Blocking Facebook using DNSMasq

Discussion in 'Tomato Firmware' started by jsnepo, Dec 20, 2017.

  1. jsnepo

    jsnepo Networkin' Nut Member

    Will this work?


    If it does, how can I specify it to a specific client only?
  2. Techie007

    Techie007 Serious Server Member

    Yes, this would block access to network wide. It will also give a long timeout due to waiting for a response from It would be better to use IP, which will return immediately with a "Server not found" message.
    However, if you're trying to restrict access to specific sites on specific devices, you would be better off using the Access Restriction feature rather than DNSmasq.
    Last edited: Dec 22, 2017
  3. jdesignz

    jdesignz New Member Member

    +1 Access Restriction is your best solution

    Sent from my Moto G (5S) Plus using Tapatalk
  4. Sean B.

    Sean B. LI Guru Member

    Incorrect. It would catch all subdomains of including Quote from dnsmasq docs:

    Techie007 likes this.
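Added example, not code from the thread: a small POSIX shell check of the matching rule Sean B. describes. A dnsmasq address=/domain/ entry covers the domain itself and every name beneath it, whereas a hosts-file entry matches one exact name. The domain names facebook.com and fbcdn.net are my assumptions for illustration (the thread's own domain names did not survive extraction); the second one stands in for a CDN domain that is not under the first and so needs its own entry.

```shell
#!/bin/sh
# Constructed example: how a hosts-file entry and a dnsmasq "address=/domain/"
# entry differ in which query names they match. Not code from the thread.
# Domains used below (facebook.com, fbcdn.net) are assumptions for illustration.

# hosts-file semantics: an entry matches exactly one name, nothing beneath it.
hosts_blocks() {          # $1 = queried name, $2 = entry name
    [ "$1" = "$2" ]
}

# dnsmasq address=/dom/ semantics: the domain itself and every name beneath it
# are answered locally (in a block list, with a null address), so the query
# never reaches the upstream resolver.
dnsmasq_blocks() {        # $1 = queried name, $2 = domain from address=/$2/
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *)           return 1 ;;
    esac
}

# Run one query name against a space-separated list of address= domains and
# print either "allowed" or "blocked:<domain that matched>". DNS names are
# case-insensitive, so the query is lower-cased first.
classify() {              # $1 = queried name, $2 = "dom1 dom2 ..."
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    result=allowed
    for d in $2; do
        if dnsmasq_blocks "$name" "$d"; then
            result="blocked:$d"
            break
        fi
    done
    printf '%s\n' "$result"
}

# Demo: only facebook.com is listed, so the CDN name still resolves.
for q in facebook.com WWW.facebook.com notfacebook.com static.xx.fbcdn.net; do
    printf '%-24s %s\n' "$q" "$(classify "$q" 'facebook.com')"
done
```

The last query shows Monk E. Boy's later point in miniature: a single address= line catches every subdomain of the listed domain, but content served from a separate CDN domain is untouched until that domain is listed as well.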
  5. Techie007

    Techie007 Serious Server Member

    Thank you for the correction. I was familiar with how DNSmasq behaved with HOSTS files and thought it was the same here. :)
    Sean B. likes this.
  6. jsnepo

    jsnepo Networkin' Nut Member

    Isn't Facebook HTTPS which Access Restriction won't be able to block?
    Techie007 likes this.
  7. Techie007

    Techie007 Serious Server Member

    Hmm... You're right. Not because it can't work with HTTPS, but because the Access Restriction feature is quite broken in Tomato. In HTTPS, the domain name goes out in the non-encrypted header; so there is enough information to work with. However, it appears that the Access Restriction feature hasn't been coded with that bit of knowledge in mind. Which means that we would have to use an L7 filter to detect Facebook traffic.

    To create that filter, add the following code to the Administration -> Scripts -> Init section, save, and reboot your router:
    mkdir /etc/l7-extra/
    echo "facebook" > /etc/l7-extra/facebook.pat
    echo "(|" >> /etc/l7-extra/facebook.pat
    Then you would create an Access Restriction rule that looked for outgoing traffic on port 443 using the facebook L7 filter and a wildcard HTTP request. However again, the Access Restriction feature is quite broken, and I can't get it to save those settings! Everything I set in the Rules section (except for the HTTP request) doesn't save and always resets back to nothing. Besides, it appears that the HTTP request section doesn't properly recognize a blank or wildcard request as a valid filter criteria. @shibby20 @kille72

    That leaves me with one last (and not good enough) option... Create a QoS rule, setting the Src to the device IP you want to limit access to, Dst port to 443, L7 to facebook, and Rate to Crawl. And then limit Crawl to 1 - 1% bandwidth. If you have a low end connection (<10 Mb/s), it will take forever to do anything on Facebook. But if you have a fast connection, this option won't be of much use, as "slow" will be quite usable. I have implemented this just now and verified that it does in fact work. You may have to restart your web browser for the changes to take effect (due to persistent connections).

    If anyone else here knows how to implement a block with an L7 filter (or fix the bugs in the Access Restriction feature), this request could be fulfilled via Tomato.
    Last edited: Dec 30, 2017
  8. Sean B.

    Sean B. LI Guru Member

It may be enabled "out of the box" now in shibby or kille's builds, but one of the many changes I've done for myself was enable TPROXY in the kernel. Makes it easy to transparently redirect web traffic, both directions, through Squid. Squid uses an acl (access control list) structure for all of its functions, including site access/redirection/logging etc.
    Last edited: Dec 30, 2017
  9. jsnepo

    jsnepo Networkin' Nut Member

    The QoS actually works but it didn't do much since I got a 20Mbps connection. It did slow down Facebook but still within the working range.

    Will it work if I force this certain device to go through OpenDNS where I got Facebook blocked?
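Added example, not code from the thread: one way to answer jsnepo's two questions (a single client only, and sending that client through a filtering resolver such as OpenDNS) with the pieces Tomato already has, the dnsmasq custom configuration and the firewall script. The client MAC, its IP, the tag name "filtered" and the resolver address 203.0.113.53 are constructed placeholders; substitute the filtering service's real resolver addresses. dhcp-host with set:, dhcp-option with tag: and option:dns-server, and the iptables DNAT rule are standard dnsmasq and netfilter features, but the router-side wiring is my assumption, not a tested Tomato recipe.

```shell
#!/bin/sh
# Constructed example: steer one LAN client to a filtering resolver and keep it
# from bypassing that resolver. Not code from the thread. MAC, IP, tag and the
# resolver address are placeholders (203.0.113.53 is from the TEST-NET-3 range).

CLIENT_MAC=${CLIENT_MAC:-aa:bb:cc:dd:ee:01}   # constructed
CLIENT_IP=${CLIENT_IP:-192.168.1.50}           # constructed, fixed lease
FILTER_DNS=${FILTER_DNS:-203.0.113.53}         # placeholder, replace

# dnsmasq side: pin the client to a fixed lease, tag it, and hand only the
# tagged client the filtering resolver as its DNS server. Other clients keep
# using the router (dnsmasq) as before. Paste the output into Tomato's
# "Dnsmasq custom configuration" box.
dnsmasq_client_dns_conf() {     # $1 mac, $2 ip, $3 resolver, $4 tag
    printf 'dhcp-host=%s,%s,set:%s\n' "$1" "$2" "$4"
    printf 'dhcp-option=tag:%s,option:dns-server,%s\n' "$4" "$3"
}

# Firewall side: a client that hard-codes its own DNS server ignores the DHCP
# option, so rewrite its plain port-53 traffic to the filtering resolver too.
# IPT defaults to iptables; set IPT=echo to print the rules instead.
dns_redirect_rules() {          # $1 client ip, $2 resolver
    IPT=${IPT:-iptables}
    $IPT -t nat -I PREROUTING -s "$1" -p udp --dport 53 -j DNAT --to-destination "$2"
    $IPT -t nat -I PREROUTING -s "$1" -p tcp --dport 53 -j DNAT --to-destination "$2"
}

# Print the dnsmasq lines; run dns_redirect_rules from the router's firewall
# script only.
dnsmasq_client_dns_conf "$CLIENT_MAC" "$CLIENT_IP" "$FILTER_DNS" filtered
```

This covers only classic DNS on port 53. A client that resolves over HTTPS (port 443) or inside a VPN tunnel, as Monk E. Boy notes later in the thread, never shows the router a port-53 query, so the redirect cannot catch it; that is the limit of any DNS-based block, per client or not.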
  10. Monk E. Boy

    Monk E. Boy Network Guru Member

    The only way QoS would possibly work is to define one of your categories as 1% 1% for incoming and outgoing, then assign traffic to that category. It will still work but be so slow that people will insist your internet connection is broken because zomg facebook is slow. DNS filtering for facebook is quite complicated though because they don't just use they also use content delivery networks (CDNs) which also need to be blocked and it's an annoying can of worms to open. The best option is to do something like squid or another http/https real-time inspection tool to get a detailed look at connections, but then you have to deal with the annoying tendency of people to use VPN tunnels to get around blocks and having to carry around big sticks when they do that...
    Sean B. likes this.