Why doesn't DD-WRT block https ??

CantRepeat
DD-WRT User


Joined: 18 Oct 2017
Posts: 153

PostPosted: Mon Jan 22, 2018 2:00    Post subject: Why doesn't DD-WRT block https ??
When I was using toastman's Tomato firmware you could block https access by simply adding it to a restriction.

I.e.: add these two URLs. By default toastman blocked https.

mesu.apple.com
appldnld.apple.com

Can this be added? I know it's been asked for a few times in the past.

Should this be added to a ticket?

_________________
-Tim
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 555

PostPosted: Mon Jan 22, 2018 6:57    Post subject:
You cannot just "block https"

Many sites out there use virtual servers that just have a single IP address. These use the SNI extension, which passes the URL in cleartext. A router CAN block those.

But others do not use SNI. These do not pass the URL in clear text; they start encryption immediately. The router cannot peek inside an encrypted connection (because it's encrypted, dummy!) to decide if that https URL is OK or not.

As a result you cannot know just by looking at the DNS name if it's an https URL that you could even detect to be able to block. Maybe it is going to a non-SNI host with a 1-to-1 match between an IP and a URL/domain name, and you can block that IP address. Or maybe it's going to the same virtual IP that your favorite p0rn site is using, and there's no way you would be willing to block it.

You can only block by 2 things: IP address (which could trash your p0rn site) or port 443, which will block all https sites.

In other words, https blocking isn't possible because it's not logical; there's no way to implement it on a router and have it work without jiggering around with the certs on every client involved.

toastman has it because either he's willing to accept that it just doesn't work half the time or he's an idiot and is assuming https is old-school one-to-one mapping from https URL to IP address. Since most users don't understand networking they think it's working when it isn't and are blissfully unaware, until it breaks something.
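The distinction tedm draws (a router can read a hostname out of a ClientHello only when the client sends the server_name extension; otherwise the router sees an IP address and nothing else) is concrete enough to show in code. The following is an added example, not code from DD-WRT, Tomato or anyone in this thread: it builds a minimal, constructed TLS 1.2 ClientHello with and without SNI, extracts the host name the way a firewall's TLS pre-filter would, and returns "undecidable" when there is nothing to match. The blocklist holds the two hostnames from the post; the function and variable names are the example's own.

```python
import struct

# Hostnames from the thread; subdomains of these are treated as matches too.
BLOCKLIST = {"mesu.apple.com", "appldnld.apple.com"}


def build_client_hello(sni=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32            # client_version + 32-byte random (fixed for the example)
    body += b"\x00"                               # session_id length 0
    body += b"\x00\x02" + b"\xc0\x2f"             # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"                           # compression_methods: null only
    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type host_name(0), length, name
        sn_list = struct.pack(">H", len(entry)) + entry          # ServerNameList
        extensions += b"\x00\x00" + struct.pack(">H", len(sn_list)) + sn_list  # ext type 0 = server_name
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # HandshakeType client_hello + uint24 len
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record: handshake, TLS 1.0 wire ver


def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                        # truncated record: refuse to guess
        return None
    pos = 2 + 32                                  # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0 or len(ext_data) < 5:
            continue
        list_len = struct.unpack(">H", ext_data[:2])[0]
        q = 2
        while q + 3 <= min(2 + list_len, len(ext_data)):
            name_type = ext_data[q]
            name_len = struct.unpack(">H", ext_data[q + 1:q + 3])[0]
            name = ext_data[q + 3:q + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii").lower().rstrip(".")
                except UnicodeDecodeError:
                    return None
            q += 3 + name_len
    return None


def decide(record, blocklist=BLOCKLIST):
    """'block' if the SNI is a listed host or a subdomain of one, 'allow' if SNI is present
    and unlisted, 'undecidable' if there is no SNI (only the destination IP is left to act on)."""
    host = extract_sni(record)
    if host is None:
        return "undecidable"
    parts = host.split(".")
    for i in range(len(parts)):
        if ".".join(parts[i:]) in blocklist:
            return "block"
    return "allow"


if __name__ == "__main__":
    for host in ("mesu.apple.com", "www.example.com", None):
        print(f"SNI={host!r:20} -> {decide(build_client_hello(host))}")
```

Two caveats a practitioner should keep in mind beyond what the post says: the SNI value is supplied by the client and is not authenticated at this point, so a client can lie in it (the hostname only becomes binding when the server's certificate is checked, which the router never sees in the clear), and the TLS 1.3 Encrypted Client Hello extension, where deployed, hides the name entirely, making every connection the "undecidable" case.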
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Mon Jan 22, 2018 7:46    Post subject: Re: Why doesn't DD-WRT block https ??
CantRepeat wrote:
When I was using toastman's Tomato firmware you could block https access by simply adding it to a restriction.

I.e.: add these two URLs. By default toastman blocked https.

mesu.apple.com
appldnld.apple.com

Can this be added? I know it's been asked for a few times in the past.

Should this be added to a ticket?



OK, https blocking is not working as intended, but you have a chance...

1. one way is to block addresses via additional DNSmasq options
example:
address=/online-metrix.net/0.0.0.0


2. Another way is via iptables rules. You can block an IP or even a source range of IPs; just add those rules to Commands and save to firewall. You have to find and define which IP you want to block. You can find the IPs corresponding to web sites here:
https://centralops.net/co/

example:
iptables -I FORWARD -s 52.84.0.0/14 -j DROP
iptables -I FORWARD -d 52.84.0.0/14 -j DROP

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
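Both of Alozaros' options rely on a list: hostnames for dnsmasq, netblocks for iptables. The added example below (not code from DD-WRT or from anyone in this thread) shows the bookkeeping a practitioner does before pasting such rules into Commands: it emits the `address=/host/0.0.0.0` lines, collapses a set of resolved addresses into the fewest CIDRs for `iptables -I FORWARD -d … -j DROP`, and checks a "must stay reachable" list against the result so that widening a rule to catch more aliases does not silently take in a neighbour on the same CDN range. All addresses are documentation-range values constructed for the example, not Apple's real records; the function names are the example's own.

```python
import ipaddress

# Constructed sample data: the two hostnames from the post, each with a few addresses as
# repeated lookups might return them. Documentation ranges only; these are not real records.
RESOLVED = {
    "mesu.apple.com": ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"],
    "appldnld.apple.com": ["203.0.113.14", "203.0.113.15", "198.51.100.7"],
}
# Addresses that must stay reachable (constructed); used to detect collateral damage.
KEEP = ["203.0.113.99", "198.51.100.8"]


def dnsmasq_lines(hosts):
    """Additional dnsmasq options that answer the listed names with 0.0.0.0 (option 1 in the post).
    Only effective for clients that actually resolve through the router's dnsmasq."""
    return [f"address=/{h}/0.0.0.0" for h in sorted(hosts)]


def summarize(ips):
    """Collapse individual addresses into the minimal set of CIDR blocks covering exactly them."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(ip) for ip in ips))


def widen(nets, prefix):
    """Round every block out to at least the given prefix length (e.g. /24) to catch unlisted
    aliases; this is where collateral damage comes from, so always run collateral() afterwards."""
    return list(ipaddress.collapse_addresses(
        n.supernet(new_prefix=prefix) if n.prefixlen > prefix else n for n in nets))


def iptables_rules(nets):
    """FORWARD-chain DROP rules in the form used by the post (option 2), one per block."""
    return [f"iptables -I FORWARD -d {n.with_prefixlen} -j DROP" for n in nets]


def collateral(nets, keep):
    """Addresses from `keep` that the rules would also drop."""
    return [ip for ip in keep if any(ipaddress.ip_address(ip) in n for n in nets)]


def net_size(cidr):
    """Number of addresses a single rule covers; a /14 like the one in the post is 262144."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(RESOLVED)))
    exact = summarize(ip for ips in RESOLVED.values() for ip in ips)
    print("\n".join(iptables_rules(exact)))
    print("collateral with exact blocks:", collateral(exact, KEEP))
    wide = widen(exact, 24)
    print("collateral after widening to /24:", collateral(wide, KEEP))
    print("addresses covered by 52.84.0.0/14:", net_size("52.84.0.0/14"))
```

The two checks worth keeping from this are `collateral()` and `net_size()`: CantRepeat's experience of ~20 then ~50 addresses still not blocking is the usual pressure to widen rules, and the /14 in the post drops over a quarter of a million addresses, which is exactly the "trash your p0rn site" failure mode tedm describes. Note also that neither dnsmasq nor the FORWARD chain affects clients that bypass the router's resolver or tunnel their traffic.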
CantRepeat
DD-WRT User


Joined: 18 Oct 2017
Posts: 153

PostPosted: Mon Jan 22, 2018 13:23    Post subject:
tedm wrote:
You cannot just "block https"

toastman has it because either he's willing to accept that it just doesn't work half the time or he's an idiot and is assuming https is old-school one-to-one mapping from https URL to IP address. Since most users don't understand networking they think it's working when it isn't and are blissfully unaware, until it breaks something.


I'm not sure why you would revert to name calling.

I don't claim to know how toastman's blocking works but it did.

Even if it was just a simple implementation, it did block Apple's https sites just fine. It blocked everything from Apple with just these two addresses.

https://mesu.apple.com
https://appldnld.apple.com


I tried blocking a bunch of Apple's IPs using the iptables rules. It was near 20 IPs and it still would not block the iOS updates, or iTunes updates for that matter.

Then start stacking on all the aliases and you end up with near 50 IPs.

I'm not trying to be rude to anyone involved, BS and fellow users alike.

Even if just a simple implementation is added with a note about effectiveness that would be great.

_________________
-Tim
CantRepeat
DD-WRT User


Joined: 18 Oct 2017
Posts: 153

PostPosted: Sat Jan 27, 2018 18:14    Post subject:
Well, I just wanted to close this with a solved post.


If you remember to click the "Catch all P2P Protocols" and enter just:

mesu.apple.com
appldnld.apple.com

DD-WRT will block https and stop all traffic including iOS updates as well as iTunes updates.

Cheers!!

_________________
-Tim