How to block connection to specific host name?

I am looking for a way to block network connections to a specific host name.

Example: example.com (may have different IP addresses and not constant in time)
Ideally I would also be interested in blocking: *.example.com

How can I do that?

As you understand, blocking in systems/routers is done by IP addresses.

When, as you say, hostname resolution of example.com into its IP address(es) is giving other results at any moment in time, I assume that is very difficult if not impossible.

If those addresses are always within a certain IP range, you could block that range, but I do not know if that is too much.
Even more problematic is blocking all *.example.com (may extend into *.*.example.com, etc.?) because

  • there is no knowledge about what those * may be (and at every moment DNS might get more or less of them);
  • they could have IP addresses in very different ranges.

(And did you consider IPv6?)

Wouldn’t it be possible to do it with some scripting similar to:

https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

but without the caveats listed at the bottom of the article?

If that is impossible - how are big networks being filtered? Someone sits and manually corrects IP address all the time or something else? I really don’t know.

Blocking involves installing an app to filter.

More typically,
Instead of blocking you can re-direct, most commonly to itself.

You can do this by adding entries to your /etc/hosts file (directly or use YaST),
mapping the names you want to redirect to whatever address you want… If you’re administering a network you might want to redirect to a friendly message but if you don’t care about that, you can map to 127.0.0.1, the result would then be something like “service not found” but exact error will depend on the app trying to connect.

HTH,
TSU

Hm, nice idea. But then be sure that /etc/hosts is searched before DNS. As far as I know that is the default, but better check in /etc/nsswitch.conf.

And this will of course only work for exact hostnames, not for any hostname *.example.com.

I have the strong idea that the OP presents us a typical case of Describe the goal, not the step.

@heyjoe
We have no idea why you want this, thus we can not help you with a solution that might be quite different from what you present here. E.g. do you want to block a user from connecting? S(he) might then try to find the IP address (on another system) and connect using that. Etc., etc.

The hosts file is checked before making a DNS request on all OS by default, but can be changed via a DHCP option.

TSU

I already thought about the /etc/hosts trick but considering it is indeed possible to connect directly to the IP address too that wouldn’t work. In this case I am willing to prevent any possibility of connection to IP addresses of a particular domain name and that should be proof to change of IP address. Is that possible?

I do not know if you can change /etc/nsswitch.conf by using a DHCP server. But in any case that is the configuration file for this, regardless of who has configured it (DHCP or root). And remember nobody until now said that DHCP was used (and I doubt it is of any influence on the subject).

As said earlier, I doubt. A solution as pointed to in a link above might work, but it would involve running a script every minute? and then adapting your IPtables. Not something I would want.

And again, this is full of holes. Different host/domain names may point to the same IP address. Thus when you block the IP address that is returned from an address lookup of example.com, there is the possibility that you also block foobar.net which resolves to the same IP address.

And again, I do not see another solution to detect if a hostname like www.abacadabra.miracle.example.com can be resolved, other than a basically endless (in time) trial and error process.

BTW this

I already thought about the /etc/hosts trick but considering it is indeed possible to connect directly to the IP address too that wouldn’t work

wasn’t in your original question. See how important it is to explain your goal and not just pick some step and ask about that, believing that all other conditions are miraculously understood by others?

On Sat 13 Jan 2018 10:46:01 AM CST, heyjoe wrote:

I am looking for a way to block network connections to specific host
name.

Example: example.com (may have different IP addresses and not constant
in time)
Ideally I would also be interested in blocking: *.example.com

How can I do that?

Hi
Where in your network… internal or external?

Using wicked or Network Manager?

At a system level, hosts file point site to 127.0.0.1, then there is
the ability for a proxy or use dnsmasq for the whole domain…

I can block at a router level with (block via url or mac address)
parental controls. Suggest you look here and see what options you have.

Beyond, I could use openDNS, this has some limited free options.

I would suggest further investigation with dnsmasq as this would block
example.com.


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.3|GNOME 3.20.2|4.4.104-39-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Then how do they block Google for a whole country (for example)? Or censor another website (with all its subdomains)?

See how important it is to explain your goal and not just pick some step and ask about that, believing that all other conditions are miraculously understood by others?

The original question seems quite clear to me: It is in the title of the thread. Is it ambiguous?

I want to block LAN hosts from accessing a WAN host.

Using wicked or Network Manager?

wicked

…dnsmasq…

I know nothing about this. Is it a solution which blocks/fakes the resolving of the name to an IP address? If yes - that won’t work, as the user would still be able to connect directly by IP address as mentioned above.

Well, ask them. It is not that easy as those who slip around it can tell you.
In any case they will not block google.com or whatever, but IP addresses (ranges). And then they have to care for proxies, etc. No it is not that easy.

One does not connect to a host name. One connects to an IP address, that can be represented by one or more domain names for human convenience.

I understand.

Well then, is there any way to have some program (script) which:

  • checks the IP addresses of the hostname upon boot and then periodically (e.g. every hour, or every N hours)
  • upon detected change: to insert the new IP address in a text file and “inject” proper iptables blocking rule

?
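The script heyjoe asks for above (resolve at boot and then periodically, remember the addresses, add an iptables rule for each new one) can be written as below. This is an added example for this thread, not code from any of the posters; it assumes iptables and ip6tables are installed, takes the state file path and chain as arguments, and handles only exact host names, not *.example.com, for the reasons given earlier in the thread.

```python
#!/usr/bin/env python3
"""Resolve a host name, remember every address it has been seen at, and block
new ones with iptables/ip6tables. Meant to run at boot and then from cron.

Added example for this thread, not any poster's code. Assumes iptables and
ip6tables are installed; state file path and chain are given as arguments.
"""
import argparse
import ipaddress
import json
import socket
import subprocess
from pathlib import Path

TAG = "hostblock"  # comment attached to every rule so they can be found later


def resolve(hostname):
    """Return the set of IPv4/IPv6 addresses the resolver currently gives."""
    addrs = set()
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return addrs


def plan_changes(known, current):
    """Split addresses into (newly seen, no longer returned), both sorted.
    Addresses that drop out of DNS stay blocked: the domain may rotate back
    to them, and the goal is to survive exactly such changes."""
    return sorted(current - known), sorted(known - current)


def rule_for(addr, chain="OUTPUT"):
    """iptables/ip6tables command dropping traffic to addr on `chain`.
    OUTPUT blocks this box; on a gateway you would use FORWARD.
    Caveat raised in the thread: any other name sharing this address
    (shared web hosting) is blocked as well."""
    ip = ipaddress.ip_address(addr)
    tool = "ip6tables" if ip.version == 6 else "iptables"
    return [tool, "-A", chain, "-d", str(ip),
            "-m", "comment", "--comment", TAG, "-j", "DROP"]


def rule_present(cmd):
    """iptables -C exits 0 when an identical rule already exists."""
    check = [cmd[0], "-C"] + cmd[2:]
    return subprocess.run(check, capture_output=True).returncode == 0


def load_state(path):
    """State file: {hostname: [addresses ever seen]}; missing file -> empty."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def update(hostname, state_file, chain="OUTPUT", dry_run=False):
    """One run: resolve, diff against the state file, add missing rules."""
    state = load_state(state_file)
    known = set(state.get(hostname, []))
    current = resolve(hostname)
    new, stale = plan_changes(known, current)
    for addr in new:
        cmd = rule_for(addr, chain)
        if dry_run:
            print("would run:", " ".join(cmd))
        elif not rule_present(cmd):  # idempotent across repeated runs
            subprocess.run(cmd, check=True)
    for addr in stale:
        print(f"note: {addr} no longer returned for {hostname}; rule kept")
    state[hostname] = sorted(known | current)
    Path(state_file).write_text(json.dumps(state, indent=2, sort_keys=True))
    return new, stale


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("hostname")
    ap.add_argument("state_file")
    ap.add_argument("--chain", default="OUTPUT")
    ap.add_argument("--dry-run", action="store_true")
    a = ap.parse_args()
    update(a.hostname, a.state_file, a.chain, a.dry_run)
```

Run it once at boot and then hourly from root's crontab, e.g. (paths are placeholders) `0 * * * * /usr/local/sbin/hostblock.py example.com /var/lib/hostblock/state.json`. Rules are added with `-A` only after `iptables -C` reports them absent, so repeated runs do not pile up duplicates; the `comment` match tags them so you can list or flush them later with `iptables -S OUTPUT | grep hostblock`. Because the rules are not persisted by this script, the boot-time run is what restores them.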

Hi
But if the domain you’re trying to block has multiple servers, likewise as you add more rules your internet access will get slower and slower…

I would start with your hosts file first and see how that goes to achieve your goal esp if only looking a few domains.

You’re far better to look at a whitelist rather than a blacklist: block everything and then allow, then you’re not chasing your tail adding this, checking that.

True.

I would start with your hosts file first and see how that goes to achieve your goal esp if only looking a few domains.

Seems to be the only option for now.

You’re far better to look at a whitelist rather than a blacklist: block everything and then allow, then you’re not chasing your tail adding this, checking that.

Yeah, I thought about that too. Unfortunately creating a whitelist would be humanly impossible.

Thank you guys. I understand it is a difficult task.

On Sat 13 Jan 2018 10:06:02 PM CST, heyjoe wrote:

malcolmlewis;2851137 Wrote:
> Hi
> But if the domain you’re trying to block has multiple servers, likewise
> as you add more rules your internet access will get slower and
> slower…
True.

>
> I would start with your hosts file first and see how that goes to
> achieve your goal esp if only looking a few domains.
>
Seems to be the only option for now.

>
> You’re far better to look at a whitelist rather than a blacklist: block
> everything and then allow, then you’re not chasing your tail adding
> this, checking that.
Yeah, I thought about that too. Unfortunately creating a whitelist would
be humanly impossible.

Thank you guys. I understand it is a difficult task.

Hi
So in your local /etc/hosts file you would add:

0.0.0.0 www.example.com
0.0.0.0 example.com
::0 www.example.com
::0 example.com

Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.3|GNOME 3.20.2|4.4.104-39-default

Yes. Thanks Malcolm.

Why is the ::0 necessary if 0.0.0.0 is there?

Hi
That’s for the ipv6 address…

For 99% of those involved in decisions about blocking, Internet is a synonym for WWW, so this can be done by deep packet inspection to look for host names in HTTP requests. Which of course stops working when you use HTTPS, unless the provider applies a man-in-the-middle to decrypt SSL traffic.

Or they simply resolve the host name to IP addresses and block these IPs. Which leads to an excellent DoS possibility, as was demonstrated here half a year ago - a blocked domain entered in its DNS a list of public well-known hosts’ IPs, including some government ones. Which were all blocked. And this method obviously punishes any shared web hosting where a single IP is shared by multiple virtual hosts.

So (un-)fortunately there is no easy single way to do what you want. You need to decide for yourself what you actually want to achieve.

Or censor another website (with all its subdomains)?

This is an example of the thinking I mentioned - Internet equals WWW. So do I understand you correctly that you want to block HTTP traffic? Or do you really mean any traffic using any protocol?

Yes, I know. The question is: why is it necessary if another line says “this host resolves to 0.0.0.0”. In other words - is it possible for a host to resolve to 0.0.0.0 and still have another IPv6 address which resolves to something different from ::0?

That.

I started this thread with the idea of creating a blacklist of known malicious or non-privacy respecting hosts (PRISMed) etc. But as I read the answers I understand that may be a stupid idea because those companies actually own so many domains that one can never really know who one connects to, i.e. the only answer may be TOR.