1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to block YouTube

Discussion in 'Tomato Firmware' started by XtremeARG, Feb 6, 2018.

  1. XtremeARG

    XtremeARG New Member Member

    My question is simple , how to block YouTube using tomarto by shibby.
    I want to block it in phones and tablets devices connected to my wifi.
     
  2. Combat619

    Combat619 New Member Member

    I would think by adding it on the block list ?

    Sent from my SAMSUNG-SM-G920AZ using Tapatalk
     
  3. XtremeARG

    XtremeARG New Member Member

    That is in access restriction ?
     
    Last edited: Feb 6, 2018
  4. koitsu

    koitsu Network Guru Member

    YouTube, like many streaming services, uses HTTPS (SSL). This subject has been discussed before. There is not a reliable way to do this without an intermediary proxy (ex. squid) or using browser-based extensions that can do it (ex. uBlock Origin) (which are not always available depending on environment or hardware (ex. mobile phones)). Tomato's Access Restriction feature is mainly intended for limiting network access based on time of day, with per-port (per-protocol) or client-side MAC conditions, or website name (based on HTTP Host: header, not DNS!) or content on a website delivered via plaintext protocol. The entire point of SSL is to encrypt and thus inhibit the ability for something (either person or intermediary device) to know what is being transmit between two endpoints. That said...

    The DNS server in Tomato, dnsmasq, would allow you to fake DNS records for youtube.com (or *.youtube.com; there are many addresses/names they use for different services), returning something like 127.0.0.1, or possibly NXDOMAIN. In effect, this can act as a form of filtering. This has also been discussed before (many times). However, if a client was to change DNS servers (i.e. not use the DNS server on the router), they could work around it. Tomato offers an "intercept DNS" feature (Advanced -> DHCP/DNS -> Intercept DNS port)) which can be used to force all DNS traffic through the local DNS server. I have not used this feature.

    TL;DR -- You can't block YouTube because it uses HTTPS, but you can ensure all DNS traffic goes through your router, and returning fake DNS records (or NXDOMAIN if possible) for clients trying to resolve DNS-wise names like youtube.com or *.youtube.com.
     
    Monk E. Boy and eibgrad like this.
  5. eibgrad

    eibgrad Network Guru Member

    Couldn't agree more w/ koitsu's comments. Nothing stops a user from using a personal VPN either. And no matter what you do at that point (unless you're going to block VPNs as well), you're dead in the water.

    That said, when dealing w/ mega-sites (Google, Amazon, Netflix, etc.), the better approach imo is to use ipset in DNSMasq to capture all the returned IPs from the domains of interest and store them in a hash table, then use firewall rules that deny access by checking if the user is attempting to connect to anything in that hash table. IOW, it's a dynamic process rather than the typical static process.

    At least that's the way *I* would do it. A bit more complicated to setup, but probably worth it in some cases.

    But again, nothing is perfect. The very nature of the internet makes total and complete control of this kind impossible. Anyone sufficiently knowledgeable is going to thwart even your best efforts.
     
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    DNS is one way to block it however it's very difficult to catch due to the sheer number of DNS entries they use. You can't just block youtube.com and be done with it, you have to block tons of domains in order to block all their apps which for the most part have hard-coded addresses in the app which aren't youtube.com. I've used the intercept DNS before and it does work to redirect traffic targeting other port 53 DNS servers to the internal DNS server. Then you can use a DNS filtering service like OpenDNS to filter queries for content you don't want to be accepted. ODNS categories are kind of broad but you can also override for specific domains by making up your own custom allow DNS lists.

    The issue then becomes VPN and alternative DNS servers. OpenDNS has an anonymizer & VPN category that will catch most services. The alternative DNS is kind of a sticky one but I have all nonstandard port connections stuffed into a single category that I periodically review to keep an eye on what weird things people are doing. When you see a connection you'll get an IP address (which Tomato may be able to resolve to a DNS address), port number, and packet type. If Tomato's reverse DNS lookup fails to turn up anything interesting, searching for the port number & packet type on Google typically uncovers details of who's providing the service. If it's a DNS service you could stick an iptables reject or drop rule in forward for that port & packet type to stop it. There aren't a whole lot of these because servers aren't free and the people who want to do this typically don't have disposable income to actually, you know, pay them, so it doesn't take long to frustrate them to the point of giving up.

