Block Local DNS Traffic from passing over proxy server

Filter DNS traffic after blocking websites with Squid
Let's assume that you have installed and configured Squid Proxy to block several categories of websites that you don't want your users or clients to visit.
In some environments you cannot lock down the client machines, and enforcing proxy settings through an AD group policy is not an option, so users may still have a way around the proxy rules.
I ran into exactly that concern after configuring Squid to block certain categories (porn, chat, social networks, etc.) and handing the proxy out with WPAD auto-discovery:
if a user simply changes the DNS server on their machine, the WPAD lookup that depends on my internal DNS no longer works, the browser bypasses the proxy, and the user can reach the blocked websites.
So the question became: what if I block all external DNS queries at the firewall and force every DNS query to go through pfSense or my internal DNS server?
To do so, I first pointed the DNS servers that pfSense itself uses on the WAN side to Google (System > General Setup):
clip_image001

Then I added my local DNS server to the DNS Resolver (pfSense version 2.2):
clip_image002
Next I go to Firewall > Rules, select my LAN interface (DMZ in my case) and create three rules in total, as follows:
The first rule in the figure below allows DNS requests from any source only to the LAN address of pfSense itself (where the DNS Resolver listens).
The second rule allows DNS requests from the local DNS server to any DNS server on the internet.
The third rule blocks DNS requests from anywhere else to any destination.
pfSense evaluates the rules on an interface from top to bottom and stops at the first match, so the order matters: the block rule must sit below the two allow rules. Also make sure each rule matches both UDP and TCP on port 53, since DNS uses both.
clip_image003
As a result, all clients are forced to use the local DNS to resolve names. Even if a user changes the DNS server in their LAN/Wi-Fi settings to Google,
they can still reach the websites that Squid allows, because the browser hands the full URL to the proxy and Squid resolves the name itself;
but the client can no longer resolve FQDNs on its own, for example with the nslookup command.
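To make the first-match behaviour of those three rules concrete, here is a small Python model of them. This is an added example, not configuration taken from the author's pfSense. The addresses are assumptions for the example (192.168.1.1 as the pfSense LAN address, 192.168.1.10 as the internal DNS server, 3128 as the Squid port), and the fourth entry stands in for the stock "Default allow LAN to any" rule that sits below the three added ones.

```python
"""First-match model of the three LAN DNS rules from the post.

Added illustration, not an export from the author's pfSense.
Assumed addresses: 192.168.1.1 = pfSense LAN address,
192.168.1.10 = internal DNS server, 192.168.1.0/24 = LAN.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

PFSENSE_LAN = ip_network("192.168.1.1/32")   # "LAN address" in the GUI (assumed)
LOCAL_DNS = ip_network("192.168.1.10/32")    # internal DNS server (assumed)
ANY = ip_network("0.0.0.0/0")
BOTH = frozenset({"tcp", "udp"})             # DNS uses UDP and TCP on port 53


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    protos: FrozenSet[str]       # protocols the rule matches
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]         # None means any destination port
    label: str


# Order matters: pfSense evaluates per-interface rules top to bottom and the
# first match wins. The last entry models the stock "Default allow LAN to any".
RULES: List[Rule] = [
    Rule("pass", BOTH, ANY, PFSENSE_LAN, 53, "DNS to pfSense itself"),
    Rule("pass", BOTH, LOCAL_DNS, ANY, 53, "internal DNS may recurse out"),
    Rule("block", BOTH, ANY, ANY, 53, "all other DNS"),
    Rule("pass", BOTH, ANY, ANY, None, "default allow LAN to any"),
]


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if a flow (protocol, source IP, destination IP, dest port) hits the rule."""
    return (
        proto in rule.protos
        and ip_address(src) in rule.src
        and ip_address(dst) in rule.dst
        and (rule.dport is None or rule.dport == dport)
    )


def evaluate(proto: str, src: str, dst: str, dport: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule; pf denies by default."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.label
    return "block", "implicit deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Labels of rules that can never match because an earlier rule fully covers them."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.protos <= earlier.protos
                    and earlier.src.supernet_of(later.src)
                    and earlier.dst.supernet_of(later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(later.label)
                break
    return out


if __name__ == "__main__":
    # Constructed sample flows for the demo, not captured traffic.
    samples = [
        ("udp", "192.168.1.50", "192.168.1.1", 53),    # client -> pfSense resolver
        ("udp", "192.168.1.50", "8.8.8.8", 53),        # client changed DNS to Google
        ("tcp", "192.168.1.10", "8.8.8.8", 53),        # internal DNS forwarding out
        ("tcp", "192.168.1.50", "192.168.1.1", 3128),  # client -> Squid (assumed port)
        ("tcp", "192.168.1.50", "8.8.8.8", 853),       # DNS over TLS: not covered
    ]
    for flow in samples:
        print(flow, "->", evaluate(*flow))
    # Placing the block rule first would shadow both allow rules:
    print("shadowed:", shadowed_rules([RULES[2], RULES[0], RULES[1]]))
```

Running it shows the client's lookup to 8.8.8.8 hitting the block rule while the browser's connection to Squid falls through to the default allow, which is the "nslookup fails but browsing works" behaviour in the screenshots below. The model also makes two things visible: putting the block rule above the allow rules would shadow both of them (`shadowed_rules` reports this), and the rules only cover port 53, so a client speaking DNS over TLS on port 853 still falls through to the default allow and needs its own block rule.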
I'm attaching screenshots to demonstrate that this works as intended.
As you can see below, with the client still set to 8.8.8.8 I opened Google, Flickr, Facebook and Gmail and searched for the local time, and everything behaved according to the Squid rules.
clip_image004
Now I change the DNS back to the local DNS IP to check that I can still resolve internet addresses and connect without any issue, which worked fine too.
clip_image005
This is a simple article, but I'm sure it can be very useful for companies that want to block a wide range of categories
and enforce that on their employees, or for families who want to keep their kids away from inappropriate or violent websites.
From <http://www.moh10ly.com/blog/pfsense/filter-dns-traffic-after-blocking-websites-with-squid>

