On Fri, Oct 18, 2013 at 8:24 PM, Clint Pachl <pa...@ecentryx.com> wrote:
> Running your own DNS resolver is the best solution to deny the whole
> network facebook access. With Unbound this is simple:
>
> # This will block facebook.com and all subdomains.
> local-zone: "facebook.com" redirect
> local-data: "facebook.com A 127.0.0.1"
I use:

local-zone: "facebook.com." refuse
local-zone: "fb.me." refuse

Of course if the client system has secondary DNS servers configured AND has access to them, Unbound's refusal won't help much. But that is simply stopped at the firewall (no outbound DNS except via the server).

Using refuse vs redirect could also be useful if you want guests to be able to access the refused domains - have the DHCP server assign the guest pool a secondary public DNS and allow that pool to pass outbound DNS to the secondary servers.

Chris
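A small generator for the kind of Unbound local-zone fragment both messages describe, added here as an example and not code from either poster. It relies on the behaviour stated above (a local-zone entry covers the zone and all of its subdomains, so child entries are redundant and are dropped), supports both the "refuse" and the "redirect" policy, and the 127.0.0.1 redirect target is only a default taken from the quoted snippet.

```python
"""Build an Unbound local-zone fragment that blocks a set of domains.

Constructed example: emits either the "refuse" policy (clients get REFUSED)
or the "redirect" policy (every name under the zone answers with one
address), and removes entries already covered by a parent zone, because
local-zone applies to the zone and all of its subdomains.
"""
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case, trim, validate labels and return a fully qualified name (trailing dot)."""
    name = name.strip().lower().rstrip(".")
    if not name or any(not LABEL_RE.match(label) for label in name.split(".")):
        raise ValueError(f"invalid domain name: {name!r}")
    return name + "."


def covered_by(name: str, zones) -> bool:
    """True if `name` equals, or lies under, any zone in `zones` (all fully qualified)."""
    return any(name == z or name.endswith("." + z) for z in zones)


def unbound_block_fragment(domains, mode="refuse", redirect_to="127.0.0.1"):
    """Return unbound.conf lines blocking `domains` and everything beneath them."""
    if mode not in ("refuse", "redirect"):
        raise ValueError("mode must be 'refuse' or 'redirect'")
    zones = []
    # Parents (fewer labels) first, then names are deterministic within a level,
    # so a child such as www.facebook.com. is seen after facebook.com. and skipped.
    for zone in sorted({normalize(d) for d in domains}, key=lambda z: (z.count("."), z)):
        if not covered_by(zone, zones):
            zones.append(zone)
    lines = [f"# generated: {mode} policy for {len(zones)} zone(s)"]
    for zone in zones:
        lines.append(f'local-zone: "{zone}" {mode}')
        if mode == "redirect":
            # redirect needs local-data to answer with; the A record applies to the whole zone.
            lines.append(f'local-data: "{zone} A {redirect_to}"')
    return lines


if __name__ == "__main__":
    print("\n".join(unbound_block_fragment(["www.Facebook.com", "facebook.com", "fb.me"])))
```

Paste the printed lines into the server clause of unbound.conf and run unbound-checkconf before reloading.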