How to block access to a hostname

1

I need to block access to the www.facebook.com site from a Linux machine. I have to block it on the machine itself, that is, I cannot do this with a proxy.

Initially I thought about using iptables; however, since Facebook has dynamic IPs and iptables resolves the hostname only at the time the rule is added, the site can be accessed again after a short while (when the IP changes). Is there a simple way to do this?

asked by anonymous 11.08.2014 / 18:11

1 answer

1

First, you have to force all DNS requests (port 53 UDP and TCP) to pass through your own resolver (for example, a DNS server that performs recursive queries), since nothing stops someone from configuring a different DNS on the machine itself. By directing all requests to your server, you will have far more control over the blocking. For this, iptables handles it well (redirecting everything that goes to port 53, regardless of name or IP).

E.g. the user sets the server 208.67.222.222 (OpenDNS) as the DNS on the client machine, but your rules redirect any access to port 53 to your own server, not allowing the request to leave the internal network. As soon as any user enters www.facebook.com, your server will be queried (remembering that there is also m.facebook.com, plus a number of other things that can be filtered).

After this, you need to configure your own DNS server, as in the example given by bfavaretto, or customizing the DNS configuration installed on the server according to the documentation.


Even so, someone could run a local DNS server that makes its external requests on a port other than 53, escaping the block (this rarely happens, but you should know the risk). Or simply put the desired IPs in the hosts file of the machine itself.

If it is for use in companies, often the solution is to put the prohibition in the employees' employment contract, together with a clause giving notice that there is remote monitoring of the screens, and the first one who "slips" gets a written warning. This way you will avoid a lot of "infiltrable" problems more effectively, including undue personal use of the machines, and avoid a claim of privacy invasion by the employee (provided he is fully aware of the monitoring).

11.08.2014 / 18:30
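The two pieces the answer describes, as an added example for a single Linux host (not code from the original answer): iptables nat rules that force every port-53 query through a local resolver, and a dnsmasq blocklist that answers 0.0.0.0 for the zone and all of its subdomains (www., m., ...). The resolver port, the user name dnsmasq runs under and the drop-in config path are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds the two pieces the
# answer describes, for a single Linux host:
#   1. iptables nat rules forcing every port-53 query to a local resolver;
#   2. a dnsmasq blocklist answering 0.0.0.0 for a zone and all subdomains.
# Resolver port, user name and file path are assumptions, not from the page.
# Nothing touches the system unless invoked as "apply" by root.

RESOLVER_PORT=5353                     # assumed: dnsmasq bound to 127.0.0.1:5353 (port=5353)
RESOLVER_USER=dnsmasq                  # assumed: uid the resolver runs under
BLOCK_CONF=/etc/dnsmasq.d/block.conf   # assumed dnsmasq drop-in directory

# Print (do not run) the redirect rules, so an admin can review them first.
# The RETURN for the resolver's own uid is essential: without it the
# resolver's upstream queries to port 53 would be redirected back to itself.
redirect_rules() {
  for proto in udp tcp; do
    echo "iptables -t nat -A OUTPUT -p $proto --dport 53 -m owner --uid-owner $RESOLVER_USER -j RETURN"
    echo "iptables -t nat -A OUTPUT -p $proto --dport 53 ! -d 127.0.0.0/8 -j REDIRECT --to-ports $RESOLVER_PORT"
  done
}

# dnsmasq 'address=' lines: one entry per zone also covers www., m., etc.
blocklist_config() {
  for zone in "$@"; do
    echo "address=/$zone/0.0.0.0"
  done
}

# The /etc/hosts alternative from the answer: exact names only, so every
# subdomain has to be listed explicitly.
hosts_entries() {
  for name in "$@"; do
    echo "0.0.0.0 $name"
  done
}

case "${1:-}" in
  show)
    redirect_rules
    blocklist_config facebook.com
    ;;
  apply)
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
    blocklist_config facebook.com > "$BLOCK_CONF"
    redirect_rules | sh -e
    # Still escapes this setup, as the answer warns: DNS sent to a port
    # other than 53 (e.g. DNS over TLS on 853, or DNS over HTTPS).
    ;;
esac
```

Run with `show` to review the generated rules and config, or as root with `apply` to write the blocklist and insert the rules.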