DNS filter#

DNS filtering integrates with third-party DNS-based content filtering software; the default supported content filter is the one provided by FlashStart.

It links two components: filter configuration and network configuration.

  1. Content filter configuration takes place entirely on the third-party platform. Typically it is possible to block individual websites as well as whole categories of sites (e.g. adult), manage exceptions, view reports and so on.

  2. Network configuration is completely automated and is done on NethSecurity, which takes care of:

  • connecting the firewall to the specific third-party instance

  • redirecting all DNS requests to the external service

  • automatically updating the IP addresses of all WAN connections (connectivities) registered with the service

Note

Before configuring NethSecurity you need to create an account on FlashStart and configure the service. FlashStart is a paid service that also offers trial licenses. Please refer to the supplier’s documentation.

Once the account has been created and the service configured, NethSecurity can be configured.

Configuration#

You can enable and disable the filter by changing the Status toggle.

Authentication#

Enter the same username and password as your FlashStart account (typically an email address), then click the Save button.

Zones to filter#

Choose the zones to filter; only the selected zones will be affected by the DNS filter.

Bypass source IPs or networks#

All IP addresses or networks listed here will not be affected by the DNS filter.

Note

To preserve the effectiveness of the content filter it is suggested to block alternative DNS protocols (DoT, DoH) via the Deep Packet Inspection (DPI) filter, otherwise clients could bypass the redirect of plain DNS on port 53.

Warning

Do not make changes to the DNS servers configured in your NethSecurity or in network clients. When content filtering is enabled, all DNS traffic from the clients is automatically redirected to the external content filtering service regardless of their configuration.

Block certain websites#

If you need to block specific domains and FQDNs you can do it directly from the FlashStart configuration page: go to the section “Protection” -> “Personal Blacklists” and add them there.

If you don’t have a subscription for the FlashStart DNS filter you can still do it directly on NethSecurity by enabling AdBlock and, optionally, activating the DNS query interception feature for LAN clients.

Note

Please use AdBlock to block browsing only if you are not already using the FlashStart service, because if used together they may conflict.

To enable AdBlock, execute:

# enable the adblock service
uci set adblock.global.adb_enabled='1'
# drop the default upstream block lists so only the local blocklist is used
uci del adblock.global.adb_sources
uci commit

Enable DNS interception for the LAN:

# force LAN clients' DNS queries on port 53 through the firewall's own resolver
uci set adblock.global.adb_forcedns='1'
uci add_list adblock.global.adb_zonelist='lan'
uci add_list adblock.global.adb_portlist='53'
uci commit

Add the domains that you want to block to the blocklist:

cat << EOF > /etc/adblock/adblock.blacklist
domain1.com
domain2.com
domain3.net
EOF

Start the service:

/etc/init.d/adblock start

Changes made to the blocklist require a reload of the service:

/etc/init.d/adblock reload

Warning

The DNS resolution for the names listed in the blocklist will also affect the firewall itself: the firewall's own processes will be unable to resolve those names.
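The steps above write the blocklist by hand, so a typo (an invalid name, a duplicate, a stray comment) silently ends up in the file that dnsmasq loads. The following script is an added example, not part of the NethSecurity or adblock documentation: it validates and normalises a list of domains, writes them to the blocklist path used above (`/etc/adblock/adblock.blacklist`, overridable through `BLOCKLIST`), refuses to write an empty list, and reloads adblock only when the init script is present. The function names and the sample input are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the NethSecurity or adblock documentation.
# Validates and normalises a list of domains before writing them to the
# AdBlock blocklist, then reloads adblock if it is installed. The blocklist
# path matches the steps above; function names and sample input are this
# example's own.

BLOCKLIST="${BLOCKLIST:-/etc/adblock/adblock.blacklist}"

# Return 0 if "$1" is a syntactically valid hostname (RFC 1123 labels:
# letters, digits and hyphens; no empty label, no label starting or ending
# with a hyphen; at most 63 chars per label and 253 overall), else 1.
is_valid_domain() {
    d=$1
    [ -n "$d" ] && [ ${#d} -le 253 ] || return 1
    case $d in
        *[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    for label in $d; do
        if [ ${#label} -gt 63 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Read raw entries on stdin (one per line; '#' comments and blank lines are
# allowed), lowercase them, drop invalid or duplicate names (invalid ones
# are reported on stderr) and print the cleaned list sorted, one per line.
filter_blocklist() {
    tr 'A-Z' 'a-z' | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_valid_domain "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done | sort -u
}

# Replace $BLOCKLIST with the cleaned list read from stdin and reload adblock
# when its init script exists. Returns 1 without touching the file if no
# valid domain was supplied, so an empty blocklist is never installed.
apply_blocklist() {
    tmp=$(mktemp) || return 1
    filter_blocklist > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        printf 'no valid domains, blocklist left unchanged\n' >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$BLOCKLIST"
    if [ -x /etc/init.d/adblock ]; then
        /etc/init.d/adblock reload
    fi
    return 0
}

# Number of active (non-comment) entries currently in $BLOCKLIST.
blocklist_count() {
    [ -f "$BLOCKLIST" ] || { echo 0; return 0; }
    grep -c '^[^#]' "$BLOCKLIST" || true
}

# Demo run (sample input constructed for this example: mixed case, a comment,
# a duplicate and an invalid name with an underscore that must be rejected).
# Invoke as: sh blocklist.sh demo
if [ "${1:-}" = "demo" ]; then
    BLOCKLIST=$(mktemp)
    printf 'Domain1.COM\n# tracker\nbad_host.example\ndomain1.com\ndomain2.com\n' | apply_blocklist
    cat "$BLOCKLIST"
    rm -f "$BLOCKLIST"
fi
```

Run the demo on the firewall with `BLOCKLIST` unset to write the real file; after a run, `blocklist_count` gives a quick sanity check that the expected number of names was installed, and the usual `/etc/init.d/adblock reload` is triggered only when adblock is actually present.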