Prevent proxy / DNS filter bypass - whitelist domains



  • Hi,

    I need to limit the access of some PCs to the internet in a way that they can only access certain websites. (I think) I can't do it based on IP address since they change rather often and I'd need to whitelist probably half the cloud making the setup rather pointless. With squid I can limit access but afaik you can still bypass the proxy by connecting directly to an IP. The same is true for DNS filters.
    My current setup is a pfsense router running squid and doing DNS over TLS.
    Is there any way to prevent bypassing the filter? Or can pf adjust the rules so that during a dns lookup muh.cloud.com resolves to e.g. 6.6.6.6 which then gets automatically allowed?


  • Netgate Administrator

    If you are forcing all traffic through Squid/Squidguard you can block IPs in the request directly. There is an option for that.

    Steve
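The squid.conf shape that gives the behaviour asked for above, as an added example rather than text from Steve's reply or the Netgate package: a whitelist file of domains, a deny rule for requests whose destination is written as an IP literal instead of a name, and a final deny-all. Assumed here: the LAN is 192.168.1.0/24, the whitelist path is hypothetical, and a pfSense firewall rule already blocks direct outbound traffic from the LAN so the proxy itself cannot be skipped.

```squid
# Added example, not the pfSense package's generated config.
# Assumptions: LAN subnet is 192.168.1.0/24; whitelist path is hypothetical.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# One domain per line in the file. A leading dot matches the domain and
# every subdomain, e.g. ".cloudfront.net" also matches muh.cloudfront.net,
# so per-host changes on a CDN do not need a new whitelist entry.
acl whitelist dstdomain "/usr/local/etc/squid/whitelist.txt"

# Destination given as an IPv4 literal (http://6.6.6.6/...) or an IPv6
# literal (contains a colon, which a hostname never does): treat as a
# filter-bypass attempt and refuse it before the whitelist is consulted.
acl ip_literal dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl ip_literal dstdom_regex :

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ip_literal
http_access allow localnet whitelist
http_access deny all
```

On pfSense the Squid package generates squid.conf, so lines like these belong in the package's custom options fields rather than in a hand-edited file.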



  • Found it, thanks.
    I have a similar problem still. When I go to a website, the site itself might fetch scripts etc from other domains which would need to be whitelisted, too. Doing that manually is a hassle in particular when the external resources are fetched through muh.cloudfront.net while the other day it is meh.cloudfront.net. Can squid whitelist a whole website?

