
I want to set up a router to block the whole of the internet except for user-specified domains.

Similar questions have been asked here (like this), but they're asked by people who are aiming to manually implement things that I don't understand. I'm just a layman and I'm not anywhere near equipped to do that. OpenDNS has a service like this, but in order to access it, you have to have a "Home VIP" account which costs $20/year, and you can only whitelist up to 50 sites.

The two main drawbacks of the OpenDNS route are that it costs money and that the limit on the number of sites you can whitelist is fairly low. I would prefer 100+.

Does anybody know of a service that can provide this functionality, or something close to it?

Grant
    I don't mean to be mean here, "I'm just a layman and I'm not anywhere near equipped to do that." pretty much means most of the answers you'd get here are out of the scope of the site - have a quick look at the [faq] to get what I mean. I'd also consider *what is free to me* - would you accept a simple solution you run yourself (untangle is worth a look), or if you want to make your current gear do this. There's *always* a tradeoff and it's useful to ask yourself what that tradeoff is, and what skills and resources you're willing to put into it - as per @wesleydavid's answer. – Journeyman Geek Mar 31 '13 at 06:31
  • This is normally done through the use of a web proxy server such as squid, not via DNS hacks. – Michael Hampton Mar 31 '13 at 15:52
  • I would just use http://www.statdns.com/api/ to do DNS queries through HTTP and circumvent your system. – Ryan Ries Mar 31 '13 at 16:10

1 Answer


So you want:

  1. Something that enables you to only allow white-list based DNS resolution to 100 or more domains.
  2. Something that's point-n-click simple, or nearly so.
  3. Has to be free.

The answer is, in a word: NOPE.

Furthermore, know that using DNS as a method of locking down users will require you to restrict all DNS queries leaving your network. Queries will need to be only allowed out of your firewall if they are aimed at approved DNS servers. Doubly furthermore, users can simply edit their hosts file or use some kind of internal DNS server to circumvent that as well.

"My users aren't technical. They won't do that."

They might not be technical, but never underestimate the mental stamina of a person intent on checking their fantasy football brackets. Or porn. It's always porn. People go from "I FORGOT HOW TO COMPUTER" to "I'm haxen ur boxxen lol" before the workweek is out to get what they want.

"I've locked everything down and no one can mess with any setting that pertains to name resolution."

Well okay then. Make sure you attempt to falsify that statement. Preferably using a test subject under the age of 16 who wants to surf a torrent site.

Oh noes what do I do?!

In a choice between free, highly functional, and Fisher-Price easy, you can have two. Maybe. My recommendation is to set up your own internal DNS server and make your own whitelist. Too technical? What you're asking is, by nature, technical. Thus you either exchange currency for it or the sweat of your brow.

Parting notes: Make sure to block all outbound DNS queries except from that server you set up. Otherwise, stick to OpenDNS and see if you can raise the whitelist limit. $20 isn't much for the whole year. You could probably find that much change on the street. Hint: Check the sofas at shoe stores. Not that I've done that or anything.

Okay I have.

Wesley
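To make the "set up your own internal DNS server and make your own whitelist" recommendation concrete, here is an added example (not code from the question or the answer above) of a minimal allow-list resolver in pure standard-library Python: any name that is not under an allowed domain gets an NXDOMAIN reply, and allowed names are forwarded unchanged to an upstream resolver. The allow-list, the upstream address and the listening port are constructed assumptions for the example. As the answer notes, this only enforces anything if the firewall blocks outbound port 53 from every host except the one running it; it does nothing against the hosts-file and DNS-over-HTTP bypasses mentioned in the comments.

```python
"""Allow-list DNS resolver: NXDOMAIN for everything not on the list.

Added example; stdlib only. Listens on UDP, forwards allowed queries to
UPSTREAM, answers everything else with RCODE 3 (NXDOMAIN).
"""
import socket
import struct

# Constructed allow-list for the example; replace with your own 100+ domains.
ALLOWED = {"example.com", "example.org"}
# Assumption: any recursive resolver the server itself is allowed to reach.
UPSTREAM = ("9.9.9.9", 53)


def is_allowed(qname: str, allowed=ALLOWED) -> bool:
    """True if qname equals or is a subdomain of an allowed domain.

    The leading dot in the suffix check matters: a bare endswith("example.com")
    would also admit "notexample.com".
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


def parse_question(packet: bytes):
    """Return (qname, offset just past the first question) from a raw query.

    Question names are never compressed in a standard query, so a pointer
    here is treated as malformed input.
    """
    pos = 12  # skip the 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos + 4  # skip QTYPE and QCLASS


def nxdomain_reply(query: bytes) -> bytes:
    """Build an NXDOMAIN response that echoes the client's question section."""
    _, end = parse_question(query)
    txid = query[:2]
    # QR=1, opcode 0, RD=1, RA=1, RCODE=3 (Name Error)
    flags = struct.pack(">H", 0x8183)
    counts = struct.pack(">HHHH", 1, 0, 0, 0)  # QDCOUNT=1, no answer records
    return txid + flags + counts + query[12:end]


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A/IN query (used to exercise the code offline)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack(">HH", 1, 1)


def handle(query: bytes, upstream=UPSTREAM) -> bytes:
    """Decide per query: forward if allowed, otherwise answer NXDOMAIN locally."""
    qname, _ = parse_question(query)
    if not is_allowed(qname):
        return nxdomain_reply(query)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(query, upstream)
        return s.recv(4096)


def serve(bind=("0.0.0.0", 5353)):
    """Serve forever. Port 5353 avoids needing root; production uses 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(bind)
        while True:
            data, client = srv.recvfrom(4096)
            try:
                srv.sendto(handle(data), client)
            except Exception as exc:  # malformed query or upstream timeout
                print(f"dropped query from {client}: {exc}")


if __name__ == "__main__":
    serve()
```

Point the LAN's DHCP-served DNS at this host, then restrict outbound UDP/TCP 53 at the firewall to this host only; without that second step clients simply ask another resolver and the allow-list is decorative.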