Solved block youtube unbound

Rhadamanthys

Member

Reaction score: 12
Messages: 26

Searching this forum I've seen a number of ways to block youtube using unbound DNS. Problem is, it seems the methods are outdated. When I try the "local-zone "something" static" thing, I receive a syntax error upon trying to restart the service. I'm on FreeBSD 11 and using dns/unbound. Can someone point me to the right syntax to achieve this? Thank you for your time. Sorry about the English, not my primary language.
 

OJ

Daemon

Reaction score: 290
Messages: 1,087

I suggest you just use your /etc/hosts file. Like this:
Code:
127.0.0.1 youtube.com
For whole lan results use a hosts file with dnsmasq in your router.
 

getopt

Aspiring Daemon

Reaction score: 352
Messages: 584

If Unbound is used I'd not use /etc/hosts.

Instead use local-zone entries in unbound.conf for a few entries, or a separate include file which can hold tens of thousands of entries without a performance penalty.

Valid local-zone definition for blocking the complete domain:
Code:
local-zone: "youtube.com" static
Search for "local-zone" in unbound.conf(5).

If this does not work post your unbound.conf for a review.
 

obsigna

Aspiring Daemon

Reaction score: 531
Messages: 909

As getopt said, use the following directive local-zone: "youtube.com" static. As an additional note, this needs to be placed on a line BEFORE any forwarder directives, like forward-zone: or include: /var/unbound/forward.conf. You also want to deny any traffic on port 53 from your LAN to the internet, so all clients are forced to use your unbound DNS server.

ipfw example:
ipfw add 1000 deny ip from not me to any dst-port 25,53 out xmit $WAN
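Two things in the replies above are easy to get wrong by hand: keeping a large include file of local-zone lines tidy (getopt), and making sure those lines, or the include: that pulls them in, sit inside server: and before forward-zone: (obsigna). The script below is an added example for this thread, not code from the posts or from the Unbound project. BLOCKLIST_PATH, the sample config text and the domain list are assumptions chosen for illustration; the clause-order check is a line-oriented approximation of how unbound.conf is parsed, not Unbound's own parser.

```python
"""Build an Unbound blocklist include file and lint unbound.conf clause order.

Added example for this thread, not code from the posts or the Unbound
project. BLOCKLIST_PATH and the sample config below are assumptions.
"""
import re

# Assumed location of the generated include file; adjust to your layout.
BLOCKLIST_PATH = "/var/unbound/conf.d/blocklist.conf"

# Clauses that start a new top-level section of unbound.conf (not exhaustive).
# Once one of these other than server:/view: has started, a local-zone: line
# is no longer inside server: and Unbound rejects it as a syntax error.
TOP_CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view",
               "remote-control", "python", "cachedb", "dnscrypt"}
KEY_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$", re.I)
NAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalize(domain):
    """Lower-case, strip trailing dot and comments; None for blank lines."""
    d = domain.split("#", 1)[0].strip().lower().rstrip(".")
    if not d:
        return None
    if not NAME_RE.match(d):
        raise ValueError(f"not a usable zone name: {domain!r}")
    return d


def prune_covered(domains):
    """Drop names already covered by a parent in the list: a static
    local-zone answers NXDOMAIN for the zone and every name below it, so
    m.youtube.com is redundant once youtube.com is blocked."""
    kept = []
    for d in sorted(set(domains), key=lambda s: (s.count("."), s)):
        if not any(d == p or d.endswith("." + p) for p in kept):
            kept.append(d)
    return sorted(kept)


def render_blocklist(domains):
    """One 'local-zone: "<name>" static' line per surviving domain."""
    names = [n for n in (normalize(x) for x in domains) if n]
    return "".join(f'local-zone: "{d}" static\n' for d in prune_covered(names))


def write_blocklist(domains, path=BLOCKLIST_PATH):
    with open(path, "w") as fh:
        fh.write(render_blocklist(domains))


def check_clause_order(conf_text, blocklist_path=BLOCKLIST_PATH):
    """Return (line, keyword, clause) for every local-zone:/local-data: line,
    or include: of the blocklist, that sits outside server:/view:.
    include: is spliced in where it appears, so including the blocklist
    after forward-zone: fails the same way a bare local-zone: would."""
    problems = []
    clause = None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key in TOP_CLAUSES:
            clause = key
        elif key in ("local-zone", "local-data") or (
                key == "include" and value == blocklist_path):
            if clause not in ("server", "view"):
                problems.append((lineno, key, clause or "no clause"))
    return problems


if __name__ == "__main__":
    # Constructed sample input: a small list with one redundant subdomain.
    print(render_blocklist(["youtube.com", "m.youtube.com", "example.net"]))
    # Constructed config that reproduces the "syntax error" from the first post:
    # the local-zone: line lands inside forward-zone: instead of server:.
    broken = ('server:\n  interface: 127.0.0.1\nforward-zone:\n  name: "."\n'
              '  forward-addr: 192.0.2.53\n  local-zone: "youtube.com" static\n')
    for lineno, key, clause in check_clause_order(broken):
        print(f"line {lineno}: {key}: appears inside {clause}, move it into server:")
```

Run it against your real unbound.conf with `check_clause_order(open("/var/unbound/unbound.conf").read())` before restarting the service; after writing the include file, `unbound-checkconf` remains the authoritative test.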
 

ronaldlees

Aspiring Daemon

Reaction score: 309
Messages: 733

Getopt and obsigna gave good information about using unbound. In this case, their suggestion is to block the whole Google domain (i.e. you won't have Google Mail, Google search, etc). This is all caused by the unfortunate fact that on Youtube, Google is using DNS as a video locator service that is quite fine grained. So, there are "pseudo" GUIDs associated with DNS names that need to be resolved in order to view Youtube videos. IMO if you take a sample of twenty videos, likely each of them will require the resolution of an additional domain name, with a "pseudo" guid style naming scheme. That's been my experience. I don't know if the guids refer to servers or videos, but I have yet to find a video URL that didn't have a unique domain name, maybe because I don't view that many videos.

Anyway, about the only remedy is a complete domain block, or a store-and-firewall DNS sort of technique, keeping only the desired subdomains in the cache. I don't think the builders of DNS meant for it to work at the file level, but rather at the server level. :(

Again, I'm not sure which of those (server level/file level) it is for the videos, because Google has a lot of servers. If I'd bother to look at the source, I could tell. It's real fine-grained though, so a PITA to deal with. The average computer user pays no attention whatsoever to DNS, but right now it's becoming something it wasn't before ...
 

obsigna

Aspiring Daemon

Reaction score: 531
Messages: 909

Getopt and obsigna gave good information about using unbound. In this case, their suggestion is to block the whole Google domain (i.e. you won't have Google Mail, Google search, etc). ...
No, you're wrong, our suggestion only takes care of youtube.com and all of its subdomains.
Google.com and all of its subdomains continue working as usual:
Code:
root@aeonova:~ # drill youtube.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 24696
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; youtube.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon May 22 15:03:37 2017
;; MSG SIZE  rcvd: 29
Code:
root@aeonova:~ # drill mail.google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 38577
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mail.google.com.    IN    A

;; ANSWER SECTION:
mail.google.com.    604800    IN    CNAME    googlemail.l.google.com.
googlemail.l.google.com.    300    IN    A    74.125.69.19
googlemail.l.google.com.    300    IN    A    74.125.69.17
googlemail.l.google.com.    300    IN    A    74.125.69.18
googlemail.l.google.com.    300    IN    A    74.125.69.83

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 285 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon May 22 15:03:55 2017
;; MSG SIZE  rcvd: 124
Code:
root@aeonova:~ # drill google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 47351
;; flags: qr rd ra ; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.    IN    A

;; ANSWER SECTION:
google.com.    300    IN    A    74.125.69.139
google.com.    300    IN    A    74.125.69.113
google.com.    300    IN    A    74.125.69.100
google.com.    300    IN    A    74.125.69.102
google.com.    300    IN    A    74.125.69.138
google.com.    300    IN    A    74.125.69.101

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 27 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon May 22 15:04:30 2017
;; MSG SIZE  rcvd: 124
Code:
root@aeonova:~ # drill www.google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7249
;; flags: qr rd ra ; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.google.com.    IN    A

;; ANSWER SECTION:
www.google.com.    300    IN    A    74.125.69.99
www.google.com.    300    IN    A    74.125.69.105
www.google.com.    300    IN    A    74.125.69.147
www.google.com.    300    IN    A    74.125.69.103
www.google.com.    300    IN    A    74.125.69.104
www.google.com.    300    IN    A    74.125.69.106

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 27 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon May 22 15:04:36 2017
;; MSG SIZE  rcvd: 128
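The drill transcripts above are the right way to confirm the block, and the pattern they show (NXDOMAIN with the aa flag and an empty answer section for the blocked zone, NOERROR with A records for everything else) can be checked automatically whenever the blocklist changes. The script below is an added example, not code from the thread. The two sample transcripts are abridged copies of the output posted above, embedded so the parser runs offline; query() assumes drill(1) is installed and the resolver listens on 127.0.0.1, and check_policy() is a helper invented for this example.

```python
"""Check that the local resolver blocks youtube.com while google.com still
resolves, by parsing drill(1) output the way the thread's transcripts show it.

Added example, not code from the thread. The two sample transcripts are
abridged copies of the drill output posted above; query() assumes drill is
installed and the resolver listens on 127.0.0.1.
"""
import re
import subprocess

RCODE_RE = re.compile(r"rcode: (\w+)")
FLAGS_RE = re.compile(r"flags: ([a-z ]*);")
ANSWERS_RE = re.compile(r"ANSWER: (\d+)")
A_RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$", re.M)

# Abridged from the transcripts in the post above (header + answer lines).
SAMPLE_BLOCKED = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 24696
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; youtube.com.    IN    A

;; ANSWER SECTION:
"""
SAMPLE_ALLOWED = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 47351
;; flags: qr rd ra ; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.    IN    A

;; ANSWER SECTION:
google.com.    300    IN    A    74.125.69.139
google.com.    300    IN    A    74.125.69.113
google.com.    300    IN    A    74.125.69.100
google.com.    300    IN    A    74.125.69.102
google.com.    300    IN    A    74.125.69.138
google.com.    300    IN    A    74.125.69.101
"""


def parse_drill(output):
    """Extract rcode, header flags, the ANSWER count and any A records."""
    rcode = RCODE_RE.search(output)
    flags = FLAGS_RE.search(output)
    answers = ANSWERS_RE.search(output)
    if not (rcode and flags and answers):
        raise ValueError("unrecognised drill output")
    return {
        "rcode": rcode.group(1),
        "flags": flags.group(1).split(),
        "answers": int(answers.group(1)),
        "addresses": [m.group(2) for m in A_RECORD_RE.finditer(output)],
    }


def is_blocked(result):
    """A static local-zone with no local-data answers NXDOMAIN, marked
    authoritative (aa), with an empty answer section. Requiring aa separates
    a local block from an upstream NXDOMAIN for a name that simply does not exist."""
    return (result["rcode"] == "NXDOMAIN" and result["answers"] == 0
            and "aa" in result["flags"])


def query(name, server="127.0.0.1"):
    """Run drill against the given resolver and parse its output (assumes drill)."""
    proc = subprocess.run(["drill", name, "@" + server, "A"],
                          capture_output=True, text=True, check=True)
    return parse_drill(proc.stdout)


def check_policy(expect_blocked, expect_allowed, query_fn=query):
    """Return human-readable failures; an empty list means the policy holds."""
    failures = []
    for name in expect_blocked:
        if not is_blocked(query_fn(name)):
            failures.append(f"{name} should be blocked")
    for name in expect_allowed:
        r = query_fn(name)
        if r["rcode"] != "NOERROR" or r["answers"] == 0:
            failures.append(f"{name} should resolve, got {r['rcode']} with {r['answers']} answers")
    return failures


def sample_query(name):
    """Offline stand-in for query() that replays the transcripts above."""
    return parse_drill({"youtube.com": SAMPLE_BLOCKED, "google.com": SAMPLE_ALLOWED}[name])


if __name__ == "__main__":
    for line in check_policy(["youtube.com"], ["google.com"]) or ["policy holds"]:
        print(line)
```

Pass `query_fn=sample_query` to exercise the checker without a resolver; with the default query() it runs drill against 127.0.0.1, which only tells you the truth if the ipfw rule from earlier in the thread actually forces LAN clients through that resolver.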
 