
I want to prevent my daughter from accessing YouTube while she's attending school. So I was thinking to add protections in iptables. Unfortunately, when she goes to YouTube, the DNS resolves to IP addresses which reverse lookup to 1e100.net (which is owned by Google, no worries there), so... a reverse lookup block is not possible, or is it?

What other way do I have at my disposal to block such accesses?

Are the 1e100.net gateways (load balancers) to all the Google services or is each computer specific to one service? (i.e. if I block that specific IP address, would I also be blocking say Google Sheets, Google Translation, etc.?)

I've also blocked the DNS, but obviously if the computer keeps its cache, my server can't prevent connection attempts to old IPs cached on my daughter's computer.

One thing I tried without much success:

/sbin/iptables -A daughter -i eth1 -m string --string "youtube.com" --algo bm -j REJECT
/sbin/iptables -A daughter -i eth1 -m string --hex-string "|07|youtube|03|com" --algo bm -j REJECT

These rules block requests with SNI and DNS requests to get any youtube.com IP address.

Alexis Wilke
  • There is no generic "firewall". It is unknown what your specific one can do. It is unknown what other options are within your reach if your specific firewall is not suitable for this task. Therefore the question cannot be answered based on the current information. For example: would it be possible to use some solution with (limited) DPI which can extract the target domain from the request and block based on this. Or would using an explicit local proxy be possible. Or installing some software on the (unknown) device of your daughter ... – Steffen Ullrich Nov 10 '20 at 21:58
  • @SteffenUllrich I made some updates. My server is Ubuntu 18.04 at the moment. Obviously, all accesses use HTTPS, so parsing those packets is not going to do much good. – Alexis Wilke Nov 10 '20 at 22:07
  • You could for example use an explicit proxy or even a transparent proxy to block the connections. Explicit proxy is easier, but with a transparent one you could filter based on the ClientHello SNI. See https://wiki.squid-cache.org/Features/SslPeekAndSplice. Details on how to create a transparent proxy and configure it are off-topic though. But you could try serverfault.com if you run into problems. Or you could try to filter the SNI within iptables - https://github.com/Lochnair/xt_tls – Steffen Ullrich Nov 10 '20 at 22:12
  • Wouldn't the SNI be caught with my rule above? Is it included in all the requests? Could it be split between multiple packets? Couldn't it be changing from Youtube.com to 1e100.net once the main page is loaded? (i.e. if she keeps a page opened, it continues to function) Note that I tried with squid and it just blocks all HTTPS traffic (works fine with HTTP). – Alexis Wilke Nov 10 '20 at 22:30
  • Hm, good point. But Youtube might use QUIC (HTTP/3) which is UDP which might not be covered by your rules (which are shown out of any context). Have you checked that the specific traffic even passes through these rules? – Steffen Ullrich Nov 10 '20 at 22:51
  • "obviously if the computer keeps its cache..." those will go away, I see www.youtube.com as a CNAME to youtube-ui.l.google.com with a TTL of one day, and each youtube-ui.l.google.com with a TTL of 5 minutes. Not to mention that would be gone when she reboots. – Ángel Nov 10 '20 at 23:29
  • Rather than using a technical YouTube block, wouldn't it be preferable to have 'a talk' with her? If she is attending school (remotely due to Covid-19, I guess), she shouldn't have much opportunity to view videos during the class (unless the teacher directs them to watch certain videos, or they streamed the class via youtube). – Ángel Nov 10 '20 at 23:33
  • @Angel, we've tried the talk but I guess the distraction is just too strong. Yes. COVID. One idea was to direct his computer DNS to my server DNS and add fake IPs (like 127.0.0.1) for that domain. 5 min. would be good enough. The problem otherwise is that I only want to block those during the school day, not 24/7. – Alexis Wilke Nov 11 '20 at 00:53
  • @SteffenUllrich I've seen quite a few hits on those two rules. The counters are going up. So it does catch some of the traffic, but somehow the website mostly works (which may be because she still has a window open, so opening a new window may fail, but the old ones not using "youtube.com" work). – Alexis Wilke Nov 11 '20 at 00:57
  • A short TTL would allow only blocking that for a few hours. There's something else going on. – Ángel Nov 11 '20 at 22:18

2 Answers

Attacking this problem at the DNS layer is going to be problematic... better to attack the problem at the application layer. Parental control software is designed specifically for this use case, and finding lists of software with reviews is easy. A good package will also handle nuances like blocking sites during school hours but permitting access after school.

gowenfawr
  • Anything for a real server? Like you know, Linux? – Alexis Wilke Nov 10 '20 at 22:32
  • You could set up a proxy server like [Squid](https://www.howtoforge.com/filtering-https-traffic-with-squid) or [dansguardian](https://www.instructables.com/Set-up-web-content-filtering-in-4-steps-with-Ubunt/) and do content filtering, but that's likely to be an involved project. – gowenfawr Nov 10 '20 at 22:55
  • @AlexisWilke - make your mind up - are you talking about real servers or linux? :) – James Snell Nov 11 '20 at 00:53

TL;DR - you can't do it reliably via IP; but you can stop it using your own DNS.

The only way you can reliably do it by IP is to block google's entire infrastructure by ASN. Don't get me wrong, it's both fun and educational to see how many services and sites (like this one) don't work properly without the benevolence of the all-seeing googly-eye - but it's impractical if you want to get anything done.

It's no big deal to block any whole domain at the DNS request level; a block on youtube's domains directly would kill it, as you can have your DNS server reply to a request for youtube.com with NXDOMAIN (or localhost or your server's IP).

A product like pihole is easy to set up and would take care of that in a VM easily, or if you want it the hard way, set up unbound with a cron job to add & remove the appropriate entries at the start and end of the day.

Then you just need to ensure that she's not bypassing your DNS server - so you'd need to firewall off outside DNS services, DNS-over-https, VPNs etc. She'll get an ugly certificate error when she hits the block, but it'll work.

James Snell
  • Forcing the DNS should be easy with a DNAT/SNAT in the firewall which I can dynamically update at certain time in the day. However, I'm not too sure how DNS-over-https could be circumvented. I would imagine Chrome uses that already? – Alexis Wilke Nov 11 '20 at 01:08
  • You can usually turn it off in browsers (don't know about the youtube app though), but DoH is blocked using a variety of tools - Firefox will turn off its DoH if it gets an NXDOMAIN for a specific DNS lookup IIRC, or you can use the enterprise tools, there's probably something similar for Chrome, and there are lists of DoH servers you can drop into iptables to block as well. 8.8.8.8 and 8.8.4.4 can be safely blocked by IP. – James Snell Nov 11 '20 at 01:18
  • The issue with using reverse-NAT to block is that's only IP4. So not something I recommend, personally. – James Snell Nov 11 '20 at 01:20
  • I don't think Chrome uses DoH, yet... You could still probably get NAT to work with IPv6 if really needed. Or just block anything that's not your DNS server. – multithr3at3d Nov 11 '20 at 14:22
  • For Firefox: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https and it explains the canary domain. – Patrick Mevzek Nov 11 '20 at 16:15
  • Chrome uses DoH already (see https://www.howtogeek.com/660088/how-to-enable-dns-over-https-in-google-chrome/ for example) but in a fashion that seems far better to me than Firefox, which decided to just hijack all local DNS configuration: in Chrome, when it detects you are using a nameserver that it knows has a DoH endpoint too, it switches to DoH for that nameserver, so in a way silently upgrading you to a secure connection without hijacking your configuration. – Patrick Mevzek Nov 11 '20 at 16:16
  • Also, besides DNS over HTTPS and over TLS, which are standardized now, DNS over QUIC is also being worked on. I am pretty sure Chrome will switch to that as soon as possible, if it has not already silently and experimentally done so. – Patrick Mevzek Nov 11 '20 at 16:17
  • @PatrickMevzek Yes, Chrome already uses QUIC against web servers that support that protocol. – Alexis Wilke Nov 11 '20 at 23:37
  • @AlexisWilke That is a given, my comment was around QUIC for DNS queries... (instead of HTTPS/TLS) – Patrick Mevzek Nov 12 '20 at 00:53
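Putting this answer's unbound-plus-cron approach together with the bypass blocks raised in the comments (DNS forced through the local resolver with NAT, DoT, QUIC on UDP 443, Google's public resolvers), as an added example that is not code from the answer or the question. It assumes the asker's `daughter` chain on `eth1`, a working `unbound-control`, and the crontab times shown; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the answer or the question. Cron-driven school-hours
# block: (1) the local unbound resolver answers NXDOMAIN for YouTube's domains,
# (2) LAN clients on eth1 are forced through it with a port-53 REDIRECT,
# (3) bypasses named in the thread are rejected: DoT (tcp/853), QUIC/HTTP3
# (udp/443) and Google's 8.8.8.8 / 8.8.4.4 resolvers.
# Assumed: chain "daughter" on eth1 (from the question), unbound-control set up,
# the crontab times below. DRY_RUN=1 prints commands instead of executing them.
set -eu

LAN_IF=${LAN_IF:-eth1}
CHAIN=${CHAIN:-daughter}
# use-application-dns.net is Firefox's DoH canary: NXDOMAIN for it keeps
# Firefox on the system resolver instead of silently switching to DoH.
BLOCKED="youtube.com. youtu.be. googlevideo.com. use-application-dns.net."

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

fw() {  # fw A|D : append or delete the same rule list
    run iptables -t nat "-$1" PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT
    run iptables -t nat "-$1" PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j REDIRECT
    run iptables "-$1" "$CHAIN" -i "$LAN_IF" -p tcp --dport 853 -j REJECT  # DoT
    run iptables "-$1" "$CHAIN" -i "$LAN_IF" -p udp --dport 443 -j REJECT  # QUIC
    for ip in 8.8.8.8 8.8.4.4; do                                          # DoH
        run iptables "-$1" "$CHAIN" -i "$LAN_IF" -d "$ip" -j REJECT
    done
}

block_on() {
    for z in $BLOCKED; do
        run unbound-control local_zone "$z" always_nxdomain
        run unbound-control flush_zone "$z"   # drop answers cached before the block
    done
    fw A
}

block_off() {
    for z in $BLOCKED; do
        run unbound-control local_zone_remove "$z"
    done
    fw D
}

# crontab (Mon-Fri, assumed 08:00-15:30 school day; script path is hypothetical):
#   0  8 * * 1-5 /usr/local/sbin/school-block.sh on
#   30 15 * * 1-5 /usr/local/sbin/school-block.sh off
case "${1:-}" in
    on)  block_on ;;
    off) block_off ;;
esac
```

Answers already cached on the client machine expire on their own within the 5-minute TTL noted in the comments, so the block takes effect a few minutes after the `on` run.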