Posted: Tue Oct 16, 2018 21:01 Post subject: DNSMasq - Block sites - HowTo
Hi all,
I need to configure the accesses of a station (PC-Windows) to meet the following rules:
1. completely free only three sites for external access;
2. block external access to all sites;
3. block all HTTPS sites;
To do general blocking of the main HTTPS sites, I use DNSMasq, which points the URLs of the domains to the IP: 127.0.0.1
ex: address=/facebook.com/127.0.0.1
address=/instagram.com/127.0.0.1
Using DNSMasq, is there any way to block all sites and only release the three that I need?
If it is not possible, how to combine the DNSMasq rules with the IPtables rules to make these locks?
Posted: Tue Oct 16, 2018 21:46 Post subject:
this is dns blocking not total site blocking, but it works for novice users and is good for ad/tracking blocking. if you're going to use this, make sure to force the dns setting on main setup page.
don't use 127.0.0.1, use 0.0.0.0 (and :: for ipv6) but best is just / so "address=/google.com/" for NXDOMAIN, and one entry covers both ipv4 and ipv6, = less than half the total file size.
using it in dnsmasq config uses nvram space, it won't last long, so stick it in a .txt file, name it something simple with no spaces like adblock.txt, put it in /jffs or on a usb (if usb works properly in ddwrt yet). once loaded it sits in ram.
address=/com/ should block all .com sites
server=/google.com/# would override that only for x.google.com while remaining .com are all blocked
Using DNSMasq to return a false IP address for a DNS lookup does not block a site. You can still access it using its IP address or by using a hosts file.
To block sites you need to use iptables firewall rules. You need one accept rule for each of the three addresses that you want to permit access, then a rule to reject traffic to all other addresses.
Thanks, I made an iptables command group, but for sites that change the IP and use https, like facebook, it's very difficult to make specific iptables rules.
Another point is that I need to make a selective block, each station needs different block rules.
tatsuya46,
I need to make a selective block, each station needs different block rules. Is it possible to apply these instructions to a specific station?
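The two approaches discussed in this thread (a dnsmasq allowlist, and iptables accept rules followed by a reject) can be generated together for one station; the script below is an added example, not code from any poster, and it only prints the configuration without applying it. The station address, the domains, the destination IPs and the chain name `allow_<ip>` are constructed placeholders, and the catch-all `address=/#/` form comes from the dnsmasq man page rather than from the thread.

```shell
#!/bin/sh
# Added example: prints a dnsmasq allowlist and per-station iptables rules.
# Nothing is applied; all addresses and domains are constructed placeholders.

valid_ipv4() {  # dotted quad, each octet 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_domain() {  # lowercase hostname only; rejects "/", spaces and newlines
    case "$1" in *[!a-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# dnsmasq_allowlist DOMAIN...
# Answer every name with the null address, except the listed domains, which
# go to the normal upstream servers ("#"), as in server=/google.com/# above.
dnsmasq_allowlist() {
    for d in "$@"; do
        valid_domain "$d" || { echo "bad domain: $d" >&2; return 1; }
    done
    printf 'address=/#/0.0.0.0\naddress=/#/::\n'
    for d in "$@"; do printf 'server=/%s/#\n' "$d"; done
}

# iptables_station_rules STATION_IP ALLOWED_IP...
# One ACCEPT per permitted destination, then a REJECT for everything else,
# in a chain that only traffic forwarded from this station enters.
iptables_station_rules() {
    station=$1; shift
    for ip in "$station" "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }
    done
    chain="allow_$(printf '%s' "$station" | tr . _)"  # hypothetical chain name
    echo "iptables -N $chain"
    for ip in "$@"; do echo "iptables -A $chain -d $ip -j ACCEPT"; done
    echo "iptables -A $chain -j REJECT"
    echo "iptables -I FORWARD -s $station -j $chain"
}

# Constructed sample run: one station, three permitted sites.
dnsmasq_allowlist example.com example.org example.net
iptables_station_rules 192.168.1.50 203.0.113.10 203.0.113.20 198.51.100.5
```

The `address=`/`server=` lines apply to every client of that dnsmasq instance, while the iptables chain is specific to the one station. The validation matters because the domain is written between `/` separators, so an unchecked value containing `/` would change the meaning of the dnsmasq line.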
Hi, First, It was shown what happened when our client connects to a "good" DHCP+DNS server, and then tries to reach an external website. Open three terminal windows. I also use a web proxy service for searching anonymously and don't have to worry about speed and privacy.