This set of scripts is intended to build a RPZ zone for bind server. It adds DNS filtering based on categorized blacklists.
This is a great alternative over squiguard, as it blocks also SSL sites without client config. It works with transparent squid proxy.
It also adds safesearch capabilities for most popluar search engines. (Unless yahoo)
Bind from ISC is the server I prefer. it consumes much less CPU than dnsmasq. for adult (porn) filter (the biggest category), your server need at least 2Gb of RAM.
-
verify settings variables suit your distro. pfsense needs bind9 package. For Debian :
apt-get install bind9 -
launch setup.sh It needs an IP to redirect bad content to. It could be the pfsense's LAN IP, but need to disable auto redirect web config and change port. for pfsense : It launches an instance of nginx with same certificates which listen on port 80 and 443. (quick and dirty script in /usr/local/etc/rc.d)
-
launch
bind-update.shin INSTALLDIR check categories and search engines you want to filter -
launch
bind-build.shin INSTALLDIR -
modify your named config :
add this code in general custom option pfsense's bind package ui. For Debian modify file /etc/bind9/named.conf.options
check-names response ignore;
response-policy { zone "easyfilter.local"; };
pfsense : Decalre this zone in your view's custom settings.
Debian : add this in /etc/bind/named.conf.local
zone "easyfilter.local" {
type master;
file "easyfilter.db";
allow-query { none; };
};
- restart your named server and check for errors in syslog.