This document is not written by me. I just only want to note and
share who want to learn. (ejnetwork)
Author is denoted under below!
Blocking Domains with PFSense using Bind
Last Updated: 11/13/2013
By: Phillip Tarrant
The purpose of this paper is to show how to use Bind and PFSense to create a DNS blackhole.
This will allow the administrator to block any domain from users. This is very useful if one
wishes to block HTTP and HTTPS traffic to a domain. Squidguard is great for blocking HTTP,
however, since HTTPS traffic is encrypted Squid cannot block or filter this traffic. A DNS
blackhole is the most accepted way known to blocking the domain from any traffic (this includes
Requirements: You will need the following
PFSense box running PFSense 2.0+
Know how to install packages on PFSense and have access to do such.
Some general Internet/DNS Knowledge. (Not required, but helpful)
Active Directory Note:
If you need to use another DNS Server (such as a Windows Server running Active Directory).
Simply have the Windows Server use PFSense as the only forward in it’s DNS Configuration.
This will allow the Windows clients in the domain still be able to see domain resources and the
AD Controller, but still be filtered. Bind in this configuration will still seek and resolve any internet
domains not expressly configured in it’s zone settings. DNS calls will be cached on Bind and
resolve faster for you. It’s a Win/Win.
Note: No firewall rules are needed for this configuration. The clients need to use PFSense
Internal IP (LAN, OPT1 etc) as their DNS Server. Preferably the only DNS Server in their config.
After changing your clients config, you may need to flush any DNS cache on the client.
Rebooting is the easiest way to do this.
Step 1. Install the Bind package
● Log into PFSense and go to the SYSTEM tab. Under that tab you will select Packages.
● Click on the Available Packages Tab.
● You are looking for the bind package.
● Below is a screenshot of how it should look.
Step 2. Access Bind Config
● After install you can configure bind by going to Services → Bind Server
Step 3. Settings for Bind
Bind is a very powerful DNS server and capable of many things. As such, it has many many
configuration options that can be confusing. We will take things one tab at a time and I will
explain each relevant section and outline the settings needed and why they are needed.
Daemon Settings –
Enable Bind – Here you will check “enable bind” to enable the service.
Listen-on are the interfaces you want bind to listen on. Control+Click on any interfaces
you want bind to listen on. I do NOT recommend WAN!
Enable Notify – Unchecked, We don’t have any slave servers to worry about.
Hide Version – Unchecked, just an extra bit of security.
Limit Memory Use – The Default of 256mb is fine.
Leave logging disabled for now, if you have issues I recommend it set to:
Loggin Severity set to “Error” and Loggin Options set to “Default”
Response Rate Limit
Leave Rate Limit disabled for now (if you serve alot of clients or want to protect against
DDOS attacks you can enable)
Check forwarder to enable – List your ISP DNS or Google (220.127.116.11) using a semicolon ( ;
) after each one. EVEN IF YOU ONLY HAVE 1 SERVER LISTED YOU MUST END IN
A SEMICOLON ( ; ). Failure to do so will cause the service not to start as the config is
Here is a screenshot showing the config, note the trailing semicolon ( ; )
3.2 ACL Tab
Leave to default for all. You can if you wish setup other list to allow only certain IP’s.
Depending on your network config. If you don’t have a domain or active directory setup, you
most likely want the default ACL as all your clients on your network will all use PFSense as it’s
primary DNS server.
However, if you have active directory setup or another internal DNS server setup, you may want
to limit the DNS to only serve your servers behind PFSense.
Again, nothing wrong with leaving the default options set for now.
3.3 Views Tab
We are just going to setup one view. You could setup several types, but one will do for
us. We will call it “Everyones View” and set it to do Recursion, matching any clients (this
is the ACL we setup earlier) and allow-recursion to any.
In general, you are always going to use “everyones view” for your setup. Seeing how
only the LAN side of PFsense is really going to use the DNS server every client will need
the same settings.
Ahh zones, now we get to the complicated / fun blocking part. Since everything else is
configured we get to add zones our DNS server will control. These are the zones we want to
block. We will be using facebook.com for our examples. You can add as many zones(domains)
as you wish later such as Twitter, or Youtube.
Add a Zone
Click the plus button to start the add a zone wizard.
Domain Zone Configuration
Zone name – This is the domain you wish to block. So we enter facebook.com.
Description – This is not parsed so we can type anything here. we enter “blocking
Zone type – Master (as we want to be the authority for this zone)
View – Here we select which view to use, we are going to use the “everyone view” we
Reverse zone – Leave unchecked as this won’t deal with IP to domain DNS
No custom options are needed.
You can see a screenshot of our configuration on the next page.
This is skipped along with Slave Zone (as this is a master). Forward Zone config is also
skipped as it’s not a forward zone. This is not the same as Forwarding DNS Servers. We
configured those back in on the first Settings Tab.
Master Zone Config –
TTL – we set to 128 (should be plenty for internal DNS).
Nameserver – this the name of your PFsense box as a FQDN. I’ll set mine to
Base Domain IP – 127.0.0.1
Mail Admin Zone – hostmaster.example.com
Serial – any 32bit number, but typicall the format is YYYYMMDDXY (XY can be
anything, but we will use 01). This number doesn’t have to be accurate for this
configuration. but we will set it to 2013111201 for now (11/12/2013 date: 01 is my XY)
Refresh – 1d
Expire – 4w
Minimum – 1h
Allow-Update – UNMARKED we don’t want anyone but us updating this
Allow-Query – ANY we want everyone to be able to query this zone
Allow-Transfer – Unmarked – we don’t want this to propigate to anyone.
Zone Domain Records
Record = *
Type = A
Priority = Blank
Alias or IP = 127.0.0.1
We will add another for www just for good measure. Same settings, but the record will
be www. Now it should look like this:
Hit save and all should be well.
Step 4 Verify your settings
Hit the edit button next to our new zone and scroll to the bottom. We want to verify the settings
by comparing you’re resulting zone config file with our example:
You should see a screen like the screenshot on the next page:
Step 5. Add other zones you wish to block.
To add another zone to block we do the same steps outlined in Step 6. Just changing the
zone name to whatever domain you want. Twitter.com or Youtube.com are the most common