Blocking social media sites

  • Hi, what is the best practice for blocking social media sites, specifically Facebook? I have a client that wants to block 10 out of their 30 PCs, currently set up with dynamic IP.
    And what packages should I use? The reading I've done says squid and squidguard.

    I tried dansguard but no luck. I have tried squidguard and was able to block everything I wanted except for Facebook, via host name and all 50 IPs. I also tried Shalla's Blacklists but still didn't block Facebook.

  • For blocking HTTPS traffic (Facebook, Youtube…) with SquidGuard you need to use wpad (if you can).

    Without any package involved, have a look at whether you can use OpenDNS as DNS servers for those PCs... (maybe you will still want to identify the PCs you want to filter, by fixed IP or by an IP range allocated to them, and set firewall rules so they will not escape from OpenDNS)

    You can also try to use the pfBlockerNG DNS blocker, but by default it will filter for all PCs, so you will need to set the rest of the PCs to use other DNS servers.

  • LAYER 8 Global Moderator

    If you don't want to use the pfblocker or opendns, a simple config in unbound can prevent resolving of domains. If just a few, you can just put in the advanced section a redirect for the domain and then

    something like for example

    local-zone: "" redirect
    local-data: " A"

  • @johnpoz thank you for posting this method.
    Can you please let me know whether this method will still work if, in some setup, Unbound has to be set to forwarder?

  • LAYER 8 Global Moderator

    It should work in both forwarder and resolver mode; I use resolver mode. The data is local to unbound, just like a host override - but this allows for wildcarding of anything in that domain.

    Here I just added in my above example.. And as you see returns

    I use this method in blocking ad domains, but I load it from a file vs putting everything in advanced box

    include: /etc/unbound_ad_servers

    This is pretty much what the pfblock dnl option is doing, but they are returning an IP that is running a httpd that returns a 1x1 image for anything you request, I believe. This is just simpler to do and you don't have to install that pfblocker package. You could for sure redirect it to something that serves up something vs just a loopback address.
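
An added example, not part of any post in this thread: one way to build an include file like the one mentioned above from a plain or hosts-style domain list, emitting a `local-zone` redirect plus matching `local-data` for each entry. The sample domains, the function names and the `127.0.0.1` sink are assumptions; the domain and address that were lost from the post's snippet are not reconstructed here.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): plain, hosts-style and wildcard entries.
SAMPLE = ["# social media", "Facebook.com", "www.facebook.com.", "*.fbcdn.net",
          "0.0.0.0 ads.example.net  # hosts-file style", "bad_label.example.org"]

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(line):
    """Return a lowercase domain, or None for comments, blanks and malformed names."""
    fields = line.split("#", 1)[0].lower().split()
    if not fields:
        return None
    name = fields[-1].rstrip(".")          # hosts-style lines keep the name last
    if name.startswith("*."):
        name = name[2:]                    # a redirect zone already covers subdomains
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253 or labels[-1].isdigit():
        return None                        # single labels and bare IPs are rejected
    return name if all(_LABEL.match(label) for label in labels) else None


def collapse(domains):
    """Drop names already covered by a listed parent zone."""
    kept = set()
    for name in sorted(set(domains), key=lambda d: d.count(".")):
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)


def render(lines, sink="127.0.0.1"):
    """Build the include-file text; the loopback sink is an assumed default."""
    rtype = "A" if ipaddress.ip_address(sink).version == 4 else "AAAA"
    out = []
    for name in collapse(n for n in map(normalize, lines) if n):
        out.append(f'local-zone: "{name}" redirect')
        out.append(f'local-data: "{name} {rtype} {sink}"')
    return "".join(f"{line}\n" for line in out)


if __name__ == "__main__":
    print(render(SAMPLE), end="")
```

Running `unbound-checkconf` against the resulting configuration before reloading catches a malformed entry before it stops the resolver from starting.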

  • ok, thank you.

    I asked because I made a test:
    with Unbound set as Resolver with OpenDNS and only for some IPs port 53 redirected to use DNS forwarder on 8053 localhost with google DNS servers;
    and at some point I found that filtered domains from OpenDNS were not filtered any more for any IP, so I had to set Unbound to forwarder to work again…

    I think somehow Unbound as resolver cached filtered domains from DNS Forwarder, google answer for unfiltered IP.

  • LAYER 8 Global Moderator

    You don't seem to understand the difference between a forwarder and a resolver. If unbound is set to resolver, which is default – nothing would ever talk to opendns. Resolver means that it resolves down from root, talking to the authoritative servers down the tree from root to the owning nameserver of the domain you're doing a query for a record in.

    Sounds like you have a really convoluted mess. If you want to forward then forward, if you want to resolve then resolve. Why you would point clients to anything other than your dns is making it complicated. If you don't want things to resolve then set up your dns so those domains or fqdn don't resolve or return false info like the example.

    Only time I don't point to my dns is my guest wifi clients - they have no need to resolve any of my local stuff, I don't really care what they go to or do. They are isolated from my network, I just let them have internet. So they get handed public dns, and can not even query or talk to pfsense other than ping the guest wifi IP so they can validate connectivity.

  • My "setup mess" tries to do the same as your goal, but in my case I permit only some IPs from 4 different LANs to use other, unfiltered DNS servers; all others use the OpenDNS servers defined in pfsense.

    So this seems to be my mistake… I had the impression that the resolver will only talk with the DNS servers I defined in pfsense setup to resolve the request, in my case the OpenDNS servers, and nothing more.

    Thx for clarification.

  • LAYER 8 Global Moderator

    If you want these 4 lans to use some other dns, then point them there via dhcp. And in those lan rules block access to pfsense dns.

    Guess you could run forwarder for them on different which seems like what you're trying to do? But that makes it difficult. Just point them to, say, your isp dns on those lans' dhcp and allow that out. Here are my wifi guest rules

    They can ping pfsense wlan guest IP, then they are blocked from talking to any interface on pfsense, and then they are allowed to go to whatever they want as long as not any of my local networks. While the allow ! my local networks would normally keep them from talking to pfsense, they would still be able to talk to pfsense wan IP, etc. So that block is an easy way to make sure they can not talk to pfsense at all.

  • Here I already described the filtering goal I try to achieve in my "setup mess" with DNS filtering:

    At this moment it works - with the only limitation that IPs excepted from pfsense/OpenDNS filtering will also escape from pfblocker DNSBL (Unbound) Ads filtering, yes I understand why:
    I run:
    OpenDNS as the only DNS servers defined in pfsense setup (for parental filtering…).
    pfBlockerNG DNSBL to filter DNS Ads...
    Firewall rules to prevent other than excepted IPs to escape from pfsense/OpenDNS.

    DNS request is handled by:
    Forwarder on 8053 only for some excepted IP's assigned from 4 LANs -> google DNS ( to escape pfsense/OpenDNS filtering )
    Unbound as forwarder on 53 on all 4 LANs ->  pfsense/OpenDNS

    I prefer not to use the DHCP & DNS servers define method because:

    • for all clients the DNS server appears to be the same, for all LANs.
    • if I want to change, add/del excepted IPs - (I only have to add once in an alias).
    • if I want to disable/change these non-filtering DNS servers it is much easier to change/disable only one NAT redirect DNS rule than edit DHCP / IP config for each excepted IP.

  • LAYER 8 Global Moderator

    Well have fun then. Seems like a lot of work for something that can be accomplished just letting those segments outbound to use public dns.
