GD Incorporation wrote:
> Dear Lee
> I did like what you wrote below. I went to whois.com and find info on
> facebook.com domain and found that they used 4 dns servers. I was thinking
> to block the DNS servers thinking that all access that goes through that
> server will be rejected. But you are right if the DNS Servers are hosted to
> important business oriented servers such as GoDaddy, then it will be
> I hope m0n0wall have a feature to block a certain domain all at once.
> Now the next question, since the m0n0wall does not seem to be able to block
> one whole domain, if I put a real web portal such as dansguardian to filter
> what websites can be accessed, shoud I put it between ADSL modem and
> Firewall or should I put it behind firewall?
You are missing the point. You are trying to keep people out of a strip
club by hiding the phone book. And badly as well. The client PC does a
DNS request to m0n0wall, as that is the DNS server for the client PC.
Assuming you do not have www.facebook.com locally, m0n0wall will do a
request to the ISP DNS server. They in turn will look at an
authoritative name server, and eventually that will look at the facebook
server. But the client PC only ever looks to m0n0wall for name resolution.
What you need to block are IP addresses. If you ping facebook.com you
will get something close to 220.127.116.11, which was different from the
last time I pinged it. If you do an 'nslookup 18.104.22.168' you will
see it is www-10-03-ash1.facebook.com, or part of a cluster. If you do
a 'whois 22.214.171.124' you get;
OrgName: Facebook, Inc.
Address: 156 University Ave, 3rd floor
City: Palo Alto
NetRange: 126.96.36.199 - 188.8.131.52
NetType: Direct Assignment
The important part is the CIDR whis is the netblock for all of facebook.
Blocking 184.108.40.206/20 will block facebook right now. It will not
block them if they move, and it may block other stuff for some. If you
do that with my company website you get;
OrgName: GoDaddy.com, Inc.
Address: 14455 N Hayden Road
Address: Suite 226
NetRange: 220.127.116.11 - 18.104.22.168
NetType: Direct Allocation
I do not work for GoDaddy.
So, yes you can do this quick and dirty in m0n0wall. To do it right,
you need a web filter of some kind.