How to block particular Web sites

How do I configure an OpenWrt router to block a particular Web site?

I am looking for the equivalent of entering a line like

127.0.0.1 mediacategory.com

into a Windows computer's hostfile. I believe the general strategy is to frustrate the DNS query.

I'd like to know

  • which config file (e.g. /etc/config/network) to edit and the exact block of lines to add (just the minimum lines)
  • any way to do it on LuCI.

I saw these earlier posts, but found them confusing.

Blocking websites on your router
Need help to block certain websites

In /etc/config/dhcp in section config dnsmasq insert the following:

list address '/mediacategory.com/127.0.0.1'

LuCI/Network/DHCP and DNS/General Settings

image

2 Likes

Thank you so much!

Do you happen to know whether so listing mediacategory.com would also block these?

Yes all subdomains also will be blocked.

1 Like

Better use the server option that applies to both IPv4 and IPv6 returning the proper NXDOMAIN reply from the DNS server:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dns_filtering

2 Likes

Thank you! That page is filled with goodies.

But what do those uci commands translate to in term of edits to a config file? Or at least which is the config in question (so I can issue the uci commands and see their effect)?

/etc/init.d/dnsmasq does not look like something I should mess with.

In general, I wish OpenWrt documentation, on providing uci commands guidance, would at least say which config files are being so edited.

1 Like

To see the results of the commands, you can navigate here:

  • LuCI > Network > DHCP and DNS > General Settings > DNS forwardings
1 Like

Thank you again. Then in terms of config files, I'd be looking at /etc/config/dhcp? (Because pavelgl's answer also connects /etc/config/dhcp with the same LuCI item.)

1 Like

Yep, you should find some spare time to read about UCI to understand it better:
https://openwrt.org/docs/guide-user/base-system/uci

This is one of the essential parts of OpenWrt and many tutorials heavily rely on it.

1 Like

Yes. I was thinking to myself I would need uci commands if one day I am to automate into scripts any of this extensive setup process. I couldn't automate my finding the right config, opening it, looking it over, etc.

1 Like

I found these results:

  • If I enter into LuCI /mediacategory2.com/127.0.0.1, the config receives (shows) list server '/mediacategory2.com/127.0.0.1'.
  • If I enter into config list server /mediacategory3.com/127.0.0.1 in config, LuCI receives /mediacategory3.com/127.0.0.1.
  • If I enter into config list address /mediacategory4.com/127.0.0.1, LuCI does not show it that at all.

I have not yet test whether config's list address /mediacategory4.com/127.0.0.1 does what it's supposed to do (block the site) regardless of correlation with LuCI.

Anyway, perhaps list address is deprecated since you last used it insofar as correlation with LuCI goes?

On running the "blacklist" items ending with a restart, I got this output:

root@OpenWrt:/# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
root@OpenWrt/# 

See "failing" toward the end. The blocking however worked as intended.

Should I understand the "failing" as a reference to a failed dns query, i.e. just the thing I wanted?

Or was that some other failing that was going to give me grief later on?

It should fail, that's the whole point of testing for another rogue(?) DHCP server on the network (there must never be more than one (aside from very special, fine-tuned exterprise setups) DHCPd on a physical network, therefore dnsmasq checks before starting up if there already is a(nother) DHCPd running in this network segment and refuses to start up, if there is (unless explicitly forced to ignore that)).

2 Likes

Oh great. I think you are telling me

  • it is not a failure of dns query, but some other failure (viz. of search for a competing dhcp server)
  • the fail is what I want and will not give me grief.

Thanks.

1 Like

You are mixing options "address" and "server".
If you prefer the vgaetera's solution, do not put any IP address after the domain name.

list address '/mediacategory.com/127.0.0.1
list address '/mediacategory2.com/127.0.0.1'
list address '/mediacategory3.com/127.0.0.1'
list address '/mediacategory4.com/127.0.0.1'
list address '/mediacategory5.com/127.0.0.1'
list server '/mediacategory6.com/'
list server '/mediacategory7.com/'
list server '/mediacategory8.com/'
list server '/mediacategory9.com/'
list server '/mediacategory10.com/'

image

2 Likes

Thank you for your further input.

I cannot duplicate your results. I have entered, per your instructions, this line into /etc/config/dhcp (and did the "restart").

        list address '/mediacategory5.com/127.0.0.1'

My result is that I don't get an "Addresses" popup in LuCI at all (like the one in your picture). Thus, no question of "5" showing up there or not.

I could not follow your instructions on using LuCI (for entering hosts) because, again, the "Addresses" popup is not there.

My earlier reply to you was about entering "/mediacategory2.com/127.0.0.1" into LuCI's "DNS forwardings" popup, which is indeed mixing up your instructions with vgaetera's. Sorry about that.

I am using a release 19.07.8 for "ath79". I believe the release simply does not give me "Addresses."

Ok, now I see the confusion. I made the tests with release 21.02. I have another device with release 19.07.8 installed and the corresponding field in LuCI is missing. However the option is available and it works as expected. You could try UCI:

uci add_list dhcp.@dnsmasq[0].address="/mediacategory.com/127.0.0.1"
uci add_list dhcp.@dnsmasq[0].address="/mediacategory2.com/127.0.0.1"
uci add_list dhcp.@dnsmasq[0].address="/mediacategory3.com/127.0.0.1"
uci commit dhcp
/etc/init.d/dnsmasq restart

and then check the result:

uci show dhcp.@dnsmasq[0].address

Anyway, the “address” option makes the DNS server to return a specific manually entered IP address, corresponding to the domain name (like in the hosts file as you initially asked). The “server” option forwards the request regarding to that domain name to an external DNS server. If the IP address of the external DNS server is not specified, then the request is dropped with a message, that the domain name cannot be found. So, use the “server” option, which as I see is available in LuCI in release 19.07.8. The other advantage of the "server" option (as was mentioned by vgaetera) is that it will drop also the ipv6 requests.

#address option
root@OpenWrt:~# nslookup mediacategory.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      mediacategory.com
Address 1: 127.0.0.1
*** Can't find mediacategory.com: No answer <--IPv6

#server option
root@OpenWrt:~# nslookup mediacategory4.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find mediacategory4.com: NXDOMAIN
** server can't find mediacategory4.com: NXDOMAIN
2 Likes

Great! Thanks again. I am selecting your second to last entry as "solution," for its conspicuous display of the differences between the two approaches.

These exchanges also solved for me the mystery of 19.07.8. I thought 19 could not be the year because it's 21 now. I never suspected that development could have stopped for my model of router!

1 Like

As a general point, this is close to the various ad-blocking solutions that exist, available openwrt utilities such as "adblock" or external DNS servers such as "pi-hole". These trade effort in setting up for more flexible control. Some browsers have built-in adblocking, but that can't handle this problem.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.