How to block facebook access

Matthew Seaman matthew at
Sun Aug 20 12:18:17 UTC 2017

On 20/08/2017 12:44, Polytropon wrote:
>>> On the IP level, you can maintain a list of IPs to block. And
>>> you could use resolver modification to do this for you, for
>>> example when the IP for a certain Facebook service or page
>>> changes, using the resolver its new IP will be added to the
>>> block list. With this approach, you can block using both
>>> numeric IPs and domain name strings (which of course resolve
>>> to IPs, too).

>> I am unfamiliar with the "resolver modification" you speak of.
>> Is this a function in ipfilter firewall?
>> Where and how is this done?

> It's a term I probably invented because I don't know the correct
> name - if it even has a specific name. :-)

The term you're probably looking for 'RPZ' (Response Policy Zone) --
this is an extension that allows you to override what your recursive
resolver will return for certain zones:

Effectively you can load a special zone file full of domains you want to
return other than the standard response for.  These zones can be AXFR'd
between a cluster of resolvers for ease of administration.

Implemented in bind -- this isn't an IETF specification, so may not be
available in other brands of nameserver, or if it is, may not
interoperate very well between different DNS software packages.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list