URL-filter for OpenWrt Barrier Breaker

Looks like you just googled yourself a bit, only. DNS (53) to be redirected to filtered DNS will take care of 8.8.8.8 or any other standard DNS server. DoH to well-known servers, i.e. 1.1.1.1, can be disabled using firewall, or using some browser specific DNS-setup. Only bypass here would be a private DoH-server, but that is not to be done by "teenager or adult, who can just google a bit". VPNs can be blocked, too, more or less.
https-based proxies are a different story, though.

Not at all. Did you miss what I said?

You need to disable a bunch of IPs to block traffic that wants to go to other DNS and DNS-over-https, because that is a much more common thing for applications than in the past.

Also do you have a list of all youtube or whatever proxies, updated? Because guess what happens when you search "youtube proxy" or "facebook proxy" on google.

I guess you need to add a ton of IPs to that blacklist or switch to a whitelist that will most likely suck and make the users hate you and just go try get their internet from somewhere else entirely.

There are literally countless tutorials to sidestep these limitations https://www.howtogeek.com/167418/5-ways-to-bypass-internet-censorship-and-filtering/

If you want to stop someone that can use a VPN (and FYI there are A LOT of ads for VPNs nowadays in both youtube and other media, cheap and easy to use), DNS blocking is a waste of time.

VPNs don't need to use DNS (in many cases the server IPs are hard-coded in the config) and can choose multiple protocols over different non-standard ports. So even more IPs to add to your blacklist and keep updated.
All this on the client side is automated, the user does not need to know much. Using a VPN is easy for everyone.

--

I'm not saying to not do this and accept defeat, I'm just saying don't expect this to stop anyone that is actually trying to bypass it.

DNS-blocking in the 21st century is a network equivalent of a garden fence.


No.
First: REDIR port 53 to filtering DNS makes IP blockage for DNS-servers obsolete.
Second: There are DNS-based methods to disable usage of DoH in browsers, at least.
So you are less than 50% correct on your mentioned statements.

Regarding VPNs, blockage based on dest ports, which are usually not equal to 80/443.
You even wrote that yourself.

Of course, IP-based blocks enhance both methods from above.

It will not block everyone. But the "teenager or adult, who can just google a bit", definitely.
BTW: To gain access to "proxysite.com", DNS is to be used first. Which is blocked, of course.

Last but not least, it is not a big deal to handle a large, IP-based blocklist for well-known VPNs and proxies. Will give every user a hard time to find a hole.
From the link you gave, only "TOR" is a real challenge, that's correct. But it's not an option for permanent usage, anyway. Give it a try yourself :)

Just out of interest, can you elaborate on that? My conclusion from all the info I found was that DoH can only be blocked with firewall rules.

EDIT: I assume you're referring to this: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

Read the additional note regarding the canary domain.

Yes. And with ipset you block the well-known DoH-servers, as you stated.
Which is just the second line of defence, because quite often standard DNS is used, i.e. to resolve doh.anydnssrv.com.
Which is blockable using standard DNS blocklist.

Hi tievolu

# Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/example.whitelisted.domain/1.1.1.1
server=/another.whitelisted.domain/1.1.1.1

# Block all other domains (i.e. return NXDOMAIN)
address=/#/

I tried with this config but no success.

I also have tried to stop resolving via following config:

# cat /etc/dnsmasq.conf
domain-needed
bogus-priv
no-resolv

# Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1

# Block all other domains (i.e. return NXDOMAIN)
address=/#/

Can I do blocking on the basis of SSID? Like:

  1. Kid_SSID/Guest : only selected websites allowed
  2. Normal_ssid: all website open

Can you guide me on how I can achieve it?

Thanks for interest and support

Dnsmasq doesn't have a clue/doesn't care about your wifi.

If you stop the dnsmasq, and the client still can use the internet, then they're not using your dnsmasq as the DHCP and/or DNS, or you're not blocking external DNSes.

Do you want fries with that?

But many corporate access points and routers do support blocking of websites.

I don't know what packages they use for the same.

On stock, but you're not using that, are you?

Can you suggest some packages, so that I can do my R&D?

All you need is already mentioned in this thread.

I tried all the suggestions, and also searched with "dnsmasq", but no success.

Now looking for any .ipk packages available in OpenWrt for URL filtering. Also any open-source code or scripts.

Any suggestions?

Or name some .ipk packages, so that I can start with them one by one.

you haven't done it right, which is probably why it doesn't work ...

if you can't figure this out, your url filter isn't gonna float either, because of the same reasons, and you've already been told it's a bad idea in the 1st place.

If you update to a newer OpenWrt you can use adblock and add URLs to the black list. You can block IPs using banip in the same way. I do this all the time. If you want to stick to an old build that has more holes than a sieve then so be it! BTW what are you blocking? Edited just to point out this is not a very good way of blocking stuff; anyone can find out how to get round this stuff with a quick google.

if he can't figure out how to provide custom DNSes in the DHCP, and block/catch/redirect outgoing DNS calls, there's no point in providing alternative solutions, since they still rely on the same functional base.

Hi tapper,

Idea is to block everything except some selected websites like

  1. some academic sites
  2. DIY sites
  3. some learning sites

All the rest need to be blocked for any clients connected via Wifi.

Hi frollic,

if he can't figure out how to provide custom DNSes in the DHCP, and block/catch/redirect outgoing DNS calls, there's no point in providing alternative solutions, since they still rely on the same functional base.

On making changes in "/etc/dnsmasq.conf" I am able to block all sites except the mentioned websites. The configuration is:

# cat /etc/dnsmasq.conf

# Whitelisted domains, which will be looked up using upstream server 1.1.1.1
server=/forum.openwrt.org/1.1.1.1
server=/facebook.com/1.1.1.1
server=/google.com/1.1.1.1

# Block all other domains (i.e. return NXDOMAIN)
address=/#/

ping result from inside Access Point:

# ping facebook.com
PING facebook.com (157.240.16.35): 56 data bytes
64 bytes from 157.240.16.35: seq=0 ttl=55 time=36.932 ms
64 bytes from 157.240.16.35: seq=1 ttl=55 time=37.580 ms
^C
--- facebook.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 36.932/37.256/37.580 ms
# ping rediff.com
ping: bad address 'rediff.com'

But if I connect my mobile phone through the wifi of my Access Point, I find unrestricted access.

This I had achieved at a very early stage before posting, and I am still on the same page.
I also had achieved the same with iptables rules hooked on the http and https ports.

I am unable to block for connected clients. I got this package https://github.com/openwrt/packages/tree/openwrt-19.07/net/adblock and also have tried it earlier.

then we're back at URL-filter for OpenWrt Barrier Breaker - #2 by frollic and URL-filter for OpenWrt Barrier Breaker - #36 by frollic .

As long as you're not sure your devices only use your DNS, there's no point in trying to restrict the access.

Not sure what that means.

Note that Android phones will stop using wifi if the network they're connected to doesn't have proper internet connectivity, and they fall back to the cell network. In other words, your DNS restrictions might be too tight.

Android phones check internet connectivity by sending a request to connectivitycheck.gstatic.com, so you'll need to ensure that this hostname can be resolved properly. I don't know what iPhones do, if anything.

Of course, this also means that phones can easily bypass your restrictions by just disabling wifi.

Just realised I replied to the wrong post. @pinchamit - this was for you.
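The missing piece in this thread is the one frollic and reinerotto keep pointing at: the dnsmasq allow-list only helps if LAN clients cannot talk to any other resolver, which means redirecting outbound port 53 to the router. The script below is an added example written for this thread, not code from any poster or from the OpenWrt project. It generates pinchamit's style of allow-list (with connectivitycheck.gstatic.com added, for the Android behaviour described above) and the matching OpenWrt `config redirect` stanza as plain text first, so both can be reviewed, and applies them with `uci` only when run on an OpenWrt host. It assumes the LAN firewall zone is named `lan`, the upstream resolver is 1.1.1.1, and dnsmasq reads `/etc/dnsmasq.conf` (the OpenWrt default). Blocking well-known DoH server IPs with an ipset, as discussed earlier, is a separate step not covered here.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from OpenWrt).
# Assumptions: LAN zone is "lan", upstream resolver is 1.1.1.1, dnsmasq
# reads /etc/dnsmasq.conf.

UPSTREAM="${UPSTREAM:-1.1.1.1}"

# Constructed allow-list (space separated, unquoted on purpose so the shell
# splits it into words). connectivitycheck.gstatic.com keeps Android phones
# from dropping wifi when their connectivity check fails.
ALLOWED="forum.openwrt.org connectivitycheck.gstatic.com"

# Emit a dnsmasq fragment: each listed domain (and its subdomains, dnsmasq
# matches by suffix) is forwarded to the upstream; address=/#/ answers
# NXDOMAIN for every other name. no-resolv stops dnsmasq from also using the
# WAN-supplied resolvers for unlisted names.
gen_dnsmasq_conf() {
    upstream="$1"; shift
    echo "no-resolv"
    for d in "$@"; do
        echo "server=/$d/$upstream"
    done
    echo "address=/#/"
}

# Emit the /etc/config/firewall stanza that DNATs LAN clients' TCP/UDP port
# 53 to the router, so a client hard-wired to 8.8.8.8 still ends up at
# dnsmasq. This is the "REDIR port 53" step from the discussion above.
gen_firewall_redirect() {
    cat <<'EOF'
config redirect
    option name 'Intercept-DNS'
    option src 'lan'
    option src_dport '53'
    option proto 'tcp udp'
    option target 'DNAT'
EOF
}

# Apply on an OpenWrt host: overwrite /etc/dnsmasq.conf with the fragment,
# add the redirect through uci, then restart both services.
apply_on_openwrt() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; this is not an OpenWrt host" >&2
        return 1
    fi
    gen_dnsmasq_conf "$UPSTREAM" $ALLOWED > /etc/dnsmasq.conf
    uci add firewall redirect >/dev/null
    uci set firewall.@redirect[-1].name='Intercept-DNS'
    uci set firewall.@redirect[-1].src='lan'
    uci set firewall.@redirect[-1].src_dport='53'
    uci set firewall.@redirect[-1].proto='tcp udp'
    uci set firewall.@redirect[-1].target='DNAT'
    uci commit firewall
    /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
}

# Run with "apply" to install; with no argument it only prints the generated
# configuration for review.
if [ "${1:-}" = "apply" ]; then
    apply_on_openwrt
else
    gen_dnsmasq_conf "$UPSTREAM" $ALLOWED
    echo
    gen_firewall_redirect
fi
```

After applying, verify from a wifi client rather than from the router's shell: `nslookup rediff.com` should fail, and so should `nslookup rediff.com 8.8.8.8`, because the redirect sends that query to dnsmasq as well. If the second lookup succeeds, the client is reaching an external resolver and the allow-list is not in effect for it, which is exactly the situation described in the thread.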