Pfsense and 1.1.1.3 not blocking adult content

I changed my DNS servers to 1.1.1.3 and 1.0.0.3. I blocked all requests for DNS at port 53 and also ensured that secure requests are sent to the above servers. They forward to the localhost so even HTTPS is resolved by Cloudflare. When I check which DNS server I am using I do get this: 108.162.218.19 which I am pretty sure is a Cloudflare server.

I am selecting my WAN gateway to make sure all requests go via Cloudflare and also I added this to the DNS resolver:

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.3@853
    forward-addr: 1.0.0.3@853

What am I missing from this?
Any help or suggestions will be greatly appreciated.
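As an added check, not code from the post or from pfSense/Unbound, the script below parses a forward-zone like the one above and lints it the way a firewall admin would before blaming the provider: are the upstreams the filtering IPs, is the port 853 used with forward-ssl-upstream, and is the upstream actually authenticated (Unbound only verifies the certificate when the address carries a `#authname` and a `tls-cert-bundle` is set). The sample configs are constructed; the CA bundle path and the `family.cloudflare-dns.com` auth name are assumptions, not values from the thread.

```python
# Constructed sample: the forward-zone from the post as typed into the pfSense
# Unbound "Custom options" box. 1.1.1.3 / 1.0.0.3 are Cloudflare's family resolvers.
POSTED_CONFIG = """\
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.3@853
    forward-addr: 1.0.0.3@853
"""

# Same zone with the upstreams authenticated: auth name after '#', CA bundle set.
# The bundle path is an assumption for this example.
HARDENED_CONFIG = """\
server:
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
    forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
"""

FAMILY_IPS = {"1.1.1.3", "1.0.0.3"}   # Cloudflare IPv4 resolvers that apply adult filtering

def parse_unbound(text):
    """Collect 'key: value' pairs; a repeated key (forward-addr) becomes a list of values."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue                      # blank, comment, or a clause header like 'forward-zone:'
        key, _, value = line.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def check_forward_zone(text):
    """Return a list of findings; empty means filtered IPs, TLS on 853, and authenticated upstreams."""
    opts = parse_unbound(text)
    findings = []
    if opts.get("forward-ssl-upstream", ["no"])[0] != "yes":
        findings.append("forward-ssl-upstream is not 'yes': queries leave in cleartext")
    if "tls-cert-bundle" not in opts:
        findings.append("no tls-cert-bundle: Unbound cannot verify any upstream certificate")
    for addr in opts.get("forward-addr", []):
        host, _, auth = addr.partition("#")        # '#authname' enables certificate checking
        ip, _, port = host.partition("@")
        if ip not in FAMILY_IPS:
            findings.append(f"{ip} is not a Cloudflare family resolver, so no adult filtering")
        if port != "853":
            findings.append(f"{addr}: a DoT upstream must use port 853")
        if not auth:
            findings.append(f"{addr}: no '#authname', this upstream's certificate is not checked")
    return findings
```

Run against the posted zone it reports nothing that would explain the missing filtering (the IPs and port are right), but it does flag that the zone never authenticates the upstream, which is worth fixing regardless of how the filtering question is resolved.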

Probably a similar issue to what I have been experiencing with Android’s automatic private dns (DoT) with 1.1.1.3 https://community.cloudflare.com/t/1-1-1-3-android-automatic-private-dns-no-filtering/163999/5

Do you have Experimental Bit 0x20 Support enabled? This is in pfSense — Services — DNS resolver — Advanced Settings, near the bottom.

Also, what do you regard as “Adult Content”? I ask in case the issue lies there and not with the Unbound config. Dnsmasq has had issues with system time misalignments causing DoT traffic to fail regardless of the provider, though I don’t recall what pfSense has built in as its resolver / forwarder.

The resolver is unbound. pfSense also offers a forwarder, but the configuration above indicates the resolver is being used.

As for what is considered adult or the various other categories, I have no idea. They are using one or more external categorization services, but I’m not sure if they have disclosed any details publicly. I use the test domains for testing purposes as I prefer to have unfiltered access to the world.


Hi, sorry for the delay in replying. Thank you. Interesting post. I guess it is similar.

Hello, I apologize for the delay. I just enabled it to test it for a few days. How will this be different in the actual blocking?

I am trying to make sure that sites such as Pornhub or RedTube or the like are blocked.
I guess pornographic would be a better description.

Could it be dnsmasq?

I am guessing since the first problem they had with categorizing something in a way they did not mean to do it, then I would think the filter is a little less strict and more broad. I am looking to block pornographic content with the DNS service rather than blocking some specific things. I would rather do it with this than with say OpenDNS… Thanks again for the replies.

It may. Have a look here to see some extremely expert advice on these matters:

Also note that you can, if the option exists in pfSense, use opportunistic DoT, or as a stop-gap not use it and instead push 1.1.1.3 and 1.0.0.3 directly to all clients in your LAN. That would disallow use of DoT but does in fact work as was confirmed here:

If you must use Cloudflare DNS, then I would disable DoT. It seems they still do not support filtering with DoT. The most annoying thing is that Android will automatically switch to DoT when resolvers are set to 1.1.1.3. This causes adult filtering to stop working unless you manually touch every Android device and change the automatic private DNS to Off instead of Automatic. That is why I switched back to OpenDNS Family Shield until CF figures it out.