URL-filter for OpenWrt Barrier Breaker

Hi frollic

My topology is as follows:

{Internet}-----------(WAN)[AP]---------(WiFi)------------[Mobile-phone]

Parental control appears to block web access at some scheduled time,
but my requirement is to block certain websites on the mobile phone connected via our access point.

Is "AP" used as a router?

Hi frollic

yes, exactly

Are you happy with a 6.5-year-old and insecure operating system?


Hi frollic,

Yeah, I know, but switching would be a costly job for now.

I am looking for some alternatives to support URL filtering in this version only.

Please suggest.

then dnsmasq should work just fine, as long as you do what you've been told here

DNS-level blocking needs far fewer resources than URL analyzing.

banIP could be useful too, for stopping DoH requests going out.

BB is so old that a lot of packages can't be installed. Just update.


Hi tapper

Can you suggest any package for URL filtering, if I update my OpenWrt?

Thanks

you should really un-focus on URL filtering.

Difficult (maybe impossible?) nowadays, because most sites use HTTPS so the router never gets to see the full URL, only the IP (and hostname if your router is the DNS server). If you want to block URLs you'll probably need something at the browser level.

I use this option in dnsmasq.conf to completely block youtube (NXDOMAIN is returned for the listed domains and their subdomains):

# Block Youtube
address=/youtube.com/youtu.be/youtubei.googleapis.com/youtube.googleapis.com/www.youtube-nocookie.com/googlevideo.com/ytimg.com/youtube-ui.l.google.com/ytimg.l.google.com/ytstatic.l.google.com/

However, I think this requires two dnsmasq instances (one for kids' devices, one for everything else) if you want to apply this rule only to kids' devices. That's how I have it set up anyway - I have another dnsmasq instance running on a different AP, with the above rule in its dnsmasq.conf file, and I give the address of that DNS server to my kids' devices, like this:

# Devices use the local DNS server (192.168.1.1) by default
# This uses OpenDNS upstream servers which are set up to filter porn, malware, gore sites etc.

# Kids devices use 192.168.1.2
dhcp-mac=set:kidsdevice,XX:XX:XX:XX:XX:XX # Kids device 1
dhcp-mac=set:kidsdevice,XX:XX:XX:XX:XX:XX # Kids device 2
dhcp-mac=set:kidsdevice,XX:XX:XX:XX:XX:XX # Kids device 3
dhcp-option=tag:kidsdevice,option:dns-server,192.168.1.2

# Devices with completely unrestricted DNS (1.1.1.1)
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 1
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 2
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 3
dhcp-option=tag:unrestrict,option:dns-server,1.1.1.1,1.0.0.1

I also have a script that pulls a list of DoH servers from here and adds them to an ipset, running every night to keep the list up to date. I then have a firewall rule that blocks any traffic to those IPs, and another rule that redirects all forwarded traffic on port 53 to the local DNS server (except for the totally unrestricted devices).

I'm sure a time will come when the kids work out how to get around all of this, but it's good enough to stop them accidentally stumbling upon most bad stuff. I figure that once they're actively looking for porn it's going to be very difficult to stop them anyway.

Hi tievolu,

An idea just clicked!

Can we just do likewise:

  1. Block every website on the mobile connected via WiFi
  2. Permit only selected websites

I mean, block everything except "forum.openwrt.org". This kind of approach.
In this way, we can have a permitted list of websites for kids. Any suggestions on how to do so?

Thanks in advance

Yes, you can do that in dnsmasq.conf, like this:

# Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
server=/another.whitelisted.domain/1.1.1.1

# Block all other domains (i.e. return NXDOMAIN)
address=/#/

You will still need two dnsmasq instances though I think.

The man page for dnsmasq is here btw.

You might be able to set up a virtual SSID on a separate VLAN, just for the kids devices, and use a separate dnsmasq instance for that VLAN. That isn't something I've tried myself though.

If you're only blocking some devices, and don't have an adblocker set up, you can simply pass all "permitted" clients to a downstream DNS, while you announce your internal DNS to those who should
be stopped/restricted.

Yes, you're right :+1:. I was still thinking of my case where I want three levels of filtering (no filtering, OpenDNS filtering, and OpenDNS+YouTube)

So a setup with two classes -- unrestricted DNS or whitelisted DNS -- would look something like this:

# Setup DNSMasq in LuCI to send the local DNS server to DHCP clients by default

# Devices with unrestricted DNS (1.1.1.1)
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 1
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 2
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 3
dhcp-option=tag:unrestrict,option:dns-server,1.1.1.1,1.0.0.1

# Local DNS server: Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
server=/another.whitelisted.domain/1.1.1.1

# Local DNS server: Block all other domains (i.e. return NXDOMAIN)
address=/#/
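How the two dnsmasq configs above interact, as an added example that is not from the thread: a small Python model of dnsmasq's documented matching rules (the longest matching domain wins, `#` matches anything not matched more specifically, and matches fall on label boundaries), run against constructed subsets of the posted blocklist and allowlist. It only illustrates the precedence; the router's real dnsmasq is what decides.

```python
"""Model of how dnsmasq picks among address=/.../ and server=/.../ rules.
Added example, not from the thread: constructed subsets of the configs posted
above, run through the matching rules dnsmasq documents (most specific matching
domain wins, '#' matches everything, matches respect label boundaries)."""

# Constructed configs mirroring the two posts above.
BLOCKLIST = """
# Block Youtube (NXDOMAIN for these domains and their subdomains)
address=/youtube.com/youtu.be/googlevideo.com/
"""
ALLOWLIST = """
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
address=/#/
"""
NXDOMAIN = ("nxdomain", None)
DEFAULT_UPSTREAM = ("forward", "default-upstream")  # dnsmasq's ordinary server= list

def parse_rules(text):
    """Return [(domain, action)]; action is ('forward', ip), ('nxdomain', None) or ('answer', ip)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = value.split("/")  # '/a/b/1.1.1.1' -> ['', 'a', 'b', '1.1.1.1']
        domains, last = parts[1:-1], parts[-1]
        if key == "server":
            action = ("forward", last)
        elif key == "address":
            action = ("answer", last) if last else NXDOMAIN
        else:
            continue  # dhcp-* and other options play no part in name matching
        rules.extend((d.lower(), action) for d in domains)
    return rules

def matches(query, rule_domain):
    """'#' matches every name; otherwise the name itself or a subdomain of it (label boundary)."""
    return rule_domain == "#" or query == rule_domain or query.endswith("." + rule_domain)

def resolve(query, rules):
    """Longest matching rule domain wins, so a server= whitelist entry beats address=/#/."""
    query = query.rstrip(".").lower()
    hits = [(len(d), action) for d, action in rules if matches(query, d)]
    return max(hits, key=lambda h: h[0])[1] if hits else DEFAULT_UPSTREAM

if __name__ == "__main__":
    for name in ("m.youtube.com", "notyoutube.com"):
        print(f"blocklist  {name:24} -> {resolve(name, parse_rules(BLOCKLIST))}")
    for name in ("forum.openwrt.org", "openwrt.org", "www.youtube.com"):
        print(f"allowlist  {name:24} -> {resolve(name, parse_rules(ALLOWLIST))}")
```

Note that `notyoutube.com` is not caught by the blocklist (no label boundary), while under the allowlist even `openwrt.org`, the parent of the whitelisted forum, gets NXDOMAIN from `address=/#/`.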

Do note that DNS-based restrictions like that can easily be avoided by client devices if they set up a custom DNS server like 8.8.8.8, or if they use modern browsers like Firefox, which uses DNS-over-HTTPS by default (contacting its own DNS server and ignoring whatever is set by the system). I don't know if Chrome has this enabled by default or not.

Also, proxies and VPNs will bypass this easily. For example, there are hundreds of YouTube proxies (a website that redirects to YouTube).

So yeah, it might stop old people or very young kids, but it won't stop a teenager or an adult who can just google a bit. And as the other guy said above, you need to disable a bunch of IPs to block traffic that wants to go to other DNS and DNS-over-HTTPS servers, because that is a much more common thing for applications than in the past.

I mean, OK, try this first, but don't be surprised if after a year you need to update to a more serious firewall device that can actually do more than basic IP and DNS blocking.

Looks like you just googled yourself a bit, only. Redirecting DNS (53) to the filtering DNS will take care of 8.8.8.8 or any other standard DNS server. DoH to well-known servers, i.e. 1.1.1.1, can be disabled using the firewall, or using some browser-specific DNS setup. The only bypass here would be a private DoH server, but that is not to be done by a "teenager or adult, who can just google a bit". VPNs can be blocked, too, more or less.
HTTPS-based proxies are a different story, though.

Not at all. Did you miss what I said?

you need to disable a bunch of IPs to block traffic that wants to go to other DNS and DNS-over-https, because that is a much more common thing for applications than in the past

Also, do you have an updated list of all YouTube or whatever proxies? Because guess what happens when you search "youtube proxy" or "facebook proxy" on Google.

I guess you need to add a ton of IPs to that blacklist, or switch to a whitelist that will most likely suck and make the users hate you and just go try to get their internet from somewhere else entirely.

There are literally countless tutorials to sidestep these limitations: https://www.howtogeek.com/167418/5-ways-to-bypass-internet-censorship-and-filtering/

If you want to stop someone who can use a VPN (and FYI there are A LOT of ads for VPNs nowadays on both YouTube and other media, cheap and easy to use), DNS blocking is a waste of time.

VPNs don't need to use DNS (in many cases the server IPs are hard-coded in the config) and can choose multiple protocols over different non-standard ports. So even more IPs to add to your blacklist and keep updated.
All this is automated on the client side; the user does not need to know much. Using a VPN is easy for everyone.

--

I'm not saying to not do this and accept defeat, I'm just saying don't expect this to stop anyone that is actually trying to bypass it.

DNS blocking in the 21st century is the network equivalent of a garden fence.


No.
First: redirecting port 53 to the filtering DNS makes IP blocking of DNS servers obsolete.
Second: there are DNS-based methods to disable the usage of DoH in browsers, at least.
So you are less than 50% correct in the statements you mentioned.

Regarding VPNs: blocking based on destination ports, which are usually not equal to 80/443.
You even wrote that yourself.

Of course, IP-based blocks enhance both methods from above.

It will not block everyone. But the "teenager or adult, who can just google a bit", definitely.
BTW: to gain access to "proxysite.com", DNS has to be used first. Which is blocked, of course.

Last but not least, it is not a big deal to handle a large IP-based blocklist for well-known VPNs and proxies. It will give every user a hard time finding a hole.
From the link you gave, only TOR is a real challenge, that's correct. But it's not an option for permanent usage, anyway. Give it a try yourself :slight_smile:

Just out of interest, can you elaborate on that? My conclusion from all the info I found was that DoH can only be blocked with firewall rules.

EDIT: I assume you're referring to this: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet