Block all website url except some whitelisted

Hi, I have a router with OpenWRT, and I need to set up a blocked network with only a few accessible websites on a whitelist. What is the best way to do that? I'm not an expert, so please explain in detail.

I have tried this, but I can still access any domain; it didn't work.

Which dns backend did you use? You need to manually reference this special block list in your config! E.g. for dnsmasq (/etc/config/dhcp in 'dnsmasq' config section):

option serversfile '/tmp/adb_list.jail'

I have added the string to the dnsmasq config and it works, but when I reboot the router my strings are deleted from the config and it doesn't work. This is my config file before reboot:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option serversfile '/tmp/adb_list.overall'
        option serversfile '/tmp/adb_list.jail'

On reboot the last line is deleted. I even tried replacing "overall" with "jail", but on reboot I get the same problem.

It was never intended to run both lists in the same dns instance. Please provide the output of

/etc/init.d/adblock status

adblock runtime information

  • adblock_status : enabled
  • adblock_version : 3.5.2
  • overall_domains : 0 (normal mode)
  • fetch_utility : /bin/uclient-fetch (-)
  • dns_backend : dnsmasq (/tmp)
  • last_rundate : 15.01.2019 10:34:23
  • system_release : GL.iNet GL-AR150, OpenWrt 18.06.1 r7258-5eb055306f

This is after reboot with only .overall file

Thanks!

As said before, adblock doesn't support both list types in the same dns instance. Therefore it might be the best way to disable adblock and maintain your 'jail' list manually. For example:

  1. disable adblock (/etc/init.d/adblock disable)
  2. create a new 'jail' list in your /etc directory (> /etc/adb_list.jail)
  3. edit this file and add the following content:

        server=/google.com/#
        server=/#/

  4. reference this newly created file in your dhcp config like before
  5. reboot & check ... only google.com should be available ...

Hope this helps!

@dibdot This didn't work for me.
I am not able to find anything on google search about this new config option (serversfile) in /etc/config/dhcp.
dnsmasq restart log also doesn't leave any trace about this option, whether it read the file or not etc.

Edit: probably that option serversfile is same as --servers-file. However it doesn't seem to be working. Sites which are not in this file are also accessible.

The 'serversfile' option ('servers-file' directive in dnsmasq) was added to OpenWrt around four years ago with this commit: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=88fa9a8422a4352a34e33dc3229a561ec74e5b43

Historic releases like BB are generally out of date and no longer maintained.

What does this option do for blocking/whitelisting?
On one hand I see this file '/tmp/adb_list.overall' referenced, which contains blacklisted domains.
Then on the other hand, you are suggesting to create /tmp/adb_list.jail, which is supposed to contain whitelisted domains.
Is there something in the syntax below? Any help appreciated. I haven't been able to find much info on this serversfile option.
server=/google.com/#
server=/#/

Edit: I have figured this out with experiments. No further queries as of now. This approach appears to be working. Thanks @dibdot for your support.

1 Like
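The manual jail list described above, and the `server=/.../#` syntax asked about in the last post, as an added example that is not code from any poster or from adblock. The function names `make_jail` and `jail_lookup` are hypothetical, the whitelist is constructed sample input, and `jail_lookup` is a simplified model of dnsmasq's "most specific domain wins" matching rather than dnsmasq itself.

```shell
#!/bin/sh
# Added example, not adblock's code. Function names are hypothetical.

# make_jail: read one domain per line on stdin, print servers-file lines.
# IP addresses and malformed names are skipped (reported on stderr, exit
# status 1): a servers-file only controls DNS lookups, never raw IP traffic.
make_jail() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        d=$(printf '%s' "$line" | sed 's/#.*//' | tr -d ' \t\r' | tr 'A-Z' 'a-z')
        d=${d%.}
        [ -z "$d" ] && continue
        if printf '%s\n' "$d" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
            echo "skipped, IP address: $d" >&2; rc=1; continue
        fi
        if ! printf '%s\n' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$'; then
            echo "skipped, not a domain: $d" >&2; rc=1; continue
        fi
        printf 'server=/%s/#\n' "$d"   # '#' = use the normal upstream servers
    done
    printf 'server=/#/\n'              # any other name: no upstream, local answers only
    return "$rc"
}

# jail_lookup FILE NAME: simplified model of how a name is handled. The rule
# with the longest matching domain suffix wins; domain '#' matches any name.
jail_lookup() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); name=${name%.}
    best=-1; verdict=forward           # no rule at all: forwarded as usual
    while IFS= read -r rule; do
        case $rule in server=/*/*) ;; *) continue ;; esac
        rest=${rule#server=/}; dom=${rest%%/*}; target=${rest#*/}
        case $dom in
            '#') len=0 ;;
            *) case ".$name" in *".$dom") len=${#dom} ;; *) continue ;; esac ;;
        esac
        if [ "$len" -gt "$best" ]; then
            best=$len
            if [ -n "$target" ]; then verdict=forward; else verdict=blocked; fi
        fi
    done < "$1"
    echo "$verdict"
}

# Demo on a constructed whitelist (sample input, written to a temp file).
JAIL=$(mktemp)
printf 'google.com\n# syslog host\n49.35.20.84\nOpenWrt.org.\n' | make_jail > "$JAIL" 2>/dev/null || true
cat "$JAIL"
for n in www.google.com openwrt.org notgoogle.com; do echo "$n: $(jail_lookup "$JAIL" "$n")"; done
```

On the router, the output of `make_jail` would be redirected to the file referenced by `option serversfile`, such as the /etc/adb_list.jail from the post above.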

I want to do IP and URL whitelisting at the same time.
Let me explain with an example.

  1. I want to whitelist google.com and 49.35.20.84
  2. I have my syslog server hosted on Gcloud, which has the IP 49.35.20.84

Problem:
When I whitelist google I can't ping the IP 49.35.20.84. Obviously I can't reach it because I have whitelisted google.com with the above method.

Request:
@dibdot can you tell me how I should whitelist this 49.35.20.84 IP and URL at the same time?
Thanks in advance.

This thread is a year old, you may wish to create a new thread in the future.

Then simply use Adblock to whitelist it.

Adblock doesn't block IPs, so that's OK.

That's incorrect and not obvious. Connecting via IP should always work, unless you're using some other block software. In addition, whitelisting should allow access, not block it.

user@not-blocked:~$ nslookup xxxxxxwebnews.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	xxxxxxwebnews.com
Address: 78.140.190.xxx
Name:	xxxxxxwebnews.com
Address: 78.140.190.xxx
user@blocked:~$ nslookup xxxxxxwebnews.com
Server:		127.0.0.53
Address:	127.0.0.53#53

** server can't find xxxxxxwebnews.com: NXDOMAIN

user@blocked:~$ ping 78.140.190.xxx -c 4
PING 78.140.190.100 (78.140.190.xxx) 56(84) bytes of data.
64 bytes from 78.140.190.xxx: icmp_seq=1 ttl=54 time=86.6 ms
64 bytes from 78.140.190.xxx: icmp_seq=2 ttl=54 time=86.2 ms
64 bytes from 78.140.190.xxx: icmp_seq=3 ttl=54 time=86.1 ms
64 bytes from 78.140.190.xxx: icmp_seq=4 ttl=54 time=86.6 ms

--- 78.140.190.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 86.117/86.418/86.693/0.320 ms

(xxxxxx == pushed)

Hi, where do you specify this option in adblock, like @vgaetera mentioned:
"there's already an option in adblock for such restrictive "whitelist only" mode: [adblock_jail]"

I'm on Adblock Version 3.8.15 & OpenWrt 19.07.1 r10911-c155900f66 / LuCI openwrt-19.07 branch git-20.029.45734-adbbd5c. I can't seem to find this option?

thanks

Did you click Advanced?

Yes I did. Unless I'm not understanding, this whitelist is for exceptions to the default /tmp/adb_list.overall. But how do you enable the /tmp/adb_list.jail in this version for restrictive whitelist-only mode?

Hi, sorry to hijack this thread. This feature has been removed a while ago ... you can simply do it yourself, check this post: Block all website url except some whitelisted here in this thread.

thanks @dibdot , so what you're saying is that there is no luci gui to input the whitelist anymore and you have to manually edit the adb_list.jail file?

Well, no one has asked for it for a long time, therefore I've removed this ... of course I can re-add this to adblock 4 again.

fyi, adblock 4pre4 now includes jail list creation again (Adblock 4 pre-releases).

2 Likes