On Fri, 18 Oct 2013 17:24:52 -0700,
Clint Pachl <pa...@ecentryx.com> wrote:

Hi Clint!

> mia wrote, On 10/18/13 16:33:
> > If you're handling DHCP for all of the traffic for your site, why
> > not just set up a dns server, point your dhcp clients to this DNS
> > server and create an authoritative zone for facebook.com that
> > points to somewhere other than facebook?
> 
> Running your own DNS resolver is the best solution to deny the
> whole network facebook access. With Unbound this is simple:
> 
> # This will block facebook.com and all subdomains.
> local-zone: "facebook.com" redirect
> local-data: "facebook.com A 127.0.0.1"
> 

Being just a 'Joe Average'-user I haven't found the time to investigate
if unbound is a gain for me. But I take your advice as a request to
myself that I should get my priorities right... setting up a separate
DNS-server is a possible way to go anyway.

> > The more savvy users could get around this by altering their dns
> > servers manually, which you can stop by blocking DNS traffic out of
> > your network; this has the added bonus of cutting down bandwidth
> > out of your network.
> Exactly!
> 
Yep - I can only salute your experiences and insight into 'real'
networks. But for me this is 'only' a family affair of mostly
grown-ups: If my kids feel I am too restrictive they come up with
reasonable suggestions (I know they are really special!). I don't want
them to avoid FB as they receive necessary info from their universities:
I just want to prevent FB from getting in touch with my net and our
private data! BIG difference!
 
> > If they get really sneaky and try to put host entries in for
> > facebook, you can do as you've been doing, blocking IPs, and maybe
> > create a script that does an hourly lookup of all facebook IPs and
> > having it update your pf config and then reloading pf.
> If it gets to this point, I'd say they should lose their network 
> privileges. ;-) Next thing you know they will be using a proxy server
> to circumvent your IP block. There's always a way around.
> 

You're right - if anyone of my family _really_ wants to connect to FB I
will not be able to prevent it. This is why I try to persuade them of
MY reservations towards any 'social network' and the news lately were
really supportive... :-)
Lucky me that they trust me to find a solution to THEIR requirements as
they have understood why I need to provide a certain level of
confidentiality towards my customers.

Anyway: A big THANK YOU to you too for sharing your experience!

Have a nice Sunday!

Regards,
STEFAN

Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0
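
The Unbound redirect zone quoted above, generalized to a list of domains. This is an added example, not code from anyone in the thread: it reads domains on stdin and prints `local-zone`/`local-data` lines for a file pulled in with Unbound's `include:` directive. The function names, the `SINK_V4`/`SINK_V6` variables and the extra AAAA record are assumptions of this example.

```shell
#!/bin/sh
# Added example: build Unbound redirect zones from a domain list.

# Print the config lines for one domain. Returns 1 for anything that is not
# a plain multi-label hostname, so quotes or other characters from an
# untrusted list can never end up inside unbound.conf.
unbound_block_entry() {
    domain=$1
    case $domain in
        ''|*[!a-z0-9.-]*|.*|*..*|-*|*-) return 1 ;;
    esac
    case $domain in
        *.*) ;;
        *) return 1 ;;   # refuse single labels such as "com"
    esac
    # "redirect" answers for the name itself and every subdomain.
    printf 'local-zone: "%s" redirect\n' "$domain"
    printf 'local-data: "%s A %s"\n' "$domain" "${SINK_V4:-127.0.0.1}"
    printf 'local-data: "%s AAAA %s"\n' "$domain" "${SINK_V6:-::1}"
}

# Read one domain per line on stdin. Comments, whitespace and a trailing
# dot are stripped, names are lower-cased and de-duplicated (Unbound
# rejects a zone that is declared twice), invalid entries go to stderr.
unbound_blocklist() {
    tr 'A-Z' 'a-z' |
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' |
    sort -u |
    while IFS= read -r d; do
        unbound_block_entry "$d" || echo "skipped invalid entry: $d" >&2
    done
}

# Typical use (file names are placeholders):
#   unbound_blocklist < blocked-domains.txt > blocklist.conf
#   unbound-checkconf    # validate before reloading the resolver
```

As the quoted replies note, this only affects clients that actually use the resolver, so it is usually paired with a pf rule that blocks outbound DNS to any other server.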
