Pfsense) and the second rule will allow DNS requests from the local DNS Server to any DNS server.

Third rule will blcok any DNS request from anywhere else.

Which in result will allow all clients to forcefully use the local DNS to resolve names and resolve IPs, but still even if the user changed his Local LAN/Wifi DNS IP to Google still he’ll be able to connect to the allowed websites from SQUID but he/she won’t be able to resolve FQDNs through (Nslookup command) for example.

I’m attaching screenshots to demonstrate how this is working flawlessly.

As you can see below I have opened google, Flickr, Facebook, gmail, searched for local time and it all worked according to the Squid rules and while still using (8.8.8.8)

Now I will change the DNS back to the local DNS IP and see if i can resolve internet addresses without an issue and connect as well, which worked fine too.

This is a simple article but I’m sure it could be very useful for those companies who want to block wide range of categories and force it on to their employees. or for families who want to avoid their kids from doing naughty stuff or watch violent websites.

Leave a Reply

Your email address will not be published. Required fields are marked *