Using DNS to block access to selected sites

I use IPCOP and URL filter to block unintentional access to undesirable or high-risk sites, to reduce the risk of a ‘drive-by download’ attack, but I have found that URL filter cannot prevent access to sites using HTTPS, so I needed an alternative solution that would work for a small number of sites.

Since, even when using HTTPS, the web browser still needs to look up the address of the web server it wants to connect to, the solution is simply to redirect DNS lookups for the domains I want to block somewhere else (in this case 127.0.0.1 seems to work quite well). Redirecting DNS lookups isn’t a perfect solution: it will prevent users accessing the affected domains over either HTTPS or HTTP, but they won’t be redirected to the ‘block page’ and nothing will appear in the URL filter logs. Also, you don’t want to go mad and block too many domains this way. If you think you need to, then you probably want to turn the problem on its head and block all HTTPS traffic except for a limited number of trusted sites, and there are other good reasons why you might want to do it this way as well.

IPCOP uses dnsmasq, so to block a domain all you need to do is add an additional ‘address’ entry to ‘/var/ipcop/dhcp/dnsmasq.local’ for every domain you want to block. The entries below have been culled from a number of web pages that included annoying or unwanted advertising.

# nano /var/ipcop/dhcp/dnsmasq.local
#
# Used for private dnsmasq (DHCP) options.
# After making modifications restart the DHCP server using the web interface 
# or restartdhcp.
# Changes made will then propagate to the DHCP server.
#

# DNS Name Server
server=192.168.0.1

# Redirect the following domains to 'localhost', effectively
# blocking them (completely!)

address=/.amazon-adsystem.com/127.0.0.1
#address=/.ssl-images-amazon.com/127.0.0.1
address=/.skimresources.com/127.0.0.1

address=/.2o7.net/127.0.0.1
address=/.adbrite.com/127.0.0.1
address=/.addthis.com/127.0.0.1
address=/.admeld.com/127.0.0.1
address=/.adnxs.com/127.0.0.1
address=/.adzerk.net/127.0.0.1
address=/.bluekai.com/127.0.0.1
address=/.clickbank.net/127.0.0.1
address=/.criteo.com/127.0.0.1
address=/.crsspxl.com/127.0.0.1
address=/.crwdcntrl.net/127.0.0.1
address=/.disqus.com/127.0.0.1
address=/.doubleclick.com/127.0.0.1
address=/.doubleclick.net/127.0.0.1
address=/.effectivemeasure.net/127.0.0.1
address=/.esm1.net/127.0.0.1
address=/.estat.com/127.0.0.1
address=/.exelator.com/127.0.0.1
address=/.gigya.com/127.0.0.1
address=/.gravity.com/127.0.0.1
address=/.imrworldwide.com/127.0.0.1
address=/.kinja.com/127.0.0.1
address=/.linkbucks.com/127.0.0.1
address=/.liveadvert.com/127.0.0.1
address=/.livefreetimenews.com/127.0.0.1
address=/.mail-corp.com/127.0.0.1
address=/.mktoresp.com/127.0.0.1
address=/.ooyala.com/127.0.0.1
address=/.optimizely.com/127.0.0.1
address=/.outbrain.com/127.0.0.1
address=/.owneriq.com/127.0.0.1
address=/.paresly.com/127.0.0.1
address=/.quantserve.com/127.0.0.1
address=/.res-x.com/127.0.0.1
address=/.revsci.net/127.0.0.1
address=/.scorecardresearch.com/127.0.0.1
address=/.searchmarketing.com/127.0.0.1
address=/.shareaholic.com/127.0.0.1
address=/.sitemeter.com/127.0.0.1
address=/.statcounter.com/127.0.0.1
address=/.techcrunch.com/127.0.0.1
address=/.tklist.net/127.0.0.1
address=/.triggit.com/127.0.0.1
address=/.tynt.com/127.0.0.1
address=/.xiti.com/127.0.0.1
address=/.yieldmanager.com/127.0.0.1
address=/.po.st/127.0.0.1
address=/.zdbb.net/127.0.0.1
address=/.newrelic.com/127.0.0.1
address=/.stipple.com/127.0.0.1
address=/.invitemedia.com/127.0.0.1
address=/.rubiconproject.com/127.0.0.1
address=/.casalemedia.com/127.0.0.1
address=/.adsonar.com/127.0.0.1
address=/.serving-sys.com/127.0.0.1
address=/.vizu.com/127.0.0.1
address=/.mixpo.com/127.0.0.1
address=/.yadro.ru/127.0.0.1
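As an added check (not part of the original post or of IPCOP), a small Python script that parses a dnsmasq.local fragment in the format above, flags malformed or duplicate address= lines, and reports which entry would capture a given hostname. The sample text is constructed; the subdomain-matching rule and the stripping of the leading dot are assumptions about how the entries are intended to work, not a statement of dnsmasq's exact behaviour.

```python
"""Lint a dnsmasq.local block list and check which hostnames it captures."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the post's format; the duplicate and the bad IP are deliberate.
SAMPLE = """\
# DNS Name Server
server=192.168.0.1
# Redirect the following domains to 'localhost'
address=/.doubleclick.net/127.0.0.1
address=/.serving-sys.com/127.0.0.1
address=/.serving-sys.com/127.0.0.1
address=/.po.st/127.0.0.1
address=/.example.test/not-an-ip
"""

ADDRESS_RE = re.compile(r"^address=/([^/]+)/(.+)$")


def parse_address_entries(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {domain: ip} for valid address= lines plus a list of problems found.

    Assumption: a leading dot is stripped and an entry covers the domain itself
    and every name under it. Other options (server=, comments) are ignored.
    """
    entries: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("address="):
            continue
        match = ADDRESS_RE.match(line)
        if not match:
            problems.append(f"line {lineno}: malformed entry: {line}")
            continue
        domain, ip = match.group(1).lstrip(".").lower(), match.group(2)
        try:
            ipaddress.ip_address(ip)  # reject anything that is not an IP literal
        except ValueError:
            problems.append(f"line {lineno}: bad IP address {ip!r} for {domain}")
            continue
        if domain in entries:
            problems.append(f"line {lineno}: duplicate entry for {domain}")
            continue
        entries[domain] = ip
    return entries, problems


def blocked_by(hostname: str, entries: Dict[str, str]) -> Optional[str]:
    """Return the entry that captures hostname, or None if it would resolve normally."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full name up to the TLD: a.b.c, then b.c, then c.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None
```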

One Response to Using DNS to block access to selected sites

  1. I wonder why it uses the preceding dot before domain. dnsmasq doesn’t. I will try it though because editing dnsmasq config file is a pita.
