Blocking specific URL access (like youtube) for specific devices on LAN

A fairly standard parenting question, and part of me struggles that in 2024 there isn’t a turnkey solution I can just stumble over to do this. But hey. I found this:

and tried it but it didn’t work, and I figure that’s because I have dnsmasq indeed but only set up as a DHCP server not a DNS, we have the Knot Resolver or that.

So I’m wondering (given pakon does not work for me at all alas - just hangs - and I am still hoping to upgrade my router when I have time and find it working) if there’s a way to configure kresd and the firewall to achieve this outcome. Essentially, I want in its simplest form, say: No access to youtube from the device with a given IP or MAC …

Are you sure that the users won’t be “clever” enough to set 8.8.8.8 as their DNS, for example? (or dns-over-https even)

You can work around that with setting a firewall rule that drops any DNS request (so accessing IP:<57-58>) with IPs other than the one of your DNS, right? This is at least what is advised for working with pihole to avoid “DNS bleeding”, if I remember correctly.

Yes, such setups exist. I’m not aware of anyone connecting Knot Resolver with firewall so far.

Fairly sure for now (too young), but it would be even better if it was blocked at the DNS request level passing through the router or even by specifying the known IPs to which the names resolve etc.

If you’re referring to configuring kresd like the tutorial above configures dnsmasq, then I’d love to know how. To ask kresd to not resolve given names when the request originates from a given IP or MAC.

Everything has a workaround with enough smarts and effort IMGHO, not least as from a given age if the kids have a SIM using the 4G or 5G network and not the LAN. But what I’m hoping for is a solution in these bridging years, and remain admittedly dismayed and surprised that there isn’t a turnkey solution for parents in this space yet in the world that I haven’t stumbled upon (and is either free, or eminently affordable and worth investing in I guess).

I’d love some specific examples of configs either using Luci or uci or editing config files (in that order of simplicity preferences). Either way I keep explicit notes on any such configs ;-).

Based on IP it is possible, though not easy perhaps.

So as a quick 50% solution, install adblock and put all offensive stuff in the deny list. Then use Firefox with DoH to access such sites, sidestepping the adblocker (might require disabling DNS hijacking in adblock).

Yes this completely misses the ‘for specific devices on LAN’ requirement, hence 50% solution…


Try this Looking Block specific websites by domain (not IP) - #4 by xsys
Additionally, you may need to have the kids’ devices on a different VLAN than your device, in order to apply the YouTube filtering only on the kids’ devices.

Indeed that is the challenge. Alas upskilling on vlans is another whole chapter. I mean I’ve been meaning to, but not done yet. And this is not a bad catalyst, throwing the first question out: is it possible from a given WAP that anyone in the house can use, to ensure that devices with a particular MAC or IP address (once assigned by DHCP) are on one vlan while everyone else is on another? Lots to learn here, but is that even a sensible question/possibility?

If you will attach one wifi network to VLAN, all devices connected to that wifi network will be part of that VLAN.
For VLAN, you can set up PiHole in an LXC container and set it for that VLAN as DNS, or choose some DNS with site blocking possibility (AdGuard, Cloudflare?).
This all is due to, as I can remember, that AdBlock cannot be set to work/not work only for one VLAN. At least it was like that a few years ago.

But remember, that children are smart and they will find some way how to bypass your effort :smiley:

That might be the goal (and/or likely outcome) of that exercise, to make the kids get creative :wink: but it should buy some time for their media judgement capabilities to develop…
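
For the per-client kresd blocking asked about in the thread, a sketch of a custom Knot Resolver (5.x) configuration using its `view` and `policy` modules. This is an added example, not a config posted by any participant. The client address 192.168.1.50 (assumed to be a static DHCP lease for the child's device) and the domain list are constructed sample values, and how the file gets included in kresd's configuration depends on the router's setup.

```lua
-- Added example: per-client domain blocking in kresd (Knot Resolver 5.x).
-- All addresses and names below are constructed sample values.

-- The view module selects a policy based on the source address of the query.
modules.load('view')

-- Domains to refuse for the restricted device. policy.suffix matches the
-- name itself and every subdomain (e.g. www.youtube.com, m.youtube.com).
local blocked = policy.todnames({
    'youtube.com.',
    'youtu.be.',
    'googlevideo.com.',
    'ytimg.com.',
})

-- Assumption: the device keeps this address through a static DHCP lease.
-- kresd only sees IP addresses, so matching on MAC is not possible here;
-- the lease is what ties the MAC to the address.
local restricted_client = '192.168.1.50/32'

-- Queries from the restricted client for any blocked suffix get NXDOMAIN.
-- Queries from every other client, and all other names, resolve normally.
view:addr(restricted_client, policy.suffix(policy.DENY, blocked))
```

This only affects queries that actually reach the router's resolver, so it relies on the firewall rule discussed earlier in the thread to stop the device from using another DNS server, and it does not cover DNS-over-HTTPS.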