Блокировка видео/Block video
-
RU
Всем привет! Поставили мне задачу заблокировать видеопоток (САЙТ ДОСТУПЕН, А САМО ВИДЕО ВЫДАВАЛО ОШИБКУ КОГДА НАЧИНАЕТ ЗАГРУЖАТЬСЯ)!
Уже 4 дня мучаюсь и ищу решения, но все безуспешно, либо ответов нет, либо решения уже неактуальны! Т.к. это форум, попрошу более детальной инструкции! Знаю только то, что это можно совершить через Squid или PfBlockerNG, но как, не знаю!EN
Hi all! They set me the task of blocking the video stream (the SITE IS AVAILABLE, AND THE VIDEO ITSELF PROVIDED AN ERROR WHEN IT STARTED TO LOAD)!
I have been suffering for 4 days and looking for solutions, but all to no avail, either there are no answers, or the solutions are no longer relevant! Because This is a forum, I'll ask for more detailed instructions! I only know that this can be done through Squid or PfBlockerNG, but I don’t know how! -
So what are you trying to achieve? The site should not load at all?
What have you tried? What were the results?
Steve
-
@drknssc said in Блокировка видео/Block video:
I only know that this can be done through Squid or PfBlockerNG, but I don’t know how!
squid could get complicated, because the site is most likely via https.. Are you running squid?
Pfblocker could be used to block the network or the fqdn of the site, etc.
But also you could normally just get by with simple dns block of name using an alias, or simple redirect in unbound of the domain.
What specific site are you trying to block, would be easier to give you specific instructions that way.
-
@stephenw10 said in Блокировка видео/Block video:
Итак, чего вы пытаетесь достичь? Сайт вообще не должен загружаться?
Да, сайт загружаться должен. Мне надо заблокировать поток, допустим, место видео, будет ошибка!
-
@johnpoz said in Блокировка видео/Block video:
Какой конкретный сайт вы пытаетесь заблокировать, было бы проще дать вам конкретные инструкции таким образом.
Sounds silly, but first let's try YouTube :DD
-
@drknssc said in Блокировка видео/Block video:
Sounds silly, but first let's try YouTube :DD
unbound custom options box.
server: local-zone: "youtube.com" always_nxdomain
They are not going to resolve anything.youtube.com, or just youtube.com or whatever.something.otherthing.youtube.com
Youtube has a lot of domains it could be accessed from, easy enough to look them up and set unbound to not resolve them.
-
@johnpoz said in Блокировка видео/Block video:
@drknssc said in Блокировка видео/Block video:
Sounds silly, but first let's try YouTube :DD
unbound custom options box.
server: local-zone: "youtube.com" always_nxdomain
They are not going to resolve anything.youtube.com, or just youtube.com or whatever.something.otherthing.youtube.com
Youtube has a lot of domains it could be accessed from, easy enough to look them up and set unbound to not resolve them.
Where is this to be entered?
-
@drknssc in the custom box in unbound config
-
In the Resolver custom options:
-
@stephenw10 Okay, thanks a lot! Run to test! And last question :D
To block a video on Instagram, do the same with only the instagram.com domain? -
@drknssc sure this can be done with any domain. What can not be done is allow access to domain xyz.com but block say xyz.com/something
This would have to be done with a proxy - if the the goal is just preventing a client behind pfsense using pfsense as their dns from going to some domain, its a simple dns block.
No special firewall rules needed, not blocking of whole ASNs, etc. etc.
edit: pfblocker can be leveraged for all kinds of dns related stuff as well, loading domains from a public list, blocking whole domains as well, etc.
Kind of hard to load up youtube.com if they can not resolve it - problem is client browser might use doh in their browser to try and circumvent your dns. Or if the site is reachable via just IP vs some fqdn. Then you would need to block the IP or IP ranges or even the whole ASN of some company, etc. But blocking clients from using other dns is easy, blocking doh a bit harder but also can be done with known lists of doh servers, etc.
Notice the use-application-dns.net in mine - that is canary domain to tell firefox browsers not to use doh, etc.
-
Yeah that is going to block all of youtube and instagram. Blocking just the videos is far more difficult.
-
@stephenw10
Thanks for the help, but the video still plays..
I need something like this
I will wait for the response of mega people! Who can easily help me and explain how it is done!
-
The client may have cached something. Try testing in a new private window.
Or it might not be using pfSense for DNS.
-
@stephenw10 said in Блокировка видео/Block video:
Or it might not be using pfSense for DNS.
yup quite possible its using doh - the browsers love to default to using doh and bypassing your local dns.
From a cmd line do a directed query for youtube.com, or www.youtube.com using your fav client dig, nslookup, host etc..
Does it come back with IP, then your setup is wrong or your not using unbound on pfsense, or your not pointing to pfsense on that client for dns. If it comes back as nxdomain then yoru setup is right and either the client is not using you for dns, or it was cached, etc.
-
@johnpoz said in Блокировка видео/Block video:
@stephenw10 said in Блокировка видео/Block video:
Or it might not be using pfSense for DNS.
yup quite possible its using doh - the browsers love to default to using doh and bypassing your local dns.
From a cmd line do a directed query for youtube.com, or www.youtube.com using your fav client dig, nslookup, host etc..
Does it come back with IP, then your setup is wrong or your not using unbound on pfsense, or your not pointing to pfsense on that client for dns. If it comes back as nxdomain then yoru setup is right and either the client is not using you for dns, or it was cached, etc.
Hey! I'm a little dumb in this area, could you explain to me how to do this?
-
For example:
steve@steve-MMLP7AP-00 ~ $ dig youtube.com +short 142.250.187.206 steve@steve-MMLP7AP-00 ~ $ dig @8.8.8.8 youtube.com +short 142.250.187.206 steve@steve-MMLP7AP-00 ~ $ dig @172.21.16.1 youtube.com +short 142.250.187.206
If you have the override setup correctly a query to the local pfSense IP will fail.
Steve
-
@stephenw10 said in Блокировка видео/Block video:
For example:
steve@steve-MMLP7AP-00 ~ $ dig youtube.com +short 142.250.187.206 steve@steve-MMLP7AP-00 ~ $ dig @8.8.8.8 youtube.com +short 142.250.187.206 steve@steve-MMLP7AP-00 ~ $ dig @172.21.16.1 youtube.com +short 142.250.187.206
If you have the override setup correctly a query to the local pfSense IP will fail.
Steve
8.8.8.8 and 172.21.16.1 are your DNS servers?
-
172.21.16.1 is my local pfSense LAN interface where Unbound is listening and responding to queries.
8.8.8.8 is Google's anycast DNS IP.With the override in place I would expect 8.8.8.8 to return an IP address but Unbound locally to fail.
Steve