How to block facebook access

Fri Aug 25 18:16:46 UTC 2017

On Tue, Aug 22, 2017 at 11:58:07PM +0100, Frank Shute wrote:
>
> On Sat, Aug 19, 2017 at 02:20:48PM -0400, Ernie Luzar wrote:
> >
> > Hello list;
> > 
> > Running 11.1 & ipfilter with LAN behind the gateway server. LAN users 
> > are using their work PC's to access facebook during work.
> > 
> > What method would recommend to block all facebook access?
> > 
>  
> Hi Ernie,
> 
> 
> My recommendation would be to set up unbound(8) on your 11.1 machine (or
> setup another) and configure everything on the LAN to use it for name
> service.
> 
> You can then shove some local records in unbound.conf(5), such as:
> 
> local-zone: "facebook.com" refuse
> local-zone: "doubleclick.net" refuse
> ...
> etc.
> 
> If you then do a lookup from the LAN:
> 
> $ host facebook.com
> Host facebook.com not found: 5(REFUSED)
> 
> Firefox and Chrome seem to handle that gracefully.
> 
> To stop any muppets who decide to use alternative name service ie. Google,
> OpenDNS etc. Configure ipfilter to drop any outgoing to 53 except from
> your unbound machine.
> 
> Of course, other benefits are: 
> 
> 1). You can cutdown on all sorts of additional superfluous traffic which
> improves all sorts of things: contention, less bandwidth & quota needed
> etc.
> 
> 2). Lookups are a lot quicker if they're cached on the LAN; which your
> users will appreciate.
> 
> This all somewhat depends on how computer savvy your users are and how
> locked down their PCs are.
> 
> If they know what they're doing then they will find away around it and
> nothing short of nuking all of Facebook's DCs will stop it. Now there's
> an idea....

Not long after I wrote the above, I came across: dns/void-zones-tools on
Freshports. It s/refuse/static/ and pulls in ~50,000 domains which are
associated with evil into unbound.conf. Read the blurb for it:

https://github.com/cyclaero/void-zones-tools

It takes it's data from half a dozen maintained lists and converts them
into the format unbound understands. You can also whitelist/blacklist
other domains/IPs.

I've only been running it for a couple of days with Adblock Plus turned
off and it seems to work fine.

Definitely a win if you maintain a LAN/VLANs with Windows clients,
especially Windows 10, as one of the lists it sucks in lists where Windows
10 builtin spywar...telemetry goes to.

My informants, who reside not a million miles from Redmond, tell me that
MS are doing "significant work" on improving their "customer experience"
of Windows 10 Telemetry.

They're not changing the code in anyway but rebranding it to:

"Visual Studio Telemetry .Net Agile"

You read it here first.

I can't tell you how proud it made me as a Brit to hear that nugget of
news. My tax pounds at work I thought, employing clueless and incompetent
Americans in a tax dodging American company's margeting department. Life
surely does not get a lot sweeter....

But then I remembered, we've got a Microsoftie on core@ and some others
slaving away in the code mines of Redmond with commit bits to src. Yes!
I was wrong, life does get even sweeter!

Regards,

-- 

Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170825/9f91f986/attachment.sig>