On Fri, 18 Oct 2013 17:24:52 -0700, Clint Pachl <pa...@ecentryx.com> wrote:
Hi Clint!

> mia wrote, On 10/18/13 16:33:
> > If you're handling DHCP for all of the traffic for your site, why
> > not just set up a dns server, point your dhcp clients to this DNS
> > server and create an authoritative zone for facebook.com that
> > points to somewhere other than facebook?
>
> Running your own DNS resolver is the best solution to deny the
> whole network facebook access. With Unbound this is simple:
>
> # This will block facebook.com and all subdomains.
> local-zone: "facebook.com" redirect
> local-data: "facebook.com A 127.0.0.1"
>

Being just a 'Joe Average'-user I haven't found the time to investigate if unbound is a gain for me. But I take your advice as a request to myself that I should get my priorities right... setting up a separate DNS-server is a possible way to go anyway.

> > The more savvy users could get around this by altering their dns
> > servers manually which you can stop by blocking DNS traffic out of
> > your network, this has the added bonus of cutting down bandwidth
> > out of your network.
> Exactly!
>

Yep - I can only salute your experiences and insight into 'real' networks. But for me this is 'only' a family affair of mostly grown-ups: If my kids feel I am too restrictive they come up with reasonable suggestions (I know they are really special!). I don't want them to avoid FB as they receive necessary information from their universities: I just want to prevent FB from getting in touch with my net and our private data! BIG difference!

> > If they get really sneaky and try to put host entries in for
> > facebook, you can do as you've been doing, blocking IPs, and maybe
> > create a script that does an hourly lookup of all facebook IPs and
> > having it update your pf config and then reloading pf.
> If it gets to this point, I'd say they should lose their network
> privileges. ;-) Next thing you know they will be using a proxy server
> to circumvent your IP block. There's always a way around.
>

You're right - if anyone in my family _really_ wants to connect to FB I will not be able to prevent it. This is why I try to persuade them of MY reservations towards any 'social network' and the news lately was really supportive... :-) Lucky me that they trust me to find a solution to THEIR requirements as they have understood why I need to provide a certain level of confidentiality towards my customers.

Anyway: A big THANK YOU to you too for sharing your experience!

Have a nice Sunday!

Regards,
STEFAN

With kind regards,

STEFAN WOLLNY
Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0
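
The hourly lookup script suggested in the quoted text, sketched as an added example that is not part of the original thread: it refreshes a pf table instead of rewriting pf.conf and reloading. The table name, the domain list and the pf.conf lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): refresh a pf table from DNS lookups.
# Assumed names: table "blocked_hosts" and the DOMAINS list below.
# Assumed to already exist in pf.conf:
#   table <blocked_hosts> persist
#   block return out quick to <blocked_hosts>
# IPv4 only; AAAA records would need a second pass.
TABLE="blocked_hosts"
DOMAINS="facebook.com www.facebook.com"

# Keep only well-formed IPv4 addresses from resolver output on stdin.
# `dig +short` also prints CNAME targets, which must not reach pfctl.
extract_ipv4() {
    awk -F. '
        NF == 4 && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
            if (ok) print
        }' | sort -u
}

# Resolve every domain and print the de-duplicated address list.
resolve_all() {
    for d in $DOMAINS; do
        dig +short A "$d"
    done | extract_ipv4
}

# Replace the table contents in one step. An empty result (resolver down,
# lookup failure) leaves the table untouched instead of clearing the block.
refresh_table() {
    tmp=$(mktemp) || return 1
    resolve_all > "$tmp"
    if [ -s "$tmp" ]; then
        pfctl -t "$TABLE" -T replace -f "$tmp"
        rc=$?
    else
        echo "no addresses resolved; table left unchanged" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Hourly from root's crontab: 0 * * * * /path/to/script --apply
if [ "${1:-}" = "--apply" ]; then
    refresh_table
fi
```

A list built this way only contains the addresses the resolver returned at lookup time, so it complements the DNS-level block rather than replacing it.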