Limit access to a list of sites
-
I need to set a machine to go only to a list of very restricted sites.
Can I set it in DNS? Does a better approach exist?
-
@andmattia If it's a device you can do this on, you could add entries to the "hosts" file on the device, and disable/block all other DNS lookups.
Unbound has a "view" feature to control access by IP, but I have not really used it, so I cannot help much. I do not know if it can do what you want.
-
@andmattia
One of the weaknesses of pfBlocker is that it's all or nothing. No granular control.
So you could create a DNSBL custom feed. Apply it. Then use the Python group to start whitelisting IPs so those IPs wouldn't be impacted by that list.
Of course, the caveat is that you do not have other lists you are using 'globally', in which case the whitelisting will be applied to them as well.
Another less common way, and I've used this in the past, is using Suricata and custom rules. Suricata can read the SNI of a TLS stream, so you can write a custom rule that says 'drop this IP from going to facebook.com'.
Because this is, hopefully, a one-off request, it will work, but this isn't scalable and is not recommended for wide-scale use.
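As an added example (not posted by anyone in this thread), here is the Suricata SNI approach from the last reply turned around into the allowlist the original poster asked for: the restricted host may only complete TLS handshakes whose SNI is one of the permitted domains, and every other TLS client hello from it is dropped. The host address 192.168.1.50, the two permitted domains, the sid range and the rule file name are assumptions for illustration; $EXTERNAL_NET is Suricata's standard variable.

```suricata
# /usr/local/etc/suricata/rules/restricted-host.rules  (assumed path, added example)
# Assumes Suricata runs inline (IPS mode); in IDS/mirror mode "drop" only alerts.
# Pass rules are evaluated before drop rules, so the permitted domains below
# are never reached by the catch-all drop at the end.

# dotprefix turns "example.com" into ".example.com" and "www.example.com" into
# ".www.example.com", so matching ".example.com" with endswith allows the bare
# domain and any subdomain while still rejecting "notexample.com".
pass tls 192.168.1.50 any -> $EXTERNAL_NET any (msg:"Restricted host allowed: example.com"; flow:to_server,established; tls.sni; dotprefix; content:".example.com"; nocase; endswith; sid:1000001; rev:1;)
pass tls 192.168.1.50 any -> $EXTERNAL_NET any (msg:"Restricted host allowed: example.org"; flow:to_server,established; tls.sni; dotprefix; content:".example.org"; nocase; endswith; sid:1000002; rev:1;)

# Anything else the restricted host tries to do over TLS is dropped (and logged).
drop tls 192.168.1.50 any -> $EXTERNAL_NET any (msg:"Restricted host blocked: TLS to non-allowlisted SNI"; flow:to_server,established; sid:1000003; rev:1;)
```

Two caveats a practitioner will hit with this approach. First, the rules only see the SNI of TCP-based TLS client hellos; a firewall rule blocking UDP/443 (QUIC) from the host is needed so the browser falls back to TCP, and plain HTTP or direct-to-IP traffic needs its own pass/drop pair. Second, the allowlist is on the SNI string, so a client that uses Encrypted Client Hello or a CDN that fronts many sites behind one hostname will not be separated by this check, which is part of why the reply above calls it a one-off rather than something to scale.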