Using pfSense with a L3 core switch


Why not use QUAD9 and let it do domain management? It should stay current on the bad domains out there.
QUAD9 works great for me.
I am going to give it a go. Quad9 is apparently Swiss, so how bad can it be? I just updated my DNS settings in pfSense using THIS guide on the Quad9 website. Not sure if I can really test if there is any difference though. Let's see how that goes.
 
I am going to give it a go. Quad9 is apparently Swiss, so how bad can it be? I just updated my DNS settings in pfSense using THIS guide on the Quad9 website. Not sure if I can really test if there is any difference though. Let's see how that goes.

I got rid of the Quad9 DNS in pfSense yesterday. I noticed it was blocking a couple of websites that I occasionally use, and I can't have that.
 
Yeah, blocking pornhub and xhamster can be a challenge, eh?

LOL

And apologies - you kind of set that one up...

Both of those sites have actually been aggressively hit due to legislative actions in many areas...
 
I got rid of the Quad9 DNS in pfSense yesterday. I noticed it was blocking a couple of websites that I occasionally use, and I can't have that.
You can set Domain Overrides on Unbound, so you will use other dns servers for these domains that get blocked.
I'm saying this because you may face blocks using other dns services too.
 
Yeah, blocking pornhub and xhamster can be a challenge, eh?

LOL

I would be lying if I said that I don't know pornhub, but I have never ever heard of xhamster. In any case, it wasn't any of those but rather some subtitle websites that I use to add srt's to my media content.
 
You can set Domain Overrides on Unbound, so you will use other dns servers for these domains that get blocked.
I'm saying this because you may face blocks using other dns services too.

I will look at that. I have had Cloudflare configured for quite some time as my DNS and never experienced any blocks. After I made the switchover to Quad9, some subtitle sites weren't accessible anymore. Changing back to Cloudflare fixed it instantly.
 
I will look at that. I have had Cloudflare configured for quite some time as my DNS and never experienced any blocks. After I made the switchover to Quad9, some subtitle sites weren't accessible anymore. Changing back to Cloudflare fixed it instantly.

I've had good luck with Cloudflare DNS - I would trust them over the other public DNS services...
 
We are off topic, but since we are talking about DNS, I'll post my thoughts:

Cisco Umbrella/Opendns:
+Spend more money on DNS infrastructure than anyone else
+Don't add any experimental features
-Have no malware blocking on the free tier.

Google DNS:
+Many locations and good infrastructure
-Experimental features (have their own dns software)
-No protection (malware or else)

Cloudflare:
+Many locations and good infrastructure
+Malware and porn protection (Cloudflare family)
-Experimental features (have their own dns software)

Quad9:
+Have the best malware protection for a free service
+Don't add any experimental features
-A poorer company, without many resources for datacenters and engineers compared to the competition.

Adguard public dns:
+Best ad-blocking service and decent anti-malware protection
-Experimental features (have their own dns software)
-A poorer company, without many resources for datacenters and engineers compared to the competition.
 
Cisco Umbrella/Opendns:
+Spend more money on DNS infrastructure than anyone else
+Don't add any experimental features
-Have no malware blocking on the free tier.

They do it in a non-intrusive and non-disruptive way:

[screenshot]


Plus Web Content filtering with Custom Categories many others don't have:

[screenshot]


Limitation - IPv4 only, no Custom Categories with IPv6 (at least last time I checked).
 
Quad9:
+Have the best malware protection for a free service
+Don't add any experimental features
-A poorer company, without many resources for datacenters and engineers compared to the competition.

One of the best is CleanBrowsing. You may want to try it and see how it works for you.

Main site:

Free filters:
 
Google DNS:
+Many locations and good infrastructure
-Experimental features (have their own dns software)
-No protection (malware or else)

Cloudflare:
+Many locations and good infrastructure
+Malware and porn protection (Cloudflare family)
-Experimental features (have their own dns software)

Google's and Cloudflare's DNS offerings are based mostly on their CDN and cloud offerings - they needed to do it anyway, so why not make it publicly available.

Curious as to when Amazon AWS starts to offer up Public DNS, as the internal Route53 service is quite good...
 
If I did not use QUAD9, I would use Cisco's Umbrella/OpenDNS.

QUAD9 does support DNS over HTTPS (DoH), which some folks might like.


OpenDNS also supports DoH - info below

 
Since we've been talking about changing DNS server, one thing to consider is clearing out the DNS caches on the client devices...

Mac

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

iOS - both iPad and iPhone

Airplane mode for 30 seconds - or just power cycle it

Win 10/11 - cmd as admin

ipconfig /flushdns

Android
  • Using Chrome:
    1. Open Chrome
    2. Type chrome://net-internals/#dns in the URL bar
    3. Select DNS from the left pane
    4. Click Clear host cache in the right pane
 
Since we've been talking about changing DNS server, one thing to consider is clearing out the DNS caches on the client devices...

Mac

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

iOS - both iPad and iPhone

Airplane mode for 30 seconds - or just power cycle it

Win 10/11 - cmd as admin

ipconfig /flushdns

Android
  • Using Chrome:
    1. Open Chrome
    2. Type chrome://net-internals/#dns in the URL bar
    3. Select DNS from the left pane
    4. Click Clear host cache in the right pane
And what does that do?
 
And what does that do?

Clears out the DNS caches of the client devices - remember most, if not all, are cloud based, and with many services now using Content and/or Application Distribution Networks (e.g. CDNs), it's best to clear the caches, as some domains have very long TTLs for their lookups.

On pfSense - you can clear the caches on the router by restarting either dnsmasq or unbound, one doesn't have to restart the router, just restart the tasks - this applies to the resolver, and even if running as a forwarder, it doesn't hurt...
 
a4p.adpartner.pro
This is a malware domain, blocked by Mastercard.
Use the dig command to see which DNS providers actually block this malicious domain. (The OpenDNS free plan does not block it, while the Cisco Umbrella paid tier blocks it as malware.)

For example
Code:
dig a4p.adpartner.pro @9.9.9.9
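As an added example (not from the thread or any of its posters), a small POSIX shell script that wraps the dig check above and classifies each resolver's answer as blocked or resolved. The sample dig outputs in the comments are constructed, the resolver IPs in the usage line are assumptions, and the classification rule (NXDOMAIN or a 0.0.0.0/:: answer means "blocked") is an assumption that fits Quad9 and Cloudflare's filtering resolvers but not every provider.

```shell
#!/bin/sh
# Added example: classify a dig answer as blocked or resolved.
# Assumption: a filtering resolver signals a block either with status NXDOMAIN
# (Quad9 style) or by answering 0.0.0.0 / :: (Cloudflare 1.1.1.2 style).
# Providers that answer with a block-page IP will show up as "resolved".

# classify_dig_output reads dig output on stdin and prints one of:
#   blocked-nxdomain, blocked-sinkhole, resolved, resolved-empty, error
classify_dig_output() {
    out=$(cat)
    # Header line looks like: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN) echo blocked-nxdomain; return 0 ;;
        NOERROR)  ;;
        "")       echo error; return 1 ;;          # no header: timeout or no dig
        *)        echo "error-$status"; return 1 ;; # SERVFAIL, REFUSED, ...
    esac
    # Answer lines look like: name. TTL IN A 203.0.113.10 (constructed sample)
    answers=$(printf '%s\n' "$out" | awk '$3=="IN" && ($4=="A" || $4=="AAAA") {print $5}')
    if [ -z "$answers" ]; then
        echo resolved-empty; return 0
    fi
    for ip in $answers; do
        case "$ip" in
            0.0.0.0|::) echo blocked-sinkhole; return 0 ;;
        esac
    done
    echo resolved
}

# check_resolvers queries one domain against each resolver given (needs network and dig).
check_resolvers() {
    domain=$1; shift
    for r in "$@"; do
        printf '%-16s %s\n' "$r" "$(dig "$domain" @"$r" +time=3 +tries=1 | classify_dig_output)"
    done
}

# Usage (resolver IPs are assumptions): check_resolvers a4p.adpartner.pro 9.9.9.9 1.1.1.2 208.67.222.222 8.8.8.8
```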
 
