June 26, 2018, 6:50 p.m.

Block Websites On Your Local Network with DNS, or Why I Can’t Trust Myself

The Impetus

I am becoming increasingly convinced that, despite the appearance of unity owing to the fact that we occupy the same meat bag, my mind is actually composed of at least two fairly distinct entities.

The first is a somewhat rational and evolved, adult human being. He is capable of complex problem solving and long-term planning. He has hopes and dreams that extend far into the future. This is the person I try to present to the world and to describe whenever someone asks about me. Unfortunately, he only seems to come to the forefront whenever a crisis necessitates him or when I am trying to project my intentions into the future.

The Other is a much more primordial creature. He exists as an emergent property of a million different sub-processes within my psyche, all vying for expression in the physical world. He enjoys passive consumption and effortless entertainment. The internet, that fire hose of easily consumable information, is his heroin. This is the animal that is in control far too often, whose insane and never-ending desires I spend much of my time fulfilling, with the far-fetched hope that once I do this thing, then I will finally be able to get some real work done.

For a long time I thought that my beating him, this Other me, was merely a matter of brute will. That if I wasn’t winning it was because I lacked the mental fortitude and just needed to try harder. That I could reap the benefits of technology and our modern world without being tempted by its pitfalls, many engineered specifically to titillate our Others.

I have since realized this makes about as much sense as preparing to hunt a bear by signing up to a gym. We have not triumphed over the natural world because we are stronger, faster, or possess much of any physical advantage. Instead we have outwitted our opponents, being proactive when they could only ever be reactive. We should apply this same thinking to our inner animals.

To this end I have begun redesigning my life to anticipate and remove the many temptations that would cause my Other to veer us from my intended course. I have removed my TV, uninstalled Steam, and canceled my Netflix subscription. I have also started to implement commitment devices to try and force my Other to act in my long-term interests even when I'm not in control. The essential goal is to make it as convenient as possible to act in accord with my goals and values, and as inconvenient as possible to do the opposite.

A further step I'm taking, and what the rest of this post will be about, is using DNS to block certain websites on my local network.

The Process

Prereqs and Basic Knowledge

DNS stands for Domain Name Resolution, which is a networking protocol to transform the domain name you type in your browser into an IP address which your computer can use to connect you to a web server. By routing all DNS traffic through a DNS server you maintain, you can set up rules which make websites resolve to the wrong IP address. We will be using a software package which implements DNS, called Bind9.

Any computer can be turned into a server. For our purposes you will want your server to be a computer meant to always be on, i.e. a desktop, because if it gets turned off or disconnected from your network then DNS will stop working for your entire LAN (Local Area Network). This tutorial will be done assuming your computer is running Debian 9. It should be the same for any recent Debian or Ubuntu distribution. It should also work for other Linux distributions, except some files may be named differently and the package manager is likely something else. If you're running Windows or Mac OS, I have no advice for you other than to install a Linux distribution. The mere fact that you're willing to read an article about DNS suggests that you would likely benefit from it.

Installing and configuring DNS Server

The first step is to install Bind9. To do this you simply run the following command as root:

apt-get install bind9

After this is done, open /etc/bind/named.conf.options in your preferred text editor and edit it to look like the following. Everything will be explained afterwards.

acl goodclients {
	localhost;		// this machine
	192.168.1.0/24;		// placeholder: replace with your own LAN subnet
};

options {
	directory "/var/cache/bind";

	recursion yes;
	allow-query { goodclients; };

	forwarders {
		8.8.8.8;	// Google public DNS
		8.8.4.4;
	};
	forward only;

	dnssec-enable yes;
	dnssec-validation yes;

	auth-nxdomain no;	// conform to RFC 1035
	listen-on-v6 { any; };
};

The acl goodclients block defines a group of machines. In our case we put our own machine and the machines on our local subnet in it. When we give this group to allow-query we are telling the DNS server to only accept queries from those machines.

We set recursion to yes so that our server will query other name servers on behalf of its clients.

In forwarders we give the IP addresses of two of Google's DNS servers. These are the machines we hand DNS requests off to for any domain that isn't part of the small subset of domains we care about. Any DNS server will do; I chose Google's for their popularity and reliability.

The next step is to edit /etc/bind/named.conf.options:

// placeholder domains: replace each with a website you want blocked
zone "example.com" {
     type master;
     file "/etc/bind/db.block";
};

zone "example.net" {
     type master;
     file "/etc/bind/db.block";
};

For each website that you want to block you will have to create a zone entry, with the website you want blocked in quotes after zone. Here I called the forward zone file db.block, which we will create in just a minute, but the name is arbitrary and could be anything you want. This will make your computer the authoritative source for these websites.

Now we have only to create and configure our forward zone file. To do this we will use db.local as a template:

cp /etc/bind/db.local /etc/bind/db.block

Then we will edit db.block to look like the following:

; BIND data file for local blocked website
$TTL	604800
@	IN	SOA	localhost. root.localhost. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;name servers
@	IN	NS	localhost.

;A records
; placeholder address: the author used the IP of his own web server here
@	IN	A	192.0.2.1

The only things we're adding to the file are a name server record and an A, or authoritative, record. The NS record tells Bind that we're the authoritative source and the A record tells it where to find the website. In this case I provided the IP address of the server that houses this website. In the majority of cases though, this won't matter much, because as long as the website you want to go to uses HTTPS, the browser will know the certificate is wrong and will serve us a warning page instead.

Once you have all this, the only thing left to do on your server is to check your configuration and restart the DNS service:

service bind9 restart
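The server-side steps above, as an added example that is not the post's own code: a small POSIX shell script that generates the zone stanzas and the shared sinkhole zone file for any number of domains, and runs BIND's own syntax checkers (named-checkzone, named-checkconf) before the server is reloaded, so a typo never takes down DNS for the whole LAN. It goes slightly beyond the post by adding a wildcard A record, so www. and other subdomains of a blocked site are caught too. The output file named.conf.block, the sink address 127.0.0.1 and the domain names are assumptions; named.conf.local needs an include line for the generated file.

```shell
#!/bin/sh
# Added example, not the original post's code. Generates the per-domain zone
# stanzas and the shared sinkhole zone file for any number of domains, then
# runs BIND's own syntax checkers before the running server is touched.
# The zone-file path, sink address and domain names are assumptions.

ZONE_FILE="/etc/bind/db.block"    # assumed, same path as in the post

# Print one zone stanza per domain; all of them share the same zone file.
gen_zone_stanzas() {
    for d in "$@"; do
        printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n};\n' "$d" "$ZONE_FILE"
    done
}

# Print the sinkhole zone file. $1 is the address blocked names resolve to,
# $2 the SOA serial (it must increase on every edit or BIND keeps serving the
# old data). The wildcard A record also answers for www., m. and other subdomains.
gen_zone_file() {
    sink="$1"; serial="$2"
    printf '; BIND data file for locally blocked websites (generated)\n'
    printf '$TTL\t604800\n'
    printf '@\tIN\tSOA\tlocalhost. root.localhost. (\n'
    printf '\t\t%s\t; Serial\n\t\t604800\t; Refresh\n\t\t86400\t; Retry\n' "$serial"
    printf '\t\t2419200\t; Expire\n\t\t604800 )\t; Negative Cache TTL\n'
    printf ';name servers\n@\tIN\tNS\tlocalhost.\n'
    printf ';A records\n@\tIN\tA\t%s\n*\tIN\tA\t%s\n' "$sink" "$sink"
}

# Run named-checkzone ($1 = one of the zone names, $2 = zone file) and
# named-checkconf when BIND is installed. Returns non-zero on a syntax error,
# so a broken file is caught before the reload instead of by every client.
check_config() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" >/dev/null && named-checkconf
    else
        echo "BIND checkers not installed; skipping syntax check" >&2
    fi
}

# Usage: sh block.sh DOMAIN...  (writes the files, checks them, then reloads).
# Nothing runs when no domains are given, so the functions can be sourced alone.
if [ $# -gt 0 ]; then
    gen_zone_stanzas "$@" > /etc/bind/named.conf.block
    gen_zone_file 127.0.0.1 "$(date +%Y%m%d01)" > "$ZONE_FILE"
    check_config "$1" "$ZONE_FILE" && rndc reload
fi
```

Add `include "/etc/bind/named.conf.block";` to /etc/bind/named.conf.local once, and re-run the script whenever the block list changes.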

Configure your network

The last thing you have to do to make this work is to change your router settings. Namely, you will need to do two things.

  1. Give your DNS server a fixed IP on the network, so that it doesn't change every time its DHCP lease expires
  2. Change your DNS settings so that the router hands out your new DNS server to every machine it serves, instead of your ISP's DNS

All routers are different, so I can't give you specific instructions on how to do this, but it will be through a GUI instead of editing config files. It is also possible that the router doesn't let you do one or both of these things. This is especially likely if your router was given to you by your ISP. If this is the case you will have a much harder time, because you will have to configure the DNS settings of every machine on which you want the domains blocked.

Further Reading

Digital Ocean - An Introduction To Managing DNS

This is the best DNS resource I’ve been able to find on the internet. Much of the information was taken from this website, I just condensed it and presented it as a straightforward tutorial to solve a specific problem.

Final Thoughts

The main point of doing this is to make it inconvenient to get to websites that waste your time. It will likely not be effective against determined employees or children who want to access something. For one, they could just figure out the IPs from an outside network and then type those into the browser. That said, the process may be a fun and useful exercise, as it will force them, and likely you, to learn about computer networking as you both engage in increasingly complex methods to circumvent one another.

This is the first article of my new blog. It has what I consider to be the minimum viable interestingness needed to be worthy of publishing. Hopefully future posts will showcase more interesting projects, although I do like the format of interspersing technical projects with my own musings. It shows the human ends which the technical means accomplishes. Maybe that will be my niche!

Anyway, please email me if you have any questions, comments, or feedback. I'd love to hear it. The comment system should be up soon.