Blocking Domains with PFSense using Bind~!

###################################################
This document is not written by me. I only want to note it and
share it with those who want to learn. (ejnetwork)
The author is denoted below!
##################################################
Blocking Domains with PFSense using Bind
Last Updated: 11/13/2013
By: Phillip Tarrant

Purpose:
The purpose of this paper is to show how to use Bind and PFSense to create a DNS blackhole: a
zone for which your own resolver is authoritative and answers every name with a dead address.
This allows the administrator to block any domain from users. It is very useful if one wishes
to block both HTTP and HTTPS traffic to a domain. Squidguard is great for blocking HTTP;
however, since HTTPS traffic is encrypted, Squid cannot see the URL and so cannot block or
filter it. A DNS blackhole is one of the most widely used ways to block a domain for any kind
of traffic (this includes ALL ports), because every connection that starts with a name lookup
receives the dead address instead of the real one.

Requirements: You will need the following
PFSense box running PFSense 2.0+
Know how to install packages on PFSense and have access to do so.
Some general Internet/DNS knowledge (not required, but helpful).
Active Directory Note:
If you need to use another DNS server (such as a Windows Server running Active Directory),
simply have the Windows server use PFSense as the only forwarder in its DNS configuration.
The Windows clients in the domain will still be able to see domain resources and the
AD controller, but will still be filtered. Bind in this configuration will still recursively resolve
any internet domains not expressly configured in its zone settings. DNS lookups are cached on
Bind and resolve faster for you. It's a win/win.
Note: No firewall rules are needed for this configuration to work, but a blackhole only filters
clients that actually use it: a client with another resolver (say 8.8.8.8) hard-coded in its
network settings bypasses it completely, so if you want to enforce the block add a LAN rule that
only allows DNS (TCP/UDP port 53) to the PFSense address. The clients need to use the PFSense
internal IP (LAN, OPT1 etc.) as their DNS server, preferably the only DNS server in their config.
After changing your clients' config, you may need to flush any DNS cache on the client.
Rebooting is the easiest way to do this.

Procedures:
Step 1. Install the Bind package
● Log into PFSense and go to the SYSTEM tab. Under that tab you will select Packages.
● Click on the Available Packages Tab.
● You are looking for the bind package.
● Below is a screenshot of how it should look.
Step 2. Access Bind Config
● After install you can configure bind by going to Services → Bind Server
Step 3. Settings for Bind
Bind is a very powerful DNS server and capable of many things. As such, it has a great many
configuration options that can be confusing. We will take things one tab at a time and I will
explain each relevant section and outline the settings needed and why they are needed.

3.1 Settings Tab
Daemon Settings –
Enable Bind – Check "enable bind" to enable the service.
Listen-on – The interfaces you want Bind to listen on. Control+Click any interfaces
you want Bind to listen on. I do NOT recommend WAN!
Enable Notify – Unchecked; we don't have any slave servers to worry about.
Hide Version – Checked; this stops Bind answering version.bind queries with its version
string, just an extra bit of security.
Limit Memory Use – The default of 256 MB is fine.
Logging –
Leave logging disabled for now. If you have issues I recommend setting
Logging Severity to "Error" and Logging Options to "Default".
Response Rate Limit
Leave rate limiting disabled for now (if you serve a lot of clients or want to keep your
server from being used in DNS amplification/DDoS attacks you can enable it).
Forwarder Config
Check forwarder to enable it, then list your ISP DNS or Google (8.8.8.8) with a semicolon ( ; )
after each one. EVEN IF YOU ONLY HAVE ONE SERVER LISTED YOU MUST END IN
A SEMICOLON ( ; ). Failure to do so will cause the service not to start, as the resulting
named.conf is not valid!
Here is a screenshot showing the config; note the trailing semicolon ( ; ).

3.2 ACL Tab
Leave everything at the defaults. If you wish, you can set up other lists to allow only certain
IPs, depending on your network config. If you don't have a domain or Active Directory set up,
you most likely want the default ACL, as all the clients on your network will use PFSense as
their primary DNS server.
However, if you have Active Directory or another internal DNS server set up, you may want
to limit DNS to serve only your servers behind PFSense.
Again, there is nothing wrong with leaving the default options set for now.

3.3 Views Tab
Views –
We are just going to set up one view. You could set up several kinds, but one will do for
us. We will call it "Everyones View" and set it to do recursion, to match any clients (this
is the ACL we set up earlier) and to allow recursion from any.
In general you are always going to use "Everyones View" for your setup: since only the
LAN side of PFSense is really going to use the DNS server, every client needs
the same settings.

3.4 Zones
Ahh zones, now we get to the complicated / fun blocking part. Since everything else is
configured we get to add zones our DNS server will control. These are the zones we want to
block. We will be using facebook.com for our examples. You can add as many zones(domains)
as you wish later such as Twitter, or Youtube.

Add a Zone
Click the plus button to start the add a zone wizard.
Domain Zone Configuration
Zone name – This is the domain you wish to block. So we enter facebook.com.
Description – This is not parsed so we can type anything here. we enter “blocking
facebook”
Zone type – Master (as we want to be the authority for this zone)
View – Here we select which view to use, we are going to use the “everyone view” we
setup earlier.
Reverse zone – Leave unchecked as this won’t deal with IP to domain DNS
No custom options are needed.

You can see a screenshot of our configuration on the next page.
DNSSEC
This is skipped along with Slave Zone (as this is a master). Forward Zone config is also
skipped as it’s not a forward zone. This is not the same as Forwarding DNS Servers. We
configured those back in on the first Settings Tab.

Master Zone Config –

TTL – We set it to 128 (seconds; plenty for internal DNS, and short enough that undoing a
block takes effect quickly).
Nameserver – The name of your PFSense box as a FQDN. I'll set mine to
pfsense.example
Base Domain IP – 127.0.0.1 (the address answered for the bare zone name, facebook.com itself)
Mail Admin Zone – hostmaster.example.com
Serial – Any 32-bit number, but typically the format is YYYYMMDDXY (XY can be
anything, but we will use 01). This number doesn't have to be accurate for this
configuration, but we will set it to 2013111201 for now (11/12/2013 date; 01 is my XY).
Refresh – 1d
Expire – 4w
Minimum – 1h
Allow-Update – Unmarked; we don't want anyone but us updating this.
Allow-Query – Any; we want everyone to be able to query this zone.
Allow-Transfer – Unmarked; we don't want this zone to propagate to anyone.

Zone Domain Records

Record = *
Type = A
Priority = Blank
Alias or IP = 127.0.0.1
The * wildcard answers for every name under the zone (m.facebook.com, cdn.facebook.com and
so on); the bare facebook.com is covered by the Base Domain IP above, since a wildcard never
matches the zone apex itself. We will add another record for www just for good measure, with
the same settings but the record set to www. Now it should look like this:
Hit save and all should be well.

Step 4 Verify your settings

Hit the edit button next to our new zone and scroll to the bottom. We want to verify the settings
by comparing your resulting zone config file with our example:
You should see a screen like the screenshot on the next page.
Step 5. Add other zones you wish to block.
To add another zone to block, repeat the steps outlined in Step 3.4, just changing the
zone name to whatever domain you want. Twitter.com and Youtube.com are the most common
requests.
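The verification in Step 4 and the repetitive zone-adding in Step 5 can both be scripted. What follows is an added example, not part of Phillip Tarrant's guide or of the pfSense bind package: a POSIX shell script that writes the same kind of master zone the GUI generates for a blocked domain, emits one named.conf zone stanza per domain that all reuse that single file, and checks the result with named-checkzone and dig when those tools are installed. The nameserver name, the hostmaster address, the serial, the SOA retry value and the zone file path are assumptions taken from or added to the guide's example values; nothing here is a pfSense default.

```shell
#!/bin/sh
# Added example (not from the original guide): build and verify a BIND
# blackhole zone for one or more domains.

NS_HOST="pfsense.example."            # assumed nameserver FQDN (trailing dot)
HOSTMASTER="hostmaster.example.com."  # assumed SOA RNAME
SINK_IP="127.0.0.1"                   # dead address, as in the guide
SERIAL="2013111201"                   # YYYYMMDDXY, as in the guide
ZONE_FILE="/etc/namedb/master/blackhole.zone"   # assumed path

# Emit a master zone that answers every name in the zone with SINK_IP.
# Records sit at column 0 on purpose: in a zone file a leading blank
# means "same owner as the previous record". The explicit "@" record is
# what the GUI's Base Domain IP produces; a "*" wildcard alone would
# leave the bare domain resolving to its real address.
blackhole_zone() {
    domain=$1
    cat <<EOF
\$TTL 128
@   IN  SOA ${NS_HOST} ${HOSTMASTER} (
        ${SERIAL} ; serial
        1d        ; refresh
        1h        ; retry (assumed; the guide lists no retry value)
        4w        ; expire
        1h )      ; minimum / negative-cache TTL
    IN  NS  ${NS_HOST}
@   IN  A   ${SINK_IP}
*   IN  A   ${SINK_IP}
www IN  A   ${SINK_IP}
EOF
}

# One zone stanza per blocked domain. All of them point at the same file,
# which is safe because the file contains no absolute names, so adding a
# domain is one stanza rather than a whole new zone file.
named_conf_stanzas() {
    for d in "$@"; do
        printf 'zone "%s" { type master; file "%s"; allow-update { none; }; allow-transfer { none; }; };\n' \
            "$d" "$ZONE_FILE"
    done
}

# Syntax-check the generated zone, and if a resolver address is given,
# confirm that the apex, www and an arbitrary subdomain all sink.
# Returns 0 when everything checks out, 1 on the first failure.
verify_blackhole() {
    domain=$1; resolver=$2
    tmp=$(mktemp) || return 1
    blackhole_zone "$domain" > "$tmp"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$domain" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    rm -f "$tmp"
    if [ -n "$resolver" ] && command -v dig >/dev/null 2>&1; then
        for name in "$domain" "www.$domain" "cdn.$domain"; do
            got=$(dig +short @"$resolver" "$name" A | head -n1)
            if [ "$got" != "$SINK_IP" ]; then
                echo "NOT sunk: $name -> ${got:-no answer}" >&2
                return 1
            fi
        done
    fi
    return 0
}
```

From any LAN host with dig installed, `verify_blackhole facebook.com 192.168.1.1` (the resolver address is an assumption) must report nothing and return 0; a client that gets the real address instead is not using PFSense as its resolver. `named_conf_stanzas twitter.com youtube.com` prints the stanzas that, on a plain BIND host, go into named.conf; in pfSense the GUI writes the equivalent per zone.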


Make Microsoft Security Essentials Update Distribution Server~!

Among antivirus solutions there are plenty of good programs. But for home users and small businesses,
a yearly license is not practical for us in Myanmar. So we end up using Microsoft Security Essentials,
which Microsoft gives away free. The one catch is that MSE is only made for small and home use; it is not
even licensed for 10 or more machines. For example, if you have 10 machines you have to go to each one
and update it individually. There is no update distribution server type feature either. So I went
Googling. There is an owner of an original project who did this; you can study it at this link:
http://rafaelwolf.com/?p=725
I tried following it. I found that some of the DOS commands were wrong, and the actual UNC path update
did not work. Trying to get it going by turning on the Windows Update service and running Windows Update
did not work out either. So I thought of doing it the Myanmar way: just copy the files. That worked.
Every time MSE does an online update it changes its path and file names, and the Definitions folder where
it keeps them differs slightly between XP and Windows 7. I have not tested Windows 8 yet.

Step 1 – On the machine that will act as the update distribution server, create a folder and share it. Give Everyone permission on both the share and the security tab. (Read access is all the clients need; if the share is writable by Everyone, anyone on the LAN can drop their own files into it and every client will copy them into its antimalware definition folder at the next boot.)

Step 2 – From a machine with internet access, download the MSE update EXE file, mpam-fe. Then extract it with WinRAR or a similar tool.

Step 3 – From the extracted folder, leave out the single EXE file and copy everything else into the shared folder. That is all there is to do on the server side.

Step 4 – On the clients, put a pre-configured batch file in Windows Startup. It can also be used as a logon script; I just put it in Startup. Then every time the machine boots, it updates the files from the server.

Important notes: As I said at the beginning, the destination folder name is different on every machine. So each time you add the startup entry on a client, just change that client's destination folder name in the Client Destination line of the batch script. OK.

Copy the following and edit it as needed.

@echo off
echo:
echo ----------------------------------------------------------------------
echo "Batch Scripting By"
echo - Hla Tun ( ---------- Co., Ltd )
echo ----------------------------------------------------------------------
echo:
:: Client Destination: the MSE definition folder. The GUID at the end
:: differs on every machine, so edit it on each client before use.
:: (XP path shown; on Windows 7 the folder lives under %ProgramData%.)
set "usoe=%homedrive%\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A48B189B-6869-484E-809A-F2EEB88A08C0}"
:: Server Source: the share holding the extracted mpam-fe files.
set "ukh=\\1.1.1.1\avupdate\mpam-fe"
echo:
:: Check for the update files BEFORE stopping the service, so a missing
:: share or a wrong GUID never leaves the client unprotected.
if not exist "%ukh%\mpavdlta.vdm" (
    echo Update Files Not Exist~~
    goto exit
)
if not exist "%usoe%\" (
    echo Client definition folder not found, check the GUID in this script
    goto exit
)
echo Shutting Down Microsoft Malware Protection Center ~~!!
echo:
net stop msmpsvc
echo:
echo Malware Protection Data Uploading ...
echo:
:: /R overwrite read-only files, /Y no overwrite prompts, /Z restartable copy over the network
xcopy "%ukh%" "%usoe%" /R /Y /Z
echo:
echo Starting Up Microsoft Security Client ~~!!
echo:
net start msmpsvc
echo:
echo ------------------------------------------------------------------------
echo Data Updating is Completed ! Finished !
echo ------------------------------------------------------------------------
echo Bye Bye ~!
echo ------------------------------------------------------------------------
echo:
:exit
pause

How to install WindowsNT Service (Batch Program) ~!

# This is the form for installing a program as an NT service. If you search Google you only get things that use Visual Studio and set variables, or things that use the .NET Framework.

# The thing is, I once ran a World of Warcraft server, so I had seen Apache and MySQL being run through batch programs. So instead of searching any further I turned to the XAMPP installed on my machine, went into its directory and borrowed a little from it as a sample. What I installed is a different service, but I am noting the form here as an example so I can look back at it later.

# Install Service

@echo off
echo:
echo Batch Scripting By Hla Tun ( _________________ Co., Ltd ) ~~~!
echo:
if "%OS%" == "Windows_NT" goto WinNT
echo This script needs Windows NT or later.
goto exit

:WinNT
echo:
echo Installing Service On Baby Computer!
echo:
:: Replace "path" with the full path of the service executable, servicename
:: with the name to register and "config_path" with its config file. The
:: flags are the form borrowed from the XAMPP service scripts; check the
:: program's own documentation, since each one spells them differently.
"path" --install servicename -c "config_path"
echo:
echo Finished!
echo:
:exit
pause

# Uninstall Service

@echo off
echo:
echo Batch Scripting By Hla Tun ( _______________ Co., Ltd ) ~~~!
echo:

if "%OS%" == "Windows_NT" goto WinNT
echo This script needs Windows NT or later.
goto exit

:WinNT
echo:
echo Time To Say Goodbye Service ....
echo:
:: Same placeholders as the install script: executable, service name, config file.
"path" --uninstall servicename -c "config_path"
echo:
echo Successfully Removed ~!
echo:
:exit
pause

How to install ownCloud~!

ownCloud additional information:
######################
Windows (XAMPP)
######################

Nothing needs changing. Create a database and follow the instructions that appear.

######################
Linux (Ubuntu)
######################

On Linux there are problems: some permissions have to be set, otherwise one error after
another appears and the setup never completes. Run:

> cd /var/www/cloud
> chown -R www-data:www-data /var/www/cloud/*
> chown www-data:www-data apps
> chmod 750 apps config
> chmod -R 770 data
> chown -R www-data:www-data data

These give the web server user ownership of the whole tree, keep apps and config unreadable
by other local users, and keep the data directory (where users' files live) private to the
web server user and group.
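The ownership and mode rules above are easy to get half right and never check again. The following is an added example, not part of the original post or of ownCloud: a POSIX shell script that applies those rules to an ownCloud tree and then audits it, reporting any user file under data that other local accounts can read or write, and any apps or config directory that group or others can write to (a writable apps directory means arbitrary PHP running as the web user). The install directory, owner and group are parameters; /var/www/cloud and www-data are the post's values, the rest is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit ownCloud
# filesystem permissions. Usage: apply_owncloud_perms /var/www/cloud
#                                audit_owncloud_perms /var/www/cloud

# Apply the post's rules. Owner and group default to www-data (the post's
# value); pass others when the web server runs as a different account.
apply_owncloud_perms() {
    root=$1; owner=${2:-www-data}; group=${3:-www-data}
    [ -d "$root/data" ] || { echo "not an ownCloud tree: $root" >&2; return 1; }
    chown -R "$owner:$group" "$root" &&
    chmod 750 "$root/apps" "$root/config" &&   # web user rwx, group r-x, others nothing
    chmod -R 770 "$root/data"                  # user files: owner and group only
}

# Audit: nothing under data may be readable (004) or writable (002) by
# others, and apps/config themselves must not be writable by group (020)
# or others (002). Prints each offending path to stderr; returns 1 if
# any were found, 0 when the tree is clean.
audit_owncloud_perms() {
    root=$1
    bad=$(find "$root/data" \( -perm -004 -o -perm -002 \) 2>/dev/null
          find "$root/apps" "$root/config" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

Run the audit as a cron job or after every upgrade; an ownCloud upgrade that unpacks a new apps tree, or a file restored from backup with its old mode, is exactly what reintroduces a world-readable data directory.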

>>>>>>> MDB2 error connect (BLAH BLAH BLAH) <<<<<<<

If that comes up, edit this in /etc/www/owncloud/lib/setup.php. Where it says

# $dbtableprefix = isset($options['dbtableprefix']) ? $options['db'] : 'oc_';

change it to

# $dbtableprefix = $options['dbtableprefix'];

That line depends on which database you use, so adjust it accordingly.

How to Fix *No More Connection error* on XP SP2~!

# Those of us who use Windows XP for network sharing will have run into this kind of error.

# Take an internet cafe as an example. Say there are 15 clients. One of them runs the cafe management server and also shares MTV, small games, MP3s and so on to keep the customers entertained.

# On the other 14 it is usually mapped as a network drive and put on the desktop.

# Now the customers arrive; say it is Valentine's Day and every machine is taken. Everyone is browsing while listening to music, playing Zuma, watching MTV and whatnot, all pulling resources from the server.

# The machine you are sitting at as the server is not a network operating system. If it is plain XP, the moment the error above appears your troubles begin in earnest.

# From the time XP, with its DOS heritage, was first written, the maximum concurrent connections were set to 10. That is why in A+ and networking courses we were taught that a workgroup can hold 10 machines or fewer.

# That error can be fixed with this little patcher. The file it patches is TCPIP.SYS.

Credit to: http://www.lvllord.de/

Download here: http://www.lvllord.de/download.php?url=en/EvID4226Patch223d-en.zip

# You can change the Maximum Concurrent Connection limit from 10 up to 16,777,214.
(A caveat before patching a system file: what this patcher raises is the SP2 limit on outbound half-open TCP connections, the one that logs Event ID 4226. The 10-client limit on inbound file-sharing sessions to a non-server edition of XP is a separate licensing limit enforced by the Server service, so check which error you are actually seeing before replacing a kernel driver.)

# Whatever else one says, we really do owe the hackers and crackers a thank-you :)

How to install Zawgyi Keyboard Layout on Ubuntu 12.10~!

How to install zawgyi~@

# The installation steps for Ubuntu are already posted on the project's official site (for version 9, I think). The link is here:

http://code.google.com/p/zawgyi-keyboard/

*Credit to the developer*

# At the moment only zawgyi_keyboard_0.3.3.tar.gz is available, so let's download that.

# Once downloaded, go to the download location from a terminal.

> cd /home/ej/Downloads

# Then unpack the tarball with tar.

> tar zxf zawgyi_keyboard_0.3.3.tar.gz

# Then go into the extracted zawgyi directory and run the Python script, the file ending in *py*.

> python zawgyi_keyboard.py

# You will be shown the options. Since we are installing, type *i*. When the installation finishes it will tell you to restart for it to take effect. Reboot.

# When it comes back up, go to System Settings and open Keyboard Layout. Click the + sign in the bottom left corner.

# A "Choose a layout" box appears. Add "Burmese" there. Burmese then appears in the layout list on the left.

# To switch layouts, select Burmese in the layout list and open Options. Under "Key(s) to change layout" you can pick whichever key sequence suits you.

Visual bcdeditor~!

bcdedit

# On XP there is a boot.ini file; if the machine no longer boots you recreate it. If you cannot write one, don't worry: copy it from a working machine. If Windows is installed on the usual partition nothing needs changing; if it was installed on another partition, just change the partition number.

# On Vista, 7 and Server 2008 the boot manager editor no longer comes as an ini system information file but as an exe, and the configuration side is messier too.

# The problem I had: after installing Windows 7 I installed Server 2008 as a dual boot. Once Server 2008 was in, Windows 7 no longer appeared and only Server 2008 booted :D

# Googling turned up Visual BCD Editor. It is easy to use too. I just went with its Automatic Repair.

# When the machine comes back up, it boots with the OS choice menu. Done :)