How to block access to a specific site

Method 1: The easiest way is to use the SafeDNS Internet filter. With the SafeDNS filter, you can block access for all devices on your home network as well as for certain devices on your home network.

Let's block the youtube.com website as an example. Add the youtube.com domain to your blacklist. When you add a domain, sites that use the YouTube service will be automatically added.

safedns-10.png

Then, in the router's web configurator, turn on the SafeDNS filter on the 'Internet safety' page and set the 'Default' profile for the specific device. Depending on the task, the SafeDNS filter can also be applied to all registered and unregistered devices.

safedns-05.png

After this setting, we recommend that you restart your router and then check access to the blocked site.

In some cases, you can block access not only to a single site, but to an entire category. For example, to block Skype and other messengers, block the Chats & Messengers category.

You can find more information on https://www.safedns.com/en/faq/

Method 2. Blocking on a router. This method has a peculiarity - it will allow you to block access of all hosts in the local network to the specified site. It can not be used for a particular host.

Configuration is performed from the command line interface (CLI) of your Keenetic router.

To block the site we will use the ip host command ip host

(config)> ip host

 Usage template:

             host {domain} {address}


For example, if you want to block access to youtube.com, run commands:

(config)> ip host youtube.com 10.10.10.5
Dns::Manager: Added static record for "youtube.com", address 10.10.10.5.
(config)> ip host www.youtube.com 10.10.10.5
Dns::Manager: Added static record for "www.youtube.com", address 10.10.10.5.
(config)> system configuration save


The IP address must be any non-existent (free, unused) IP address in the range of private addresses. This can be an IP address from a different subnet than the router's network.

In our example, when you access youtube.com, a non-existent address of 10.10.10.5 will be returned to the host and the page will not open. In Keenetic routers you can add up to 64 static bindings of IP-addresses to the domain name using the command ip host.
To remove the binding, use the same command but add the prefix no at the beginning. For example:

(config)> no ip host youtube.com 10.10.10.5
Dns::Manager: Deleted record "youtube.com", address 10.10.10.5.
(config)> system configuration save

 

NOTE: Important! Created by the ip host comand static IP to domain binding records on the router have higher priority over Internet filters.

Method 3. Blocking the site via Keenetic firewall rules.

Detailed description of how to use the Firewall in Keenetic routers is given in the article 'Firewall'.

Various examples of how to use firewall rules can be found in the article 'Firewall rule examples'.

For instance, let's block access to the Love.Ru social networking site for all LAN devices using firewall rules.

NOTE: Important! Domain names cannot be used in the Keenetic firewall settings (you cannot specify a domain or site character name), but only IP addresses. Therefore, you need to find out the IP address(es) of the website you want to block before configuring the rules. A website may have multiple IP addresses, in which case you must block access to all IP addresses. Websites can also operate not only with HTTP, but also with HTTPS. We recommend blocking traffic to the site using both protocols.

The first way to know the IP-address of the site is to use a special command in the command line of the operating system:

nslookup <website_name>


In our example, we will run the command nslookup love.ru

nslookup-01-en.png

The result of the above command will show the IP addresses where the website is located.

The second way to find out the IP address of the site is to use one of the special online services (for example, 2ip.io). In a special line you will need to specify the name of the site you are interested in and press the 'Check' button. After that you will see all the IP-addresses where the site works. For example:

nslookup-02-en.png

Now that you know the IP addresses of the website, you can start creating firewall rules.

In this example, the site uses 4 IP addresses, so let's create 8 rules for the 'Home segment' LAN interface to block traffic by protocols: 4 for HTTP and 4 for HTTPS.
Create a 'Deny' rule where we specify the destination IP address (the IP address of the site to be denied access to) and the protocol type (HTTP and HTTPS). We are blocking access to the site for all devices on the local network, but if you need to deny access only to a particular host, specify its IP address in the 'Source IP' field when creating the rule.

fw-01-en.png

fw-02-en.png

After creating the rules, test access to the site.

This method is not always convenient. For example, to block Skype at the network level, you need to know all the IP addresses it uses. Finding them all and keeping your list up to date is a challenge. Many websites also use several different addresses to download their data in order to increase productivity.

TIP: Note:

If you've been to sites you've changed settings for before, then DNS server responses are likely to be in the browser cache, the DNS client on the local computer, or the DNS caching on the router.

For the quickest applying of changes in settings you may need to restart the browser. In most cases this is enough.

If there are no changes after restarting the browser, run the ipconfig /flushdns command on the local computer, which will clear the Windows DNS client cache.

In even rarer cases you may need to clear the DNS cache on the router (just restart the router).

 

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.