Block all internet access except a few pages

Hi. The local school has an OpenWRT router in the classroom. Their request is to block everything and have access only to 5 pages, whose IPs change frequently.
Is this possible? If yes, how?

Forward the requests for those 5 names/FQDNs to the upstream router.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#selective_dns_forwarding

OK, the 5 domains will be whitelisted. How do I block everything else?

You can probably use /#/0.0.0.0 for the rest; if not, just use a bogus IP for the upstream DNS.
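
The two suggestions above (selective forwarding plus a `/#/0.0.0.0` catch-all) combined into one dnsmasq allowlist, as an added example that is not from any poster in this thread. The function names, the `.example` domains and the resolver address 192.0.2.1 are placeholders; `policy_for` mirrors dnsmasq's rule that a more specific `server=/name/` entry wins over `address=/#/`, and the result restricts name resolution only.

```shell
#!/bin/sh
# Added example: build a dnsmasq allowlist. Names and resolver IP are placeholders.

# Accept only plain hostnames, so a typo cannot smuggle in an extra directive.
valid_name() {
    case "$1" in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Usage: allowlist_conf UPSTREAM_IP NAME...
# Prints dnsmasq directives: forward the listed names, answer 0.0.0.0 for the rest.
allowlist_conf() {
    upstream=$1; shift
    echo "no-resolv"              # ignore resolvers learned from the WAN side
    for name in "$@"; do
        valid_name "$name" || { echo "bad name: $name" >&2; return 1; }
        echo "server=/$name/$upstream"
    done
    echo "address=/#/0.0.0.0"     # catch-all for every other name
}

# Usage: policy_for QUERY NAME...
# Reports what the generated config does with QUERY: a listed name or any of
# its subdomains is forwarded, everything else falls through to the catch-all.
policy_for() {
    query=$1; shift
    for name in "$@"; do
        case "$query" in
            "$name"|*."$name") echo forward; return 0 ;;
        esac
    done
    echo blocked
}

# Constructed sample input: two allowed sites, one upstream resolver.
allowlist_conf 192.0.2.1 school.example lms.school.example
```
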

That would mean DNS based blocking, right? How do you deal with DNS requests from the clients not directed to the openwrt router? Or with DoH/DoT?

Yes, it could be bypassed by using IPs only, unless the sites in OP's case are all local; then internet access could be blocked completely.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

Okay, possible. It seems to be the most generic solution. (I would tunnel it via ssh or tor browser :wink: )

The question is, how much control do we have over the clients? If they are classic stationary PCs, we could force them to use a proxy running on the router and block everything else. If they are smartphones and tablets of the people there, this is theoretically possible, but not practical.

Sure, if clients aren't air gapped.

There's redsocks,
you can block external DNSes, DoT and DoH, etc.

If users have phones, they can always share internet via wifi to any client, assuming the clients have wifi, or use USB tethering.

The clients have their settings locked to get DHCP and DNS from the router.