
ZacharyFaddis

June 26, 2018, 6:50 p.m.

Block Websites On Your Local Network with DNS, or Why I Can’t Trust Myself

The Impetus

I am becoming increasingly convinced that, despite the appearance of unity owing to the fact that we occupy the same meat bag, my mind is actually composed of at least two fairly distinct entities.

The first is a somewhat rational and evolved, adult human being. He is capable of complex problem solving and long-term planning. He has hopes and dreams that extend far into the future. This is the person I try to present to the world and to describe whenever someone asks about me. Unfortunately, he only seems to come to the forefront whenever a crisis necessitates him or when I am trying to project my intentions into the future.

The Other is a much more primordial creature. He exists as an emergent property of a million different subprocesses within my psyche, all vying for expression in the physical world. He enjoys passive consumption and effortless entertainment. The internet, that fire hose of easily consumable information, is his heroin. This is the animal that is in control far too often, whose insane and never-ending desires I spend much of my time fulfilling, with the far-fetched hope that once I do this thing, then I will finally be able to get some real work done.

For a long time I thought that beating him, this Other me, was merely a matter of brute will: that if I wasn't winning it was because I lacked the mental fortitude and just needed to try harder, and that I could reap the benefits of technology and our modern world without being tempted by its pitfalls, many engineered specifically to titillate our Others.

I have since realized this makes about as much sense as preparing to hunt a bear by signing up at a gym. We have not triumphed over the natural world because we are stronger, faster, or possess much of any physical advantage. Instead we have outwitted our opponents, being proactive when they could only ever be reactive. We should apply this same thinking to our inner animals.

To this end I have begun redesigning my life to anticipate and remove the many temptations that would cause my Other to veer us from my intended course. I have removed my TV, uninstalled Steam, and canceled my Netflix subscription. I have also started to implement commitment devices to try and force my Other to act in my long-term interests even when I'm not in control. The essential goal is to make it as convenient as possible to act in accord with my goals and values, and as inconvenient as possible to do the opposite.

A further step I'm taking, and what the rest of this post will be about, is using DNS to block certain websites on your local network.

The Process

Prereqs and Basic Knowledge

DNS stands for Domain Name System. It is the networking protocol that turns the domain name you type in your browser into an IP address, which your computer then uses to connect to the web server. By routing all DNS traffic through a DNS server you maintain, you can set up rules that make chosen websites resolve to an IP address of your choosing instead of their real one. We will be using a software package which implements DNS, called Bind9.

Any computer can be turned into a server. For our purposes you will want your server to be a computer meant to always be on, i.e. a desktop, because if it gets turned off or disconnected from your network then DNS will stop working for your entire LAN (Local Area Network). This tutorial assumes your computer is running Debian 9. It should be the same for any recent Debian or Ubuntu release, and it should also work for other Linux distributions, except that some files may be named differently and the package manager is likely something else. If you're running Windows or Mac OS, I have no advice for you other than to install a Linux distribution. The mere fact that you're willing to read an article about DNS suggests that you would likely benefit from it.

Installing and configuring DNS Server

The first step is to install Bind9. To do this you simply run the following command as root:

apt-get install bind9

After this is done we will want to open /etc/bind/named.conf.options in your preferred text editor and edit it to look like the following. Everything will be explained afterwards.

acl goodclients {
    localnets;
    localhost;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    forward only;

    dnssec-enable yes;
    dnssec-validation yes;

    auth-nxdomain no;
    listen-on-v6 { any; };
};

The acl goodclients block defines a group of machines. In our case it contains our own machine (localhost) and the machines on our local subnets (localnets). When we hand that group to allow-query we tell the DNS server to answer queries only from those machines, so it cannot be used as an open resolver by anyone on the internet.

We set recursion to yes so that our server performs recursive lookups on behalf of those clients, talking to other DNS servers to find the answers it doesn't have itself.

In forwarders we give the IP addresses of two of Google's DNS servers. These are the machines we hand DNS requests off to for any domain that isn't in the small set of domains we care about. Any DNS server will do; I chose Google's for their popularity and reliability.

The next step is to add zone entries to /etc/bind/named.conf.options (Debian's convention is to keep local zones in /etc/bind/named.conf.local, which named.conf also includes; either file works):

zone "youtube.com" {
    type master;
    file "/etc/bind/db.block";
};

zone "reddit.com" {
    type master;
    file "/etc/bind/db.block";
};

For each website that you want to block you will have to create a zone entry, with the name of the website in quotation marks after zone. Here I called the forward zone file db.block, which we will create in just a minute, but the name is arbitrary and could be anything you want. This makes your server the authoritative source for these domains: it answers for them itself instead of forwarding the query.

Now we have only to create and configure our forward zone file.

To do this we will use db.local as a template.

cp /etc/bind/db.local /etc/bind/db.block

Then we will edit db.block to look like the following:

;
; BIND data file for local blocked website
;
$TTL	604800
@	IN	SOA	localhost. root.localhost. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;name servers
@	IN	NS	localhost.

;A records
@	IN	A	174.138.40.111

The only things we're adding to the file are a name server (NS) record and an A (address) record. The NS record says that we are the authoritative name server for the zone, and the A record says which IP address the domain name resolves to. In this case I provided the IP address of the server that hosts this blog. In most cases the address won't matter much: as long as the website you're trying to reach uses HTTPS, the certificate the server presents won't match the blocked domain and the browser will show a warning page instead.
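Since every blocked site needs its own zone entry, and the zone file is the same for all of them, it is easy to generate both from a list. The following Python script is an added example, not part of the original post; the BLOCKLIST entries and the function names are my own, and the output mirrors the named.conf stanzas and db.block shown above.

```python
import ipaddress
import re

# Constructed block list; the post's own entries are youtube.com and reddit.com.
# Mixed case, stray whitespace and a trailing dot are included to show normalization.
BLOCKLIST = ["youtube.com", "Reddit.com.", "  youtube.com "]

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(name):
    """Lowercase, trim, drop a trailing dot; reject names BIND would refuse to load."""
    dom = name.strip().lower().rstrip(".")
    labels = dom.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"not a usable domain name: {name!r}")
    return dom


def zone_stanzas(domains, zone_file="/etc/bind/db.block"):
    """Return one zone {} block per unique domain, all pointing at the same sinkhole file."""
    uniq = sorted({normalize_domain(d) for d in domains})
    return "".join(
        f'zone "{dom}" {{\n    type master;\n    file "{zone_file}";\n}};\n\n'
        for dom in uniq
    )


def sinkhole_zone(sink_ip, serial):
    """Return db.block contents: SOA and NS on localhost plus an apex A record for sink_ip."""
    ip = ipaddress.IPv4Address(sink_ip)  # raises ValueError on a malformed address
    return (
        "$TTL\t604800\n"
        "@\tIN\tSOA\tlocalhost. root.localhost. (\n"
        f"\t\t\t{serial}\t; Serial\n"
        "\t\t\t604800\t; Refresh\n"
        "\t\t\t86400\t; Retry\n"
        "\t\t\t2419200\t; Expire\n"
        "\t\t\t604800 )\t; Negative Cache TTL\n"
        "; name servers\n"
        "@\tIN\tNS\tlocalhost.\n"
        "; A records\n"
        f"@\tIN\tA\t{ip}\n"
    )


if __name__ == "__main__":
    print(zone_stanzas(BLOCKLIST))
    print(sinkhole_zone("174.138.40.111", 2))
```

Redirect the two outputs into the config file and db.block respectively, then run named-checkconf as described below.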

Once you have all this, the only thing left to do on your server is check your configuration and restart the DNS service.

named-checkconf
service bind9 restart

Configure your network

The last thing you have to do to make this work is to change your router settings. Namely, you will need to do two things.

  1. Give your DNS server a fixed IP on the network, so that it doesn't change every time its DHCP-assigned lease expires
  2. Change your DNS settings so that the router tells every machine that connects to it to use your new DNS server instead of your ISP's DNS

All routers are different, so I can't give you specific instructions on how to do this, but it will be through a GUI rather than by editing config files. It is also possible that the router doesn't let you do one or both of these things. This is especially likely if your router was given to you by your ISP. If this is the case you will have a much harder time, because you will have to configure the DNS settings of every machine where you want the domains blocked.

Further Reading

Digital Ocean - An Introduction To Managing DNS

This is the best DNS resource I've been able to find on the internet. Much of the information here was taken from that site; I just condensed it and presented it as a straightforward tutorial to solve a specific problem.

Final Thoughts

The main point of doing this is to make it inconvenient to get to websites that waste your time. It will likely not be effective against determined employees or children who want to access something. For one, they could just figure out the IPs from an outside network and then type those into the browser. Although, the process may be a fun and useful exercise as it will force them, and likely you, to learn about computer networking as you both engage in increasingly complex methods to circumvent one another.

This is the first article of my new blog. It has what I consider to be the minimum viable interestingness needed to be worthy of publishing. Hopefully future posts will showcase more interesting projects, although I do like the format of interspersing technical projects with my own musings. It shows the human ends which the technical means accomplishes. Maybe that will be my niche!

Anyway please email zach@zfadd.is if you have any questions, comments, or feedback. I’d love to hear it. The comment system should be up soon.

Zacharius

June 26, 2018, 6:51 p.m.

First!