Blocking specific websites with pfBlockerNG
-
I support a company that has employees that are constantly streaming music via Spotify, YouTube, Pandora, etc., and I am wanting to block access to these sites because it is taking up bandwidth (we are on a 100 Mbps circuit). Every so often I have some employees that will stream movies on their lunch breaks via Hulu and/or Netflix; I'd like to block access to those as well. Can someone point me in the right direction on how to accomplish this or provide some type of documentation? I just installed pfBlockerNG. Any help would be greatly appreciated - cheers!
-
There is a sub-forum here specifically for pfBlockerNG and pfBlockerNG-devel users. Here is a direct link: https://forum.netgate.com/category/62/pfblockerng.
You may get a quicker and more complete response posting directly there.
The answer to your question is that it is possible to block most of this activity (but not always 100%). At the least you can make it so hit-or-miss for the users they will likely just give up. The problem is that services like those use giant third-party CDNs (content delivery networks) to stream their service. Those CDNs are also shared by many other things you might not want to block, so you have to tread carefully. The basic process is to create a pfBlockerNG-devel alias based on the network ASN of the providers you want to block. Another method some use is the DNSBL (DNS Blacklist) feature of pfBlockerNG-devel. Examples of what other users are doing can be found in the sub-forum I posted a link to.
I do not use pfBlockerNG, so I'm not an expert in setting it up. I'm just familiar with the basics at a high level.
-
@jkalber Another quick and dirty way is to set up a domain or host override in the DNS Resolver. Then anything that wants to connect to (www.)spotify.com will get the address you put in, like 127.0.0.1 or whatever. Nowadays DNS over HTTP will bypass that, so you also need to disable DoH.
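
The DNS override approach from the last reply, as an added example that is not part of the original thread: a small Python generator that turns a list of domains into Unbound `local-zone`/`local-data` lines answering with a sink address, and adds an NXDOMAIN answer for Firefox's DoH canary domain. Assumptions: the DNS Resolver is Unbound and accepts these lines as custom options, the domain list is a constructed sample, and the function names and the canary entry are this example's own, not from the thread.

```python
import re

# Constructed sample input: services named in the thread, written the messy
# way lists get pasted (mixed case, "www." prefix, duplicates, subdomains).
SAMPLE_DOMAINS = ["www.Spotify.com", "spotify.com", "pandora.com",
                  "hulu.com", "netflix.com", "api.netflix.com"]

# Firefox's DoH canary: an NXDOMAIN answer tells Firefox not to enable DoH
# by default. It does not stop a user who turns DoH on manually.
DOH_CANARY = "use-application-dns.net"

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case, drop a trailing dot and leading 'www.', validate labels."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    parts = name.split(".")
    if len(parts) < 2 or not all(LABEL.match(p) for p in parts):
        raise ValueError(f"not a valid domain name: {name!r}")
    return name

def collapse(names):
    """Drop names already covered by a listed parent zone, since a
    redirect zone answers for every name beneath it."""
    zones = sorted({normalize(n) for n in names}, key=lambda z: z.count("."))
    kept = []
    for zone in zones:
        if not any(zone == k or zone.endswith("." + k) for k in kept):
            kept.append(zone)
    return sorted(kept)

def unbound_overrides(names, sink="127.0.0.1"):
    """Return Unbound config lines that answer each zone with `sink`."""
    lines = ["server:"]
    for zone in collapse(names):
        lines.append(f'local-zone: "{zone}." redirect')
        lines.append(f'local-data: "{zone}. 60 IN A {sink}"')
    lines.append(f'local-zone: "{DOH_CANARY}." always_nxdomain')
    return lines

if __name__ == "__main__":
    print("\n".join(unbound_overrides(SAMPLE_DOMAINS)))
```

Clients that use a hard-coded resolver or have DoH switched on by hand never query the local resolver, so these overrides only affect clients that actually use it.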