DNS filtering for childs...

lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

DNS filtering for childs...

Post by lost »

Not really related to Domoticz... But a machine running 24/7 can be used for side-jobs!

My children now have their own computer and I didn't want them to be able to get their sexual education on the net or to be able to visit (intentionally or not, redirections can sometimes be surprising) violent sites...

As they are young enough to be unable to bypass DNS filtering, I built a DNS filtering relay on the PI hosting Domoticz. After this, filtering the domains they can visit is just a DNS setup on the PI IP address. I sent the stuff on the French forum:

https://easydomoticz.com/forum/viewtopi ... =10&t=5735

If google-translate's job is not good & some people here find it useful, I can translate explanations...
jake
Posts: 744
Joined: Saturday 30 May 2015 22:40
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Contact:

Re: DNS filtering for childs...

Post by jake »

I am running pi hole on the same rpi as domoticz.
Egregius
Posts: 2592
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE
Contact:

Re: DNS filtering for childs...

Post by Egregius »

Pihole mainly targets on blocking ads.
I run pfsense with pfblocker and you can block all kinds of categories like adult, gambling,...
Siewert308SW
Posts: 290
Joined: Monday 29 December 2014 15:47
Target OS: Raspberry Pi / ODroid
Domoticz version: Stable
Location: The Netherlands
Contact:

Re: DNS filtering for childs...

Post by Siewert308SW »

Nice...
I'm not going to crack anything because every solution is a good one.
I do PiHole as well on a separate RPi3 which also contains a Domo copy for logging gas/electric and automatic weather tweeting.
But PiHole has block lists which you can add manually via webgui.
Click/add and done, have several lists imported also for adult stuff, saves my little princess seeing my hobbies :lol:
Setup:
- RPi4 - Domo Stable / Aeotec Z-stick7 / PiHole Unbound Gemini
- RPi4 - PiHole / PiVPN Unbound Gemini
- Synology DS923+ / DS218j
- P1 Gas/Power, SmartGateway watermeter
- Fibaro switches, contacts, plugs, smoke/Co2 etc.
- rootfs @ USB HDD
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: DNS filtering for childs...

Post by lost »

Egregius wrote: Monday 22 January 2018 18:58
Pihole mainly targets on blocking ads.
I run pfsense with pfblocker and you can block all kinds of categories like adult, gambling,...

For blocking ads, I have used the hosts file provided here for more than 10 years:
http://winhelp2002.mvps.org/hosts.htm

Instructions for Windows are provided. For Linux, the hosts file (the "DNS in a file" remnant that was used when there were only several hundred/thousand machines connected to the ARPANET!) is at /etc/hosts.

Just take care to comment out the first lines of the MVPS hosts file for localhost:
#127.0.0.1 localhost
#::1 localhost #[IPv6]

And keep the ones from your original Linux hosts file before appending the MVPS file content: in fact, the localhost name from the hosts file is used by several Linux utilities... The problem is that sudo, used to get admin rights for sudoer users, is in the list!
=> Not keeping these definitions will make sudo unusable. This is quite a problem on some Linux distributions like Ubuntu that do not activate the root account by default: the only possibility to admin the machine is sudo, so you'll have to boot a live CD/mount your HDD root file system to be able to edit the hosts file and restore the host name definition... Quite annoying!

But with this, all ads and other parasite domains are blocked system-wide (i.e. not only in the browser) and without having to install Firefox add-ons: you'll just get blank content where ads should be in web pages.
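
The merge described in the post above, as an added example that is not part of the original thread: a shell function that keeps every line of the original hosts file and appends only the blocking entries of a downloaded list, dropping its localhost lines. The function name `merge_hosts`, the file names in the usage comment and the rule of accepting only `0.0.0.0`/`127.0.0.1` entries are assumptions of this example.

```shell
#!/bin/sh
# merge_hosts ORIGINAL BLOCKLIST   (hypothetical helper, added example)
# Prints a merged hosts file on stdout: ORIGINAL is copied untouched, then only
# sinkhole entries from BLOCKLIST are appended. Blocklist lines that name
# localhost, or any name ORIGINAL already defines, are dropped, so the names
# that sudo and other local tools rely on are never overridden.
merge_hosts() {
    orig=$1
    block=$2
    cat "$orig"
    printf '\n# --- blocklist entries (appended) ---\n'
    awk '
        # First file: remember every hostname the original hosts file defines.
        FILENAME == ARGV[1] {
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) keep[tolower($i)] = 1
            next
        }
        # Second file: strip DOS line endings and comments, skip empty lines.
        {
            sub(/\r$/, ""); sub(/#.*/, "")
            if (NF < 2) next
            # Accept sinkhole addresses only: a downloaded list must not be
            # able to point a real name (a bank, say) at another server.
            if ($1 != "0.0.0.0" && $1 != "127.0.0.1") next
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || (h in keep) || (h in seen)) continue
                seen[h] = 1
                print $1, h
            }
        }
    ' "$orig" "$block"
}

# Usage (file names are placeholders): keep a pristine copy of the original,
# build the new file next to it, review it, then install it.
#   cp /etc/hosts /etc/hosts.orig
#   merge_hosts /etc/hosts.orig downloaded-hosts.txt > /tmp/hosts.new
#   sudo install -m 644 /tmp/hosts.new /etc/hosts
```

Building the file on the side and installing it in one step means `/etc/hosts` always contains the machine's own entries, which avoids the sudo lock-out described in the post.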
Hesmink
Posts: 168
Joined: Monday 22 June 2015 10:48
Target OS: Raspberry Pi / ODroid
Domoticz version:
Location: The Netherlands
Contact:

Re: DNS filtering for childs...

Post by Hesmink »

Alternatively you can use OpenDNS, and have it block certain categories, like adult sites.
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: DNS filtering for childs...

Post by lost »

Hesmink wrote: Wednesday 24 January 2018 12:30
Alternatively you can use OpenDNS, and have it block certain categories, like adult sites.

I tried it... but it was not blocking some site domains that look popular in college playgrounds, so I'm not confident at all in OpenDNS category blocking.
Anyway, if I do not use the DNS from my internet provider (even filtering some requests), there is a responsibility problem if my bank domain is redirected by a compromised DNS server. This was not a problem when setting OpenDNS only on the children's computer, indeed (it was just not doing the job!)... but on a shared family computer, take care.

So I decided to manage this myself...
Egregius
Posts: 2592
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE
Contact:

Re: DNS filtering for childs...

Post by Egregius »

With pfSense or Pihole you could combine this. Set your own set of filters and use OpenDNS as DNS server. Think it should be pretty safe then ;)
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: DNS filtering for childs...

Post by lost »

Egregius wrote: Thursday 25 January 2018 9:58
With pfSense or Pihole you could combine this. Set your own set of filters and use OpenDNS as DNS server. Think it should be pretty safe then ;)

pfSense is supposed to be a FW... So not domain filtering stuff. PiHole, I didn't know about it and discovered its existence with this thread... But even if I had known about it before, I usually prefer to stick to what is available in the Debian repos. Even if configuration is less user friendly, I agree!
Egregius
Posts: 2592
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE
Contact:

Re: DNS filtering for childs...

Post by Egregius »

pfSense is so much more than just a firewall.
It also provides DHCP, DNS, several VPN services.
For security I added the pfBlockerNG package, which allows grabbing blacklists for the DNS resolver and adds a GeoIP database to the firewall.
Thanks to that I don't have ads on any of my devices, without doing special settings or add-ons on each device. Because of the GeoIP database my web interface is only accessible from within Belgium and the surrounding countries.
In the 3 months that it's up and running now it already blocked 239565 connection attempts from other computers and protected my computers from 1017342 ad or malicious domains.
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: DNS filtering for childs...

Post by lost »

Egregius wrote: Sunday 28 January 2018 7:15
pfSense is so much more than just a firewall.
It also provides DHCP, DNS, several VPN services.
For security I added the pfBlockerNG package, which allows grabbing blacklists for the DNS resolver and adds a GeoIP database to the firewall.

That's the "problem" of solutions that integrate many features (or add them with time): you may not even consider that they may fit your needs when searching, because only the top one (by use or development life) is clearly advertised!

It could probably have replaced many setups in my system: ufw for general rules + dynamic temporary ones by fail2ban for login robots on https & ssh, the latter now being port-knocked to open because attackers now use lots of compromised machines when an IP is blocked; DNS filtering now.
Not sure I'll change a working system now, but I'll have a look at its full feature set to keep this possibility in mind for the future.

Thanks for the tip!
Egregius
Posts: 2592
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE
Contact:

Re: DNS filtering for childs...

Post by Egregius »

You don't change a working system, you install a new one. pfSense requires a dedicated device as it can only be installed from an image.
I run it on top of ProxMox on an Intel NUC. My domoticz runs in a separate VM.
lost
Posts: 660
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: DNS filtering for childs...

Post by lost »

Egregius wrote: Sunday 28 January 2018 8:12
You don't change a working system, you install a new one. pfSense requires a dedicated device as it can only be installed from an image.
I run it on top of ProxMox on an Intel NUC. My domoticz runs in a separate VM.

OK, so no regrets to have: for now, the only always-on machine I have is the PI hosting Domoticz! That's low power enough to be fed by the 5V USB from my modem, which has its 12V power backed up (so both benefit). If I have more features to add, I should also use some containerization stuff on a machine with more horsepower, to better separate features (+ ease the reinstall process!)... But for now, the PI does the job!