URL-filter for OpenWrt Barrier Breaker

Hi folks,

I am trying to block certain websites from being accessed via my Access Point.
I have tried the following methods:

  1. iptables
  2. using /etc/dnsmasq.conf
  3. using /etc/hosts
  4. using some .ipk packages

but I am not getting any success. The following is the POC I have done till date:

  1. The website blocked for a connected computer client is "facebook.com", but for mobile users it's m.facebook.com.
  2. Some websites like "youtube.com" etc. have dynamic IPs; they keep changing their IP, so I am unable to block the website based on its URL.

What's the client?

Some clients/browsers have DoH enabled; some apps use hardcoded DNS servers, like 8.8.8.8.

I've never tried blocking FB, but YT works just fine, as long as your clients actually use your DNS.

https://support.google.com/a/answer/6214622?hl=en#zippy=%2Coption-dns

Catch (or block, but it might break apps) and redirect all outgoing DNS requests in your FW.
Block or disable DoH/DoT, in the browser and on the device.

https://learn.akamai.com/en-us/webhelp/enterprise-threat-protector/etp-client-configuration-guide/GUID-04D2A852-CB51-4210-9CE3-7F6ABB3B84E2.html
https://www.techrepublic.com/article/how-to-enable-dns-over-tls-in-android-pie/ (for android)


Hi frollic
The idea is to provide parental control by doing blacklisting of website URLs.

  • Can you guide me with a HOWTO?

  • Can you guide me with any .ipk package (if any) available for doing so?

Thanks in advance

No,

because you haven't told us anything about your setup ...

You have an OpenWrt AP, but that's hardly it.

And why URLs? Not only DNS names?

This might be useful too: Functionality of "Parental Control" on OpenWrt

Hi frollic

My Topology is as follows

{Internet}-----------(WAN)[AP]---------(WiFi)------------[Mobile-phone]

Parental control appears to block web access at some scheduled time,
but my requirement is to block certain websites on the mobile phone connected via our Access Point.

Is "AP" used as a router?

Hi frollic

Yes, exactly.

Are you happy with a 6.5-year-old and insecure operating system?


Hi frollic,

Yeah, I know, but switching would be a costly job for now.

I am looking for some alternative to support URL filtering in this version only.

Please suggest.

Then dnsmasq should work just fine, as long as you do what you've been told here.

DNS-level blocking needs far fewer resources than URL analysis.

banIP could be useful too, for stopping DoH requests going out.

BB is so old that a lot of packages can't be installed. Just update.

Hi tapper

Can you suggest any package for URL filtering if I update my OpenWrt?

Thanks

You should really un-focus on URL filtering.

Difficult (maybe impossible?) nowadays, because most sites use HTTPS so the router never gets to see the full URL, only the IP (and hostname if your router is the DNS server). If you want to block URLs you'll probably need something at the browser level.

I use this option in dnsmasq.conf to completely block youtube (NXDOMAIN is returned for the listed domains and their subdomains):

# Block Youtube
address=/youtube.com/youtu.be/youtubei.googleapis.com/youtube.googleapis.com/www.youtube-nocookie.com/googlevideo.com/ytimg.com/youtube-ui.l.google.com/ytimg.l.google.com/ytstatic.l.google.com/youtubei.googleapis.com/

However, I think this requires two dnsmasq instances (one for kids' devices, one for everything else) if you want to apply this rule only to kids' devices. That's how I have it set up anyway - I have another dnsmasq instance running on a different AP, with the above rule in its dnsmasq.conf file, and I give the address of that DNS server to my kids' devices, like this:

# Devices use the local DNS server (192.168.1.1) by default
# This uses OpenDNS upstream servers which are set up to filter porn, malware, gore sites etc.

# Kids devices use 192.168.1.2
dhcp-mac=set:kidsdevice,XX:XX:XX:XX:XX:XX # Kids device 1
dhcp-mac=set:kidsdevice,XX:XX:XX:XX:XX:XX # Kids device 2
dhcp-mac=set:kidsdevice,XX:XX:XX:XX:XX:XX # Kids device 3
dhcp-option=tag:kidsdevice,option:dns-server,192.168.1.2

# Devices with completely unrestricted DNS (1.1.1.1)
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 1
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 2
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 3
dhcp-option=tag:unrestrict,option:dns-server,1.1.1.1,1.0.0.1

I also have a script that pulls a list of DoH servers from here and adds them to an ipset, running every night to keep the list up to date. I then have a firewall rule that blocks any traffic to those IPs, and another rule that redirects all forwarded traffic on port 53 to the local DNS server (except for the totally unrestricted devices).

I'm sure a time will come when the kids work out how to get around all of this, but it's good enough to stop them accidentally stumbling upon most bad stuff. I figure that once they're actively looking for porn it's going to be very difficult to stop them anyway.
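The port-53 redirect and the DoH ipset described above only help if you can also see who is trying to go around the router's resolver. As an added example (not the poster's script, and not part of the thread), the Python below classifies iptables LOG lines the way such firewall rules would see the traffic: plain DNS to an outside IP, DNS-over-TLS on 853, or HTTPS to a known DoH resolver address. The log lines, the DoH address set and the exempt MAC address are all constructed for the example; in practice the DoH addresses would come from a maintained list like the one the poster downloads nightly.

```python
# Added example (not the poster's script): classify iptables LOG lines to see
# which LAN clients resolve names outside the router's dnsmasq. The log lines,
# the DoH resolver IPs and the exempt MAC below are all constructed.
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")
LOCAL_DNS = {"192.168.1.1", "192.168.1.2"}      # the two dnsmasq instances from the thread
# Constructed stand-in for the downloaded DoH server list (what the ipset would hold).
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Clients allowed to use external DNS (the "unrestrict" tag); placeholder MAC.
EXEMPT_MACS = {"02:00:00:00:00:aa"}

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line plus the source MAC.
    The LOG target's MAC= field is dst-mac:src-mac:ethertype (6+6+2 octets)."""
    fields = dict(FIELD.findall(line))
    octets = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(octets[6:12]).lower() if len(octets) == 14 else ""
    return fields

def classify(fields):
    """Name the kind of resolver bypass a packet represents, or None if benign."""
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return None
    dport = fields.get("DPT")
    if str(dst) in LOCAL_DNS or dst in LAN:
        return None                     # went to our resolver or stayed on the LAN
    if dport == "53":
        return "plain-dns"              # hardcoded external resolver, e.g. 8.8.8.8
    if dport == "853":
        return "dot"                    # DNS-over-TLS (Android "Private DNS")
    if dport == "443" and str(dst) in DOH_IPS:
        return "doh"                    # HTTPS to a known DoH endpoint
    return None

def bypass_report(lines):
    """Per client IP, count each kind of bypass attempt; exempt devices are skipped."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("SRC_MAC") in EXEMPT_MACS:
            continue
        kind = classify(fields)
        if kind:
            report[fields.get("SRC", "?")][kind] += 1
    return {src: dict(kinds) for src, kinds in report.items()}

# Constructed LOG lines (prefix "DNSLEAK"); only the fields matter.
SAMPLE_LOG = [
    # phone with a hardcoded 8.8.8.8 resolver, caught by the port-53 rule
    "Jan  2 21:14:03 ap kernel: [  812.401234] DNSLEAK IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:02:00:00:00:00:bb:08:00 SRC=192.168.1.50 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=44",
    # same phone using Android Private DNS (DoT)
    "Jan  2 21:14:05 ap kernel: [  814.120000] DNSLEAK IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:02:00:00:00:00:bb:08:00 SRC=192.168.1.50 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=853 WINDOW=65535 RES=0x00 SYN URGP=0",
    # laptop browser doing DoH to 1.1.1.1:443
    "Jan  2 21:15:10 ap kernel: [  879.300000] DNSLEAK IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:02:00:00:00:00:cc:08:00 SRC=192.168.1.51 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    # laptop doing ordinary HTTPS to a web server (benign)
    "Jan  2 21:15:11 ap kernel: [  880.100000] DNSLEAK IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:02:00:00:00:00:cc:08:00 SRC=192.168.1.51 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=50002 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    # laptop querying the local dnsmasq (benign)
    "Jan  2 21:15:12 ap kernel: [  881.000000] DNSLEAK IN=br-lan OUT= MAC=00:11:22:33:44:55:02:00:00:00:00:cc:08:00 SRC=192.168.1.51 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=50003 DPT=53 LEN=40",
    # unrestricted device using 1.1.1.1 directly, exempt by MAC
    "Jan  2 21:16:00 ap kernel: [  929.000000] DNSLEAK IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:02:00:00:00:00:aa:08:00 SRC=192.168.1.60 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=UDP SPT=50004 DPT=53 LEN=40",
]

if __name__ == "__main__":
    for client, kinds in sorted(bypass_report(SAMPLE_LOG).items()):
        print(client, kinds)
```

Matching DoH by destination address only works for resolvers that sit on dedicated IPs; a DoH endpoint on a shared CDN address cannot be told apart from ordinary HTTPS by address alone, which is why an IP-list approach like the poster's is best-effort rather than complete.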

Hi tievolu,

Just had an idea!!

Can we just do it the other way around:

  1. Block every website on the mobile connected via WiFi
  2. Permit only selected websites

I mean, block everything except "forum.openwrt.org". This kind of approach.
In this way, we can have a permitted list of websites for kids. Any suggestions on how to do so?

Thanks in Advance

Yes, you can do that in dnsmasq.conf, like this:

# Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
server=/another.whitelisted.domain/1.1.1.1

# Block all other domains (i.e. return NXDOMAIN)
address=/#/

You will still need two dnsmasq instances though I think.

The man page for dnsmasq is here btw.

You might be able to set up a virtual SSID on a separate VLAN, just for the kids' devices, and use a separate dnsmasq instance for that VLAN. That isn't something I've tried myself though.
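The youtube blocklist earlier in the thread and the whitelist above both rely on how dnsmasq picks a rule for a query: a rule matches the named domain and all of its subdomains, the most specific match wins, and "#" is the catch-all. As an added example (not dnsmasq's code and not from the thread), the Python below models that selection so you can check what a config will do before deploying it. The two configs embedded are constructed from the snippets in this thread; the parser only understands address= and server= lines, and treats a server=/domain/# target as "use the normal upstreams".

```python
# Added example (not from the thread, and not dnsmasq code): a model of how
# dnsmasq chooses between address=/.../ and server=/.../ rules for one query.
# A rule matches its domain and every subdomain; when several rules match,
# the most specific (longest) domain wins; "#" is the catch-all for any name.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    domain: str            # "#" matches every name
    kind: str              # "address" (answer locally) or "server" (forward)
    target: Optional[str]  # IP to answer with / upstream to use; None = NXDOMAIN or default upstreams

def parse_config(text: str) -> List[Rule]:
    """Extract address= and server= rules from dnsmasq.conf text."""
    rules = []
    for raw in text.splitlines():
        # dnsmasq starts a comment only at a '#' at line start or after whitespace,
        # so "address=/#/" survives while "dhcp-mac=... # Kids device 1" loses its tail.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("address", "server") or not value.startswith("/"):
            continue
        parts = value.split("/")          # "/a/b/target" -> ["", "a", "b", "target"]
        target = parts[-1] or None
        if target == "#":                 # server=/domain/# means "use the normal upstreams"
            target = None
        for domain in parts[1:-1]:
            rules.append(Rule(domain.lower().rstrip("."), key, target))
    return rules

def decide(rules: List[Rule], qname: str) -> Tuple[str, Optional[str]]:
    """Return ("NXDOMAIN", None), ("ANSWER", ip) or ("FORWARD", upstream);
    the upstream "default" stands for whatever dnsmasq would normally use."""
    name = qname.lower().rstrip(".")
    best, best_len = None, -1
    for rule in rules:
        if rule.domain == "#":
            length = 0                    # catch-all: least specific possible match
        elif name == rule.domain or name.endswith("." + rule.domain):
            length = len(rule.domain)
        else:
            continue
        if length > best_len:
            best, best_len = rule, length
    if best is None:
        return ("FORWARD", "default")
    if best.kind == "address":
        return ("NXDOMAIN", None) if best.target is None else ("ANSWER", best.target)
    return ("FORWARD", best.target or "default")

# Constructed configs echoing the two approaches in the thread.
BLOCKLIST_CONF = """
# Block Youtube
address=/youtube.com/youtu.be/googlevideo.com/ytimg.com/
"""

ALLOWLIST_CONF = """
# Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
# Block all other domains (i.e. return NXDOMAIN)
address=/#/
"""

if __name__ == "__main__":
    for conf_name, conf in (("blocklist", BLOCKLIST_CONF), ("allowlist", ALLOWLIST_CONF)):
        rules = parse_config(conf)
        for q in ("www.youtube.com", "notyoutube.com", "forum.openwrt.org",
                  "downloads.openwrt.org", "openwrt.org"):
            print(f"{conf_name:9} {q:24} -> {decide(rules, q)}")
```

Running it shows the point that trips people up with the whitelist form: server=/forum.openwrt.org/ admits forum.openwrt.org and anything below it, but openwrt.org and downloads.openwrt.org still fall through to address=/#/ and get NXDOMAIN, so every host a page actually loads from has to be listed.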

If you're only blocking some devices, and don't have an adblocker set up, you can simply pass all "permitted" clients to a downstream DNS, while you announce your internal DNS to those that should
be stopped/restricted.

Yes, you're right :+1:. I was still thinking of my case where I want three levels of filtering (no filtering, OpenDNS filtering, and OpenDNS+YouTube).

So a setup with two classes -- unrestricted DNS or whitelisted DNS -- would look something like this:

# Setup DNSMasq in LuCI to send the local DNS server to DHCP clients by default

# Devices with unrestricted DNS (1.1.1.1)
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 1
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 2
dhcp-mac=set:unrestrict,XX:XX:XX:XX:XX:XX # Unrestricted device 3
dhcp-option=tag:unrestrict,option:dns-server,1.1.1.1,1.0.0.1

# Local DNS server: Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
server=/another.whitelisted.domain/1.1.1.1

# Local DNS server: Block all other domains (i.e. return NXDOMAIN)
address=/#/

Do note that DNS-based restrictions like that can be easily avoided by client devices if they set up a custom DNS server like 8.8.8.8, or if they use modern browsers like Firefox that use DNS-over-HTTPS by default (contacting their own DNS server and ignoring whatever is set by the system). I don't know if Chrome has this enabled by default or not.

Also proxies and VPNs will bypass this easily. For example there are hundreds of YouTube proxies (websites that redirect to YouTube).

So yeah, it might stop old people or very young kids, but it won't stop a teenager or an adult that can just google a bit, and as the other guy said above you need to disable a bunch of IPs to block traffic that wants to go to other DNS and DNS-over-HTTPS, because that is a much more common thing for applications than in the past.

I mean, OK, try this first, but don't be surprised if after a year you need to update to a more serious firewall device that can actually do more than basic IP and DNS blocking.