Block domains - what's the best way to do this?

BlackMage

Occasional Visitor
I want to block a few domains, so that they can no longer be accessed.

Does the URL Filter only block access over HTTP, or also HTTPS?
What is the best way to completely block access to specific domains?
 

L&LD

Part of the Furniture
Diversion.
 

eibgrad

Senior Member
If the public IP(s) associated w/ the domain name is unlikely to change over time, you can just add firewall rules. I say unlikely to change because the domain name is only resolved once, when the rule is added. And if any given domain name resolves to multiple IPs, it will generate multiple rules.

Assuming you've enabled custom scripts in Administration->System ...

Code:
mkdir -p /jffs/scripts
cat << "EOF" > /jffs/scripts/firewall-start
#!/bin/sh
# Each domain name is resolved once, when the rule is inserted;
# a name that resolves to several IPs produces several rules
iptables -I FORWARD -d cnn.com -j REJECT
iptables -I FORWARD -d espn.com -j REJECT
iptables -I FORWARD -d disney.com -j REJECT
EOF
chmod +x /jffs/scripts/firewall-start
Once you adjust the domain names to your liking, you can simply paste the script into a shell (ssh) and it will automatically create the firewall script for you.

In some cases, particularly mega-sites (e.g., Amazon), this approach is inadequate. The IPs associated w/ a domain name can change a LOT, and you'll need something more sophisticated, preferably based on ipset.
 

eibgrad

Senior Member
Is that possible on asuswrt-merlin? (based on ipset)
The ipset module is definitely in the firmware (/usr/sbin/ipset).

What you do is create an ipset hash table to store IPs. You then configure DNSMasq (the DNS server) to add any IP(s) from name resolution from your list of blocked domain names to that hash table. Finally, you add a single firewall rule (in the FORWARD chain) that checks that hash table against the destination IP on packets, and if a match occurs, you REJECT/DROP the packet. The whole process is *dynamic* rather than (as I described above) *static*.

For all I know, that's what Diversion does. And it's how I've done it in the past. Takes some effort to setup of course.
 
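The three steps described above (ipset hash table, dnsmasq feeding resolved IPs into it, one FORWARD rule matching the set), written out as an added shell example. This is not code from the thread; it assumes asuswrt-merlin's /jffs/configs/dnsmasq.conf.add drop-in and /jffs/scripts/firewall-start hook, and the set name and domain list are constructed for the example:

```shell
#!/bin/sh
# Added example: dynamic domain blocking with ipset + dnsmasq on asuswrt-merlin.
# Assumed paths: /jffs/configs/dnsmasq.conf.add (dnsmasq drop-in) and
# /jffs/scripts/firewall-start (custom firewall hook). Set name and domains
# below are constructed sample values.

SETNAME="blocked_domains"
DOMAINS="cnn.com espn.com disney.com"   # constructed sample list

# Emit one dnsmasq "ipset=" line per domain. Every IP dnsmasq resolves for
# that domain (and its subdomains) is added to the named set at lookup time.
dnsmasq_ipset_lines() {
    set_name="$1"; shift
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$set_name"
    done
}

# Emit the firewall commands: create the set if it does not already exist,
# then a single FORWARD rule that rejects any packet whose destination IP is
# in the set (the -C check avoids inserting duplicate rules on re-runs).
firewall_cmds() {
    set_name="$1"
    printf 'ipset -exist create %s hash:ip\n' "$set_name"
    printf 'iptables -C FORWARD -m set --match-set %s dst -j REJECT 2>/dev/null || iptables -I FORWARD -m set --match-set %s dst -j REJECT\n' "$set_name" "$set_name"
}

# Install on the router: write the dnsmasq drop-in (replacing any existing
# one) and the firewall-start hook, run the hook, then restart dnsmasq so
# new lookups start populating the set. Only runs when invoked with --apply,
# so the functions above can be inspected without touching the router.
apply_on_router() {
    dnsmasq_ipset_lines "$SETNAME" $DOMAINS > /jffs/configs/dnsmasq.conf.add
    { echo '#!/bin/sh'; firewall_cmds "$SETNAME"; } > /jffs/scripts/firewall-start
    chmod +x /jffs/scripts/firewall-start
    /jffs/scripts/firewall-start
    service restart_dnsmasq
}

[ "${1:-}" = "--apply" ] && apply_on_router
```

Run it as `sh block-domains.sh --apply` on the router, then have a client resolve one of the listed names and confirm with `ipset list blocked_domains` that its addresses appeared. Note the dependency this creates: the set is only populated by lookups that pass through the router's dnsmasq, so a client pointed at a different resolver never feeds the set and is not caught by the FORWARD rule; forcing LAN DNS through the router is what makes the dynamic approach complete.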

eibgrad

Senior Member
I suppose you could just block those domain names directly in DNSMasq (no need to install a large ad blocker if you don't have the storage).

Code:
# one address= record per blocked domain; lookups then return 0.0.0.0
address=/cnn.com/0.0.0.0
address=/espn.com/0.0.0.0
…
That's all that most ad blockers do anyway. They manage large lists of domain names and keep them updated. But as I said, it's a simple matter to add a few DNS records directly to DNSMasq if that's all you need.

My example of using ipset goes a step further and literally blocks the destination IP(s) resolved from the domain name w/ firewall rules. That may be overkill for your purposes.
 

BlackMage

Occasional Visitor
I want to fix my jffs partition first.. it can't remain in a permanent state
 

BlackMage

Occasional Visitor
OK, fixed. Does pixelserv-tls get its own IP?

Preferably an IP address in my IP range?
 
