1.1.1.3/1.0.0.3 Allowing Adult Content

1.1.1.3 and 1.0.0.3 do not seem to be blocking Adult content anymore.

NSLookup results:

pornhub_com
Server: [1.1.1.3]
Address: 1.1.1.3

Non-authoritative answer:
Name: pornhub_com
Address: 66.254.114.41

server 1.0.0.3
Default Server: [1.0.0.3]
Address: 1.0.0.3

pornhub_com
Server: [1.0.0.3]
Address: 1.0.0.3

Non-authoritative answer:
Name: pornhub_com
Address: 66.254.114.41

.com replaced by _com

I’m unable to reproduce. Perhaps your ISP is intercepting queries. What is the result of

nslookup -class=chaos -type=txt id.server 1.0.0.3

2 Likes

PS C:\Users\randy.hutton> nslookup -class=chaos -type=txt id.server 1.0.0.3
Server: UnKnown
Address: 1.0.0.3

*** UnKnown can’t find id.server: Not implemented

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you may not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Then you’re not communicating with Cloudflare for Families for DNS queries. Something else is intercepting / responding to that query.

3 Likes
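The check used in this exchange, as an added example that is not part of the original thread: it builds the same CHAOS-class TXT query for `id.server` that the `nslookup` command sends and classifies the reply. The function names, the sample replies and the identity string "LAX" are constructed for illustration, and the example assumes a resolver that implements `id.server` answers with a short TXT string.

```python
import struct

CLASS_CH, TYPE_TXT = 3, 16
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(txid, name="id.server"):
    """Wire-format query: header (RD set, 1 question) + QNAME + TXT/CH."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack(">HH", TYPE_TXT, CLASS_CH))

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer is two bytes
            return off + 2
        off += 1 + n

def parse_response(msg, txid):
    """Return (rcode name, list of CHAOS TXT strings) from a reply."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    txts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            txts.append(msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace"))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), txts

def verdict(rcode, txts):
    if rcode == "NOERROR" and txts:
        return "resolver identified itself as " + txts[0]
    return "no identity answer (%s): something else is responding to that query" % rcode

def sample_response(txid, flags, txt=None):
    """Constructed reply for offline use; not captured from a real server."""
    ans = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        ans = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if ans else 0, 0, 0) + build_query(txid)[12:] + ans
```

To run it against a live resolver, send `build_query()` over UDP port 53 and pass the reply to `parse_response()`.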

Just found out that Comcast Security Edge hijacks all DNS requests. Thanks for pointing me to something outside the PFSense firewall.


2 Likes

You might try using DoT with hostname verification in your pfSense.

pfSense has a guide: pfSense® software Configuration Recipes — Configuring DNS over TLS | pfSense Documentation

They have a forum, too, if you have pfSense-specific questions.

1 Like

DoH works, too. It’s even on the normal HTTPS/443 port, which makes it easier.

1 Like

As much as I generally am a DoH-hater because of the risk it introduces to a business network, it was my first thought here. I didn’t find any documentation supporting its use in pfSense, hence the DoT recommendation.

Thanks for the suggestion, I like this option better and will try it out.

I was able to contact Comcast Business and get them to disable the Security Edge Internet Security Protection. Once disabled, the DNS queries to 1.1.1.3 and 1.0.0.3 responded correctly.


3 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.