Block website



  • Hello!

    How do I block specific websites without connecting to a proxy? I really need this. I would also want to add my own custom page that says "This website has been blocked" or something. Is it possible to run Squid or something without needing to configure it on Chrome? So people will be connected to that Squid thing when they connect to the network. I'm new to pfSense.

    Best Regards,
    Frozity


  • Banned

    Do a host override in DNS forwarder/resolver and set up a webserver with "This website has been blocked" or something on that IP.



  • @doktornotor:

    Do a host override in DNS forwarder/resolver and set up a webserver with "This website has been blocked" or something on that IP.

    Thanks, can you please explain a little better?

    And is it possible to run Squid or something without needing to configure it on Chrome? So people will be connected to that Squid thing when they connect to the network. I'm new to pfSense.


  • Banned

    What do you need to explain about adding a host override in the GUI? Services - DNS Forwarder/Resolver.

    P.S. No advice regarding Squid. Yuck!



  • @doktornotor:

    What do you need to explain about adding a host override in the GUI? Services - DNS Forwarder/Resolver.

    P.S. No advice regarding Squid. Yuck!

    I just don't understand it.



  • In DNS Forwarder (or DNS Resolver, whichever you are using) there is a Host Overrides section.
    Normally that is used to add some host name to IP address mappings for names that you want to be available but are not normal public names, or are your own internal web servers or…

    But you can use it to override the normal public resolution of a name. e.g. make facebook.com be 10.11.12.13

    1. If you just want to leave users in the dark with timeouts, you can put a Host Override that points to some IP address on your LAN that does not exist; or

    2. If you want to be nicer, point to something that has a web server running that can display some message about "You cannot get to the real Facebook from this network"; or

    3. Add a domain override for facebook.com with IP address "!" - that tells DNS Forwarder not to forward requests for that name anywhere. It will only look in the local hosts file (which does not have facebook.com in it). This method will quickly return NXDOMAIN to the user, so they quickly get a "server not found" type of error in their browser.
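    The three options above, rendered as the directives the two pfSense DNS backends actually take. This is an added example, not code from the thread or from the pfSense project. The DNS Forwarder is dnsmasq, whose Custom options box accepts `address=/domain/ip` (domain and every subdomain answer with that IP) and `local=/domain/` (answer from local data only, so NXDOMAIN when nothing matches); the DNS Resolver is unbound, whose Custom options box takes `local-zone`/`local-data` lines under a `server:` header. The `BlockRule` class, the function names and the domains and addresses are this example's own.

```python
# Added example (not from the thread or from pfSense): render the three
# blocking options as the directives the two pfSense DNS backends take.
# Domain names and IP addresses below are made up.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

SINKHOLE = "sinkhole"    # option 1: point at a LAN IP nobody answers on -> timeouts
BLOCKPAGE = "blockpage"  # option 2: point at a LAN web server that shows the block page
NXDOMAIN = "nxdomain"    # option 3: answer NXDOMAIN right away -> "server not found"


@dataclass(frozen=True)
class BlockRule:
    domain: str       # apex name such as "vg.no"; the rule also covers every subdomain
    mode: str         # one of SINKHOLE, BLOCKPAGE, NXDOMAIN
    target: str = ""  # IPv4 address for SINKHOLE/BLOCKPAGE, unused for NXDOMAIN

    def __post_init__(self) -> None:
        if self.mode not in (SINKHOLE, BLOCKPAGE, NXDOMAIN):
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.mode != NXDOMAIN:
            IPv4Address(self.target)  # raises on a malformed address

    @property
    def name(self) -> str:
        return self.domain.strip().rstrip(".").lower()


def dnsmasq_lines(rules: List[BlockRule]) -> List[str]:
    """DNS Forwarder (dnsmasq) directives for the Custom options box."""
    out = []
    for r in rules:
        if r.mode == NXDOMAIN:
            # local=/domain/ answers the domain from local data (hosts file) only;
            # with no matching entry the client gets NXDOMAIN and nothing is forwarded
            out.append(f"local=/{r.name}/")
        else:
            # address=/domain/ip returns ip for the domain and all of its subdomains
            out.append(f"address=/{r.name}/{r.target}")
    return out


def unbound_lines(rules: List[BlockRule]) -> List[str]:
    """DNS Resolver (unbound) directives; Custom options lines sit under server:."""
    out = ["server:"]
    for r in rules:
        zone = r.name + "."
        if r.mode == NXDOMAIN:
            # static: answered from local data only; with none defined the
            # answer is NXDOMAIN (newer unbound also offers always_nxdomain)
            out.append(f'  local-zone: "{zone}" static')
        else:
            # redirect: the apex record answers for the apex and every subdomain
            out.append(f'  local-zone: "{zone}" redirect')
            out.append(f'  local-data: "{zone} A {r.target}"')
    return out


if __name__ == "__main__":
    demo = [
        BlockRule("vg.no", BLOCKPAGE, "192.168.1.6"),         # web server with the block page
        BlockRule("Facebook.com.", NXDOMAIN),
        BlockRule("example.org", SINKHOLE, "192.168.1.250"),  # nothing listens here
    ]
    print("\n".join(dnsmasq_lines(demo)))
    print()
    print("\n".join(unbound_lines(demo)))
```

    The GUI's Host Overrides form writes a single exact name, so a domain-wide rule is the thing to use when the site is reached under several names (www, m, static, and so on).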



  • Wouldn't Dansguardian package serve this purpose more properly?


  • Banned

    @JaredZen:

    Wouldn't Dansguardian package serve this purpose more properly?

    "How do i block specific websites without connecting to a proxy?"



  • AHHH Thanks. Totally missed that when I read the OP's post. I guess the mention of Squid made me overlook that point.



  • I'm very confused, I have a webserver running on 192.168.1.6.

    How do I do this? I tried this but it didn't work at all:
    http://i.gyazo.com/d08c5eab584c9146d04e776a0bf9aab8.png



  • What you've done is created a DNS override so that if anyone tries to go to myhost.facebook.com, it will redirect to 192.168.1.6. This is probably not what you want. If I remember, you can leave the Host section blank and it will match anything that ends in facebook.com.



  • The entry you've made where you've put 'myhost' means that the override will work when you try to visit 'myhost.facebook.com'. If you want it to resolve to 'www.facebook.com' enter 'www' in the Host field. Otherwise do as KOM suggests.
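    To see why "myhost" in the Host field matched only myhost.facebook.com, here is a small model of how the DNS Forwarder picks an answer. It is an added example, not code from the thread or from pfSense/dnsmasq: exact Host Override entries are consulted first (dnsmasq reads them from its hosts data before its `address=`/`local=` lines), then domain-wide rules, which cover the apex and every subdomain with the most specific domain winning. `OverrideTable` and its method names are invented for this example; `add_domain_override` with `"!"` models the NXDOMAIN-style domain override described earlier in the thread, and with an IP it models the dnsmasq custom option `address=/domain/ip`.

```python
# Added example (not from the thread or from pfSense/dnsmasq): a model of how
# the DNS Forwarder picks an answer, to show why a Host Override only matches
# the exact name while a domain-wide rule covers the apex and all subdomains.
# Class and method names are this example's own; the order is dnsmasq's:
# hosts-file entries (Host Overrides) are consulted before address=/local= lines.
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

Answer = Tuple[str, Optional[str]]  # ("A", ip) | ("NXDOMAIN", None) | ("FORWARD", None)


def _canon(name: str) -> str:
    return name.strip().rstrip(".").lower()


class OverrideTable:
    def __init__(self) -> None:
        self.hosts: Dict[str, str] = {}              # exact fqdn -> ip
        self.domains: Dict[str, Optional[str]] = {}  # suffix -> ip, or None for "!"

    def add_host_override(self, host: str, domain: str, ip: str) -> None:
        """Services > DNS Forwarder > Host Overrides: Host + Domain form one exact name.
        Host "myhost" + Domain "facebook.com" matches only myhost.facebook.com;
        an empty Host gives the bare apex, which still does not cover www."""
        fqdn = f"{host}.{domain}" if host.strip() else domain
        self.hosts[_canon(fqdn)] = str(IPv4Address(ip))

    def add_domain_override(self, domain: str, ip: Optional[str]) -> None:
        """ip="!" (or None) models the Domain Override that returns NXDOMAIN;
        an IP models the custom option address=/domain/ip."""
        blocked = ip is None or ip.strip() == "!"
        self.domains[_canon(domain)] = None if blocked else str(IPv4Address(ip))

    def resolve(self, qname: str) -> Answer:
        name = _canon(qname)
        if name in self.hosts:                    # exact match wins
            return ("A", self.hosts[name])
        labels = name.split(".")
        for i in range(len(labels)):              # most specific suffix first
            suffix = ".".join(labels[i:])
            if suffix in self.domains:
                ip = self.domains[suffix]
                return ("NXDOMAIN", None) if ip is None else ("A", ip)
        return ("FORWARD", None)                  # not overridden: ask upstream


if __name__ == "__main__":
    t = OverrideTable()
    t.add_host_override("myhost", "facebook.com", "192.168.1.6")  # the thread's first attempt
    t.add_domain_override("vg.no", "192.168.1.6")                 # address=/vg.no/192.168.1.6
    for q in ("myhost.facebook.com", "www.facebook.com", "vg.no", "www.vg.no", "notvg.no"):
        print(f"{q:22} -> {t.resolve(q)}")
```

    Note that "notvg.no" is not caught: suffix matching works on whole labels, not on substrings, so a domain-wide rule for vg.no never touches unrelated names that merely end in the same characters.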



  • @doktornotor:

    @JaredZen:

    Wouldn't Dansguardian package serve this purpose more properly?

    "How do i block specific websites without connecting to a proxy?"

    Sure, but acknowledging that such control is, most of the time, achieved using a proxy, it might be interesting to understand why Frozity tries to achieve it "not using a proxy"  ;)

    My understanding, reading his first post carefully, is that "not using a proxy" is triggered by the second part of this first post, i.e.

    "Is it possible to run Squid or something without needing to configure it on Chrome? So people will be connected to that Squid thing when they connect to the network"

    Keeping this in mind, an answer based on either WPAD or a transparent proxy makes sense, doesn't it?
    Well, I would not suggest a transparent proxy, but WPAD fits, IMHO  8)



  • From my standpoint, if you want a successful "DNS based" implementation, be sure you block DNS flow through your firewall, otherwise a clever user will bypass your control by relying on external DNS  ;)
    Last but not least, even with internal DNS "only", accessing a forbidden web site by typing its IP address can't be blocked using DNS (while a proxy can achieve it  8))

    Are you still convinced you want to achieve it without a proxy  ???
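    A way to check the first point from a client machine on the LAN, as an added example that is not part of the thread: query a public resolver and the pfSense resolver directly, bypassing the client's stub resolver and its cache. It speaks raw DNS over UDP with only the Python standard library, so it needs no `dig`; the two server addresses in the usage call at the bottom are placeholders. If the egress rule for port 53 is in place, the outside query times out; the pfSense query should return the override address or NXDOMAIN.

```python
# Added example (not from the thread): probe a resolver directly over UDP to
# check (a) that outside resolvers are unreachable from the LAN once the
# egress rule is in place and (b) what the pfSense resolver answers for the
# blocked name. Only the standard library is used; server addresses in the
# usage call at the bottom are placeholders.
import random
import socket
import struct
from typing import List, Optional, Tuple

RCODE_NXDOMAIN = 3


def build_query(name: str, qid: Optional[int] = None) -> bytes:
    """Minimal DNS query: one A/IN question, recursion desired."""
    qid = random.randrange(0, 1 << 16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.strip().rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += ln + 1


def parse_response(msg: bytes) -> Tuple[int, int, List[str]]:
    """Return (id, rcode, A-record addresses) from a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE/QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qid, rcode, addrs


def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Ask one server, bypassing the OS stub resolver and its cache."""
    query = build_query(name)
    sent_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout (filtered or unreachable)"
    qid, rcode, addrs = parse_response(data)
    if qid != sent_id:
        return "mismatched id (ignored)"
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode != 0:
        return f"rcode {rcode}"
    return ", ".join(addrs) if addrs else "NOERROR, no A records"


if __name__ == "__main__":
    # placeholders: LAN-side pfSense address and a public resolver
    for server in ("192.168.1.1", "8.8.8.8"):
        print(f"{server:12} vg.no -> {probe(server, 'vg.no')}")
```

    Because the probe never goes through the operating system's resolver, it also sidesteps the client-side caching that makes "nothing changed" results so confusing while testing overrides.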



  • Last but not least, even with internal DNS "only", accessing a forbidden web site by typing its IP address can't be blocked using DNS (while a proxy can achieve it  8))

    These days most complex web sites (like the ones people want to block here) use many different names/IP addresses to serve up the various components of the site. If you learn the (an) IP address of the site then sure, you can go to it and get some basic page. But a bunch of content will be referenced by other names, and if resolution of those is diverted by host/domain overrides then the user effectively has a very difficult time making any use of the site.
    So a DNS-only blocking strategy can still be practically effective.



  • @muswellhillbilly:

    The entry you've made where you've put 'myhost' means that the override will work when you try to visit 'myhost.facebook.com'. If you want it to resolve to 'www.facebook.com' enter 'www' in the Host field. Otherwise do as KOM suggests.

    I tried this, but it doesn't block the front page. But everything else gets blocked. I'm very confused.



  • I tried this

    You tried what?  Using www or leaving it blank?



  • @KOM:

    I tried this

    You tried what?  Using www or leaving it blank?

    Leaving it blank didn't do anything.


  • Banned



  • @doktornotor:

    https://forum.pfsense.org/index.php?topic=43835.0

    So i added  "address=/dev/192.168.1.6" and nothing changed.


  • Banned

    @Frozity:

    So i added  "address=/dev/192.168.1.6" and nothing changed.

    Please, try using your brain. Go re-read the post a couple of times.



  • @doktornotor:

    @Frozity:

    So i added  "address=/dev/192.168.1.6" and nothing changed.

    Please, try using your brain. Go re-read the post a couple of times.

    Please, be nice. This doesn't make sense to me.

    I'm trying to block this website: vg.no


  • Banned

    Then why on earth are you sticking dev there, instead of vg.no?!?!



  • @doktornotor:

    Then why on earth are you sticking dev there, instead of vg.no?!?!

    address=/vg.no/192.168.1.6

    It still doesn't block the front page, but when I click on "read article" etc. it gets blocked.


  • Banned

    "Nothing happened" is a worthless problem description. (BTW, the DNS results are cached; you need to flush the cache. Reboot the boxes you are testing this from if you don't know how.)



  • @doktornotor:

    "Nothing happened" is a worthless problem description. (BTW, the DNS results are cached; you need to flush the cache. Reboot the boxes you are testing this from if you don't know how.)

    Thank you for the help!


  • LAYER 8 Global Moderator

    There are really very few websites that would even load a basic page by IP, since almost everything is on a CDN and requires the Host header to know what to serve (multiple pages on the same IP).

    You could always validate this with the site you're looking to block by going to the IP yourself and seeing what content is provided.
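    The check the moderator suggests, scripted: fetch the same path from an IP once with the bare address as Host (what a browser sends when the user types the IP) and once with the real hostname, and compare. This is an added example, not code from the thread; `fetch`, `compare` and the tiny name-based demo server are constructed here so the script runs offline, and vg.no is only used as the example hostname. Against a real site, call `compare` with the site's public IP and drop the demo server.

```python
# Added example (not from the thread): see what an IP serves with and without
# the real Host header, which is the check the moderator suggests before
# trusting DNS-only blocking. The tiny demo server is constructed here so the
# script runs offline; vg.no is only used as the example name.
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Optional, Tuple

Result = Tuple[int, Optional[str], int]  # (status, <title>, body bytes read)


def fetch(ip: str, host: Optional[str], port: int = 80, path: str = "/",
          timeout: float = 5.0) -> Result:
    """GET path from ip. With host=None the Host header is the bare IP, which
    is what a browser sends when someone types the address directly."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    headers = {"Host": host} if host else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read(64 * 1024)
    conn.close()
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).decode("utf-8", "replace").strip() if m else None
    return resp.status, title, len(body)


def compare(ip: str, hostname: str, port: int = 80) -> Dict[str, object]:
    """Does the bare IP hand out the same page as the named site?"""
    bare = fetch(ip, None, port)
    named = fetch(ip, hostname, port)
    return {
        "bare_ip": bare,
        "with_host": named,
        # True means typing the IP bypasses a DNS-only block for this site
        "ip_alone_serves_site": bare[0] == 200 and bare[1] == named[1],
    }


class _DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a name-based virtual host: only answers for vg.no."""
    def do_GET(self) -> None:
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == "vg.no":
            status, body = 200, b"<html><title>VG front page</title><body>hi</body></html>"
        else:
            status, body = 404, b"<html><title>404 Not Found</title></html>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def start_demo_server() -> Tuple[ThreadingHTTPServer, int]:
    """Serve _DemoSite on a loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_demo_server()
    try:
        print(compare("127.0.0.1", "vg.no", port))
    finally:
        srv.shutdown()
```

    A site whose bare-IP fetch returns the same title as the named fetch is one a user can reach by typing the address, and for that site DNS overrides alone are not enough.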

