mia wrote, On 10/18/13 16:33:
If you're handling DHCP for all of the traffic for your site, why not
just set up a dns server, point your dhcp clients to this DNS server
and create an authoritative zone for facebook.com that points to
somewhere other than facebook?
Running your own DNS resolver is the best solution to deny the whole
network facebook access. With Unbound this is simple:
# This will block facebook.com and all subdomains.
local-zone: "facebook.com" redirect
local-data: "facebook.com A 127.0.0.1"
The more savvy users could get around this by altering their DNS servers
manually, which you can stop by blocking DNS traffic out of your network;
this has the added bonus of cutting down bandwidth out of your network.
Exactly!
If they get really sneaky and try to put host entries in for facebook,
you can do as you've been doing, blocking IPs, and maybe create a
script that does an hourly lookup of all facebook IPs, have it
update your pf config and then reload pf.
If it gets to this point, I'd say they should lose their network
privileges. ;-) Next thing you know they will be using a proxy server to
circumvent your IP block. There's always a way around.
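A sketch of the hourly lookup script mia suggests, written as an added example that is not part of this thread. It assumes a pf table named `facebook` already declared in pf.conf (`table <facebook> persist` with a `block out quick to <facebook>` rule), `dig` from BIND tools, and a cron entry that calls it with `update`; the names, table name and file path are placeholders to adjust.

```shell
#!/bin/sh
# Hourly refresh of a pf table with the addresses facebook.com currently
# resolves to. Assumed pf.conf lines (placeholder names):
#   table <facebook> persist
#   block out quick to <facebook>
# Cron entry (assumption): 0 * * * * /usr/local/sbin/fb-table.sh update
NAMES="facebook.com www.facebook.com"   # names to resolve; extend as needed
TABLE="facebook"
TABLE_FILE="/etc/pf.facebook"           # placeholder path

# Keep only well-formed IPv4 addresses from resolver output, one per line,
# sorted and de-duplicated. "dig +short" also prints CNAME targets and
# AAAA answers, which must not end up in an IPv4 table.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | awk -F. '$1<256 && $2<256 && $3<256 && $4<256' \
        | sort -u
}

# Resolve every name in NAMES through the local resolver and print the
# filtered addresses (this part needs the network).
resolve_names() {
    for n in $NAMES; do
        dig +short "$n" A
    done | filter_ipv4
}

# Write the address list and replace the table contents in one step.
# An empty result is treated as a lookup failure so a transient DNS
# outage does not silently empty the block list.
update_table() {
    addrs=$(resolve_names)
    if [ -z "$addrs" ]; then
        echo "lookup returned nothing; table left unchanged" >&2
        return 1
    fi
    printf '%s\n' "$addrs" > "$TABLE_FILE.tmp" && mv "$TABLE_FILE.tmp" "$TABLE_FILE"
    pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
}

case "${1:-}" in
    update) update_table ;;
esac
```

Note that this only catches the addresses the listed names resolve to at each run, so CDN rotation and other hostnames can still slip through; the DNS redirect plus blocking outbound port 53 remains the primary control.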