Prevent proxy / DNS filter bypass - whitelist domains
I need to limit the access of some PCs to the internet in a way that they can only access certain websites. (I think) I can't do it based on IP address since they change rather often and I'd need to whitelist probably half the cloud making the setup rather pointless. With squid I can limit access but afaik you can still bypass the proxy by connecting directly to an IP. The same is true for DNS filters.
My current setup is a pfsense router running squid and doing DNS over TLS.
Is there any way to prevent bypassing the filter? Or can pf adjust the rules so that during a dns lookup muh.cloud.com resolves to e.g. 126.96.36.199 which then gets automatically allowed?
If you are forcing all traffic through Squid/Squidguard you can block IPs in the request directly. There is an option for that.
Found it, thx.
I have a similar problem still. When I go to a website, the site itself might fetch scripts etc from other domains which would need to be whitelisted, too. Doing that manually is a hassle in particular when the external resources are fetched through muh.cloudfront.net while the other day it is meh.cloudfront.net. Can squid whitelist a whole website?