    Another option is to run your own DNS server which allows you to do a whole hell of a lot more than you can do with DNSMasq. Some people have posted howtos to setup PiiHole using a Raspberry Pii as a base, but any old *nix system could be your base. Got an old laptop you're not using anymore that has an ethernet port? Voila, you've got yourself a BSD/Linux server.

    Like many things this seems like a simple request but it's really complicated to implement.
     
  7. tvcat

    tvcat Networkin' Nut Member

    So which one would be more efficient in blocking https website access? DNS server or proxy server?
    thanks
     
  8. Sean B.

    Sean B. LI Guru Member

    Using the DNS method is by far the easiest. Providing you have the network configuration set to use the router as the DNS server a long with the intercept DNS option enabled, adding this line to the dnsmasq custom config box is all that's needed:

    Code:
    address=/youtube.com/
    Which will return NXDOMAIN to queries for youtube.com and any of its subdomains ( IE youtube.com, www.youtube.com , some.other.youtube.com etc ).

    This method is also extremely easy to get around though, as simply entering the IP address of youtube.com into a browser rather than the normal URL will bypass DNS all together. This is well suited if your purpose is to control access for young kids, or blocking spam sites that no one wants to land on anyway etc. Not so good if you're trying to prevent a computer savvy teenager from watching youtube rather than doing homework.

    A proxy server such as squid has a lot more ability to filter specific content, such as using the SSLbump method to gain plain text access to SSL traffic ( tricky to configure, and requires access to client computers to install a cert in the browsers trusted root, but it does work ). Also adds widely configurable logging levels and access controls etc.

    Really depends on your use case and what all you want/need from the results.
     
    Monk E. Boy, tvcat and Combat619 like this.
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    Yes, DNS is the easiest to implement, but you probably want more than just youtube.com
    Code:
    address=/youtube.com/youtu.be/youtubei.googleapis.com/youtube.googleapis.com/www.youtube-nocookie.com/
    There may be more youtube addresses. If you find them just add them to the line, or create a second line if dnsmasq hiccups and breaks. Get in the habit of going to stauts -> logs -> 25 lines after saving any dnsmasq advanced configuration to verify that dnsmasq loaded successfully. I forget what the exact line is when it fails but it's going to look very different from the usual entries.

    Its not perfect which is why keeping an eye on the connection table coupled with cracking the whip helps. You can see their device, what connections its made to which IPs, and how much data is transferred. In the case of video the file sizes make it stand out.

    With IPv4 exhaustion just entering IPs isn't as reliable a method as it used to be. Even Google is using host headers to serve up different websites on the same IP, at least in some circumstances. If the browser passes on the IP then it doesn't know what domain to serve, and the default may not be what you want.

    SSL inspection is certainly more reliable but as Sean points out more complicated to setup. It is a better long term solution though.

    BTW, there's some DNS-based trickery you can do to make your kids suffer with restricted access to Google, Bing, and YouTube:
    https://support.opendns.com/hc/en-u...-Enforcing-Google-SafeSearch-YouTube-and-Bing

    Sorry aforementioned kids.
     
    Last edited: Feb 9, 2018
    Sean B. likes this.
  10. eibgrad

    eibgrad Network Guru Member

    Is efficiency really the primary consideration here, or effectiveness? While DNS is certainly efficient, as others have pointed out, it's pretty easy to get around the problem by simply specifying explicit IPs.

    The problem I'm having is that we just don't have enough information here to pass judgement on what makes the most sense. The only thing you mentioned was blocking phones and tablets. Pretty vague. Using DNS will certainly do that. But it will block every other device in the house as well! IOW, it's indiscriminate.

    Using DNS is *much* more effective when used to protect the whole house from malicious websites, crypto-mining, ads, etc. In that situation, no one in the home has any motivation to mess w/ your attempts to block these sites. Everyone sees it as a benefit.

    The problem is when you want to thwart *internal* threats, who also have access to your network! Those "little devils" will work day and night to undermine your attempts to deny them access to their favorite entertainment, YouTube. From that perspective, using DNS for internal purposes is not nearly as effective.

    Nothing will work as well as determining the public IPs used by YouTube (maybe even public VPN services, if you want to take it that far) and using firewall rules. And you can also discriminate among source IPs (local devices). You could even fine tune access based on day of week and time of day. IOW, lots of configuration options. But it's definitely much more work and not just a simple one liner like DNS. Just depends on how far you want to go given your interests and skills.
     
    Last edited: Feb 9, 2018

Share This Page