How to block access to a specific site

Method 1: The easiest way is to use the SafeDNS Internet filter with a free trial period.

Using this service, you can protect all users of your home network from unwanted information, advertising and forbidden content.

Select the allowed categories of sites (there are over sixty categories in total), create your own 'black' and 'white' lists and analyze which sites were tried to open. You can use the SafeDNS filter to block access to all devices on your home network or only to specific devices.

Here's an example of how to block To do this, we'll blacklist, and the service will automatically suggest adding additional domains that are recommended to accept for complex blocking.


Then, in the router's web interface, turn on the SafeDNS filter on the 'Internet safety' page and set the 'Default' profile for the specific device. Depending on the task, the SafeDNS filter can also be applied to all registered and unregistered devices.


After setting this, we recommend that you restart your router and then check access to the blocked site.

In some cases, you can block access not only to a single site but to an entire category. For example, to block Skype and other messengers, block the Chats & Messengers category.


You can find more information at 

Method 2: Blocking access to sites via DNS settings in the router's web interface.

TIP: This method will only block all hosts on the local network from accessing a site you specify. It cannot be applied to a specific host.

It is configured from the router's web interface. Go to the 'Internet Safety' menu to the 'DNS Configuration' tab. Click 'Add server'.

block site 1 en.jpg

In the 'DNS server address' field, you must enter any non-existent (free, unused) IP address from the private address range. It can be an IP address from another subnet, different from the Internet centre network. In our example, when requesting the site, the host will be given a non-existent address,, and therefore, the page will not open.

block site 2 en.jpg

block site 3 en.jpg

After this setting, check access to the blocked site.

NOTE: Important! Created static DNS records have higher priority over Internet filters.

Method 3: Blocking on the router. This method has a peculiarity - it will allow you to block access to the specified site of all hosts in the local network. It can not be used for a particular host.

The configuration is performed from the command-line interface (CLI) of your Keenetic router.

To block the site, we will use the ip host command:

(config)> ip host

 Usage template:

             host {domain} {address}

For example, if you want to block access to, run the commands:

(config)> ip host
Dns::Manager: Added static record for "", address
(config)> ip host
Dns::Manager: Added static record for "", address
(config)> system configuration save

The IP address must be any non-existent (free, unused) IP address in the range of private addresses. This can be an IP address from a subnet different from the router's network.

In our example, when you access, a non-existent address of will be returned to the host, and the page will not open. In Keenetic routers, you can add up to 64 static bindings of IP addresses to the domain name using the command ip host.
To remove the binding, use the same command but add the prefix no at the beginning. For example:

(config)> no ip host
Dns::Manager: Deleted record "", address
(config)> system configuration save


NOTE: Important! Created by the ip host command, static IP to domain binding records on the router have higher priority over Internet filters.

Method 4: Blocking the site with NextDNS service.

Like SafeDNS service, NextDNS supports 'Black' (Denylist) and 'White' (Allowlist) access lists. At the beginning of 2022, it was free if the number of DNS queries was less than 300 thousand per month:
To use it, create an address profile:


Add the specified DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) server addresses to the 'Internet safety' page of the web interface:


You can read more about it in the article DNS-over-TLS and DNS-over-HTTPS proxy servers for DNS requests encryption.

After that, you can add the names of the blocked sites in the Denylist section:


You can also add the DoT and DoH server addresses specified in the profile using these commands:

dns-proxy tls upstream 853 sni
system configuration save​

dns-proxy https upstream dnsm​
system configuration save​

Make sure that you have added it correctly:

show dns-proxy:
# ndnproxy statistics file

Total incoming requests: 184
Proxy requests sent: 167
Cache hits ratio: 0.092 (17)
Memory usage: 49.46K

DNS Servers

Ip Port R.Sent A.Rcvd NX.Rcvd Med.Resp Avg.Resp Rank 40500 167 157 2 48ms 51ms 4


Method 5: Blocking the site via Keenetic firewall rules.

The article 'Firewall' gives a detailed description of how to use the Firewall in Keenetic routers.

Various examples of how to use firewall rules can be found in the article 'Firewall rule examples'.

For instance, let's block access to the site for all LAN devices using firewall rules.

NOTE: Important! Domain names cannot be used in the Keenetic firewall settings (you cannot specify a domain or site character name), but only IP addresses. Therefore, you need to determine the IP address(es) of the website you want to block before configuring the rules. A website may have multiple IP addresses, in which case you must block access to all IP addresses. Websites can also operate not only with HTTP but also with HTTPS. We recommend blocking traffic to the site using both protocols.

The first way to know the IP address of the site is to use a special command in the command line of the operating system:

nslookup <website_name>

In our example, we will run the command nslookup


The result of the above command will show the IP addresses where the website is located.

The second way to find out the site's IP address is to use one of the special online services (for example, In a special line, you will need to specify the site's name you are interested in and press the 'Check' button. After that, you will see all the IP addresses where the site works. For example:



Now that you know the IP addresses of the website, you can start creating firewall rules.

In this example, the site uses 4 IP addresses, so let's create 8 rules for the 'Home segment' LAN interface to block traffic by protocols: 4 for HTTP and 4 for HTTPS.
Create a 'Deny' rule where we specify the destination IP address (the site's IP address to be denied access to) and the protocol type (HTTP and HTTPS). We are blocking access to the site for all devices on the local network, but if you need to deny access only to a particular host, specify its IP address in the 'Source IP' field when creating the rule.



After creating the rules, test access to the site.

This method is not always convenient. For example, to block Skype at the network level, you need to know all the IP addresses it uses. Finding them all and keeping your list up to date is a challenge. Many websites also use several addresses to download their data to increase productivity.
We would recommend that you use the SafeDNS Internet filter to block such sites.

TIP: Note:

If you've been to sites you've changed settings for before, then DNS server responses are likely to be in the browser cache, the DNS client on the local computer, or the DNS caching on the router.

For the quickest application of changes in settings, you may need to restart the browser. In most cases, this is enough.

If there are no changes after restarting the browser, run the ipconfig /flushdns command on the local computer, which will clear the Windows DNS client cache.

In even rarer cases, you may need to clear the DNS cache on the router (just restart the router).


Was this article helpful?

70 out of 120 found this helpful