
Thread: How to block connection to specific host name?

  1. #1

    How to block connection to specific host name?

    I am looking for a way to block network connections to specific host name.

    Example: example.com (may have different IP addresses and not constant in time)
    Ideally I would also be interested in blocking: *.example.com

    How can I do that?

  2. #2
    Re: How to block connection to specific host name?

    As you understand, blocking in systems/routers is done by IP addresses.

    When, as you say, hostname resolution of example.com into its IP address(es) is giving other results at any moment in time, I assume that is very difficult if not impossible.

    If those addresses are always within a certain IP range, you could block that range, but I do not know if that is too much.
    Even more problematic is blocking all *.example.com (may extend into *.*.example.com, etc.?) because
    • there is no knowledge about what those * may be (and every moment DNS might get more or less of them);
    • they could have IP addresses in very different ranges.


    (And did you consider IPv6?)
    Henk van Velden

  3. #3

    Re: How to block connection to specific host name?

    Wouldn't it be possible to do it with some scripting similar to:

    https://wiki.mikrotik.com/wiki/Use_h...firewall_rules

    but without the caveats listed at the bottom of the article?

    If that is impossible - how are big networks being filtered? Someone sits and manually corrects IP address all the time or something else? I really don't know.

  4. #4
    Re: How to block connection to specific host name?

    Blocking involves installing an app to filter.

    More typically,
    Instead of blocking you can re-direct, most commonly to itself.

    You can do this by adding entries to your /etc/hosts file (directly or use YaST),
    mapping the names you want to redirect to whatever address you want... If you're administering a network you might want to redirect to a friendly message but if you don't care about that, you can map to 127.0.0.1, the result would then be something like "service not found" but exact error will depend on the app trying to connect.

    HTH,
    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5
    Re: How to block connection to specific host name?

    Originally Posted by tsu2:
    You can do this by adding entries to your /etc/hosts file (directly or use YaST),

    Hm, nice idea. But then be sure that /etc/hosts is searched before DNS. As far as I know that is the default, but better check in /etc/nsswitch.conf.

    And this will of course only work for exact hostnames, not for any hostname *.example.com.

    I have the strong idea that the OP presents us a typical case of Describe the goal, not the step.

    @heyjoe
    We have no idea why you want this, thus we cannot help you with a solution that might be quite different from what you present here. E.g. do you want to block a user from connecting? S(he) might then try to find the IP address (on another system) and connect using that. Etc., etc.
    Henk van Velden

  6. #6
    Re: How to block connection to specific host name?

    Originally Posted by hcvv:
    Hm, nice idea. But then be sure that /etc/hosts is searched before DNS.

    The hosts file is checked before making a DNS request on all OS by default, but can be changed via a DHCP option.

    TSU

  7. #7

    Re: How to block connection to specific host name?

    I already thought about the /etc/hosts trick but considering it is indeed possible to connect directly to the IP address too that wouldn't work. In this case I am willing to prevent any possibility of connection to IP addresses of a particular domain name and that should be proof to change of IP address. Is that possible?

  8. #8
    Re: How to block connection to specific host name?

    Originally Posted by tsu2:
    The hosts file is checked before making a DNS request on all OS by default, but can be changed via a DHCP option.

    TSU

    I do not know if you can change /etc/nsswitch.conf by using a DHCP server. But in any case that is the configuration file for this, regardless of who has configured it (DHCP or root). And remember nobody until now said that DHCP was used (and I doubt it is of any influence on the subject).
    Henk van Velden

  9. #9
    Re: How to block connection to specific host name?

    Originally Posted by heyjoe:
    I already thought about the /etc/hosts trick but considering it is indeed possible to connect directly to the IP address too that wouldn't work. In this case I am willing to prevent any possibility of connection to IP addresses of a particular domain name and that should be proof to change of IP address. Is that possible?

    As said earlier, I doubt it. A solution as pointed to in a link above might work, but it would involve running a script every minute? and then adapting your iptables. Not something I would want.

    And again, this is full of holes. Different host/domain names may point to the same IP address. Thus when you block the IP address that is returned from an address lookup of example.com, there is the possibility that you also block foobar.net which resolves to the same IP address.

    And again, I do not see another solution to detect if a hostname like www.abacadabra.miracle.example.com can be resolved, other than a basically endless (in time) trial and error process.


    BTW this
    I already thought about the /etc/hosts trick but considering it is indeed possible to connect directly to the IP address too that wouldn't work
    wasn't in your original question. See how important it is to explain your goal and not just pick some step and ask about that, believing that all other conditions are miraculously understood by others?
    Henk van Velden

  10. #10
    Re: How to block connection to specific host name?

    On Sat 13 Jan 2018 10:46:01 AM CST, heyjoe wrote:

    I am looking for a way to block network connections to specific host
    name.

    Example: example.com (may have different IP addresses and not constant
    in time)
    Ideally I would also be interested in blocking: *.example.com

    How can I do that?


    Hi
    Where in your network... internal or external?

    Using wicked or Network Manager?

    At a system level, hosts file point site to 127.0.0.1, then there is
    the ability for a proxy or use dnsmasq for the whole domain...

    I can block at a router level with (block via url or mac address)
    parental controls. Suggest you look here and see what options you have.

    Beyond, I could use openDNS, this has some limited free options.

    I would suggest further investigation with dnsmasq as this would block
    example.com.

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE Leap 42.3|GNOME 3.20.2|4.4.104-39-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!
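
The two name-based approaches discussed in this thread, side by side, as an added example that is not part of any post: it checks the `hosts:` lookup order in an nsswitch.conf, shows that a hosts-file entry matches only the exact name, and shows that a dnsmasq `address=/domain/addr` rule also covers every subdomain. The sample files are constructed and the function names are hypothetical; neither approach stops a connection made directly to an IP address.

```shell
#!/bin/sh
# Added example; the files below are constructed samples, not the real /etc files.
SAMPLE_DIR=$(mktemp -d)
printf 'passwd: compat\nhosts:  files mdns_minimal [NOTFOUND=return] dns\n' > "$SAMPLE_DIR/nsswitch.conf"
printf '127.0.0.1 localhost\n127.0.0.1 example.com  # redirected\n' > "$SAMPLE_DIR/hosts"

# Succeeds only if "files" comes before "dns" on the hosts: line.
files_before_dns() {            # $1 = nsswitch.conf path
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files" && !f) f = i
                 if ($i == "dns" && !d) d = i
             }
         }
         END { exit !(f && (!d || f < d)) }' "$1"
}

# Prints the address a hosts file maps NAME to; fails when there is no exact match.
hosts_lookup() {                # $1 = hosts file, $2 = name
    awk -v name="$2" '
        { sub(/#.*/, "")
          for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; hit = 1; exit } }
        END { exit !hit }' "$1"
}

# Same label-boundary match dnsmasq applies to address=/DOMAIN/ADDR rules.
dnsmasq_rule_matches() {        # $1 = rule domain, $2 = queried name
    case "$2" in
        "$1" | *."$1") return 0 ;;
        *) return 1 ;;
    esac
}

# Emits the dnsmasq lines that sink DOMAIN and every subdomain (IPv4 and IPv6).
dnsmasq_block_lines() {         # $1 = domain
    printf 'address=/%s/127.0.0.1\naddress=/%s/::1\n' "$1" "$1"
}

files_before_dns "$SAMPLE_DIR/nsswitch.conf" && echo "files is consulted before dns"
for name in example.com www.example.com; do
    if addr=$(hosts_lookup "$SAMPLE_DIR/hosts" "$name"); then h="$addr"; else h="no entry"; fi
    if dnsmasq_rule_matches example.com "$name"; then d="sunk"; else d="forwarded"; fi
    echo "$name: hosts file -> $h, dnsmasq rule -> $d"
done
dnsmasq_block_lines example.com
```

The two emitted `address=` lines go into a dnsmasq configuration file, and clients must use that dnsmasq instance as their resolver for the rule to apply.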

