Блокировка видео/Block video

drknssc

@stephenw10 said in Блокировка видео/Block video:

Итак, чего вы пытаетесь достичь? Сайт вообще не должен загружаться?

Да, сайт загружаться должен. Мне надо заблокировать поток, допустим, место видео, будет ошибка!

drknssc

@johnpoz said in Блокировка видео/Block video:

Какой конкретный сайт вы пытаетесь заблокировать, было бы проще дать вам конкретные инструкции таким образом.

Sounds silly, but first let's try YouTube :DD

johnpoz

@drknssc said in Блокировка видео/Block video:

Sounds silly, but first let's try YouTube :DD

unbound custom options box.

server:
local-zone: "youtube.com" always_nxdomain

They are not going to resolve anything.youtube.com, or just youtube.com or whatever.something.otherthing.youtube.com

Youtube has a lot of domains it could be accessed from, easy enough to look them up and set unbound to not resolve them.

drknssc

@johnpoz said in Блокировка видео/Block video:

@drknssc said in Блокировка видео/Block video:

Sounds silly, but first let's try YouTube :DD

unbound custom options box.
server:
local-zone: "youtube.com" always_nxdomain
They are not going to resolve anything.youtube.com, or just youtube.com or whatever.something.otherthing.youtube.com

Youtube has a lot of domains it could be accessed from, easy enough to look them up and set unbound to not resolve them.

Where is this to be entered?

johnpoz

@drknssc in the custom box in unbound config

stephenw10

In the Resolver custom options:
Screenshot from 2022-08-05 14-33-40.png

drknssc

@stephenw10 Okay, thanks a lot! Run to test! And last question :D
To block a video on Instagram, do the same with only the instagram.com domain?

johnpoz

@drknssc sure this can be done with any domain. What can not be done is allow access to domain xyz.com but block say xyz.com/something

This would have to be done with a proxy - if the the goal is just preventing a client behind pfsense using pfsense as their dns from going to some domain, its a simple dns block.

No special firewall rules needed, not blocking of whole ASNs, etc. etc.

edit: pfblocker can be leveraged for all kinds of dns related stuff as well, loading domains from a public list, blocking whole domains as well, etc.

Kind of hard to load up youtube.com if they can not resolve it - problem is client browser might use doh in their browser to try and circumvent your dns. Or if the site is reachable via just IP vs some fqdn. Then you would need to block the IP or IP ranges or even the whole ASN of some company, etc. But blocking clients from using other dns is easy, blocking doh a bit harder but also can be done with known lists of doh servers, etc.

Notice the use-application-dns.net in mine - that is canary domain to tell firefox browsers not to use doh, etc.

stephenw10

Yeah that is going to block all of youtube and instagram. Blocking just the videos is far more difficult.

drknssc

@stephenw10
Thanks for the help, but the video still plays..
alt text

I need something like this
alt text

I will wait for the response of mega people! Who can easily help me and explain how it is done!

stephenw10

The client may have cached something. Try testing in a new private window.

Or it might not be using pfSense for DNS.

johnpoz

@stephenw10 said in Блокировка видео/Block video:

Or it might not be using pfSense for DNS.

yup quite possible its using doh - the browsers love to default to using doh and bypassing your local dns.

From a cmd line do a directed query for youtube.com, or www.youtube.com using your fav client dig, nslookup, host etc..

Does it come back with IP, then your setup is wrong or your not using unbound on pfsense, or your not pointing to pfsense on that client for dns. If it comes back as nxdomain then yoru setup is right and either the client is not using you for dns, or it was cached, etc.

stevendenassol

@johnpoz said in Блокировка видео/Block video:

@stephenw10 said in Блокировка видео/Block video:

Or it might not be using pfSense for DNS.

yup quite possible its using doh - the browsers love to default to using doh and bypassing your local dns.

From a cmd line do a directed query for youtube.com, or www.youtube.com using your fav client dig, nslookup, host etc..

Does it come back with IP, then your setup is wrong or your not using unbound on pfsense, or your not pointing to pfsense on that client for dns. If it comes back as nxdomain then yoru setup is right and either the client is not using you for dns, or it was cached, etc.

Hey! I'm a little dumb in this area, could you explain to me how to do this?

stephenw10

For example:

steve@steve-MMLP7AP-00 ~ $ dig youtube.com +short
142.250.187.206
steve@steve-MMLP7AP-00 ~ $ dig @8.8.8.8 youtube.com +short
142.250.187.206
steve@steve-MMLP7AP-00 ~ $ dig @172.21.16.1 youtube.com +short
142.250.187.206

If you have the override setup correctly a query to the local pfSense IP will fail.

Steve

drknssc

@stephenw10 said in Блокировка видео/Block video:

For example:
steve@steve-MMLP7AP-00 ~ $ dig youtube.com +short
142.250.187.206
steve@steve-MMLP7AP-00 ~ $ dig @8.8.8.8 youtube.com +short
142.250.187.206
steve@steve-MMLP7AP-00 ~ $ dig @172.21.16.1 youtube.com +short
142.250.187.206
If you have the override setup correctly a query to the local pfSense IP will fail.

Steve

8.8.8.8 and 172.21.16.1 are your DNS servers?

stephenw10

172.21.16.1 is my local pfSense LAN interface where Unbound is listening and responding to queries.
8.8.8.8 is Google's anycast DNS IP.

With the override in place I would expect 8.8.8.8 to return an IP address but Unbound locally to fail.

Steve