A simple DNS domain whitelister using Dnsmasq on a Raspberry Pi.
Overview
This simple approach provides access only to whitelisted web sites. It does this by not performing DNS lookups. The methods used to block domains may be easily circumvented by those with a little knowledge and skill. I set up this whitelist in order to block my thirteen year old who lost electronic privileges for two weeks but still needed to access some sites for schoolwork.
Requirements
A Raspberry Pi set up as a WiFi Access Point by following the Raspberry Pi 3 as a Simple WiFi Access Point. A Raspberry Pi 2 may also be used.
Hostapd, Dnsmasq, and Iptables forwarding must be setup and working. |
Dnsmasq
Only configuration changes to dnsmasq are needed. Each configuration change requires a reload, sudo service dnsmasq force-reload
.
Edit sudo nano /etc/dnsmasq.conf
to:
interface=wlan0 # Use interface wlan0
listen-address=192.168.220.1 # Specify the address to listen on
bind-interfaces # Bind to the interface
# REMOVE server=8.8.8.8
domain-needed # Don't forward short names
bogus-priv # Drop the non-routed address spaces.
dhcp-range=192.168.220.50,192.168.220.150,12h # IP range and lease time
# REMOVE server=8.8.8.8
# NEW ITEMS
# Don't resolve any DNS, Blacklist all
no-resolv
# Log all queries to /var/log/daemon.log - optional but helpful
log-queries
# Whitelist domains to DNS lookup
# uses opendns nameservers, substitute your choice
# google nameservers are 8.8.8.8 and 8.8.4.4
# opendns nameservers are 208.67.222.222 and 208.67.220.220
server=/google.com/208.67.222.222
server=/google.com/208.67.220.220
server=/googleapis.com/208.67.222.222
server=/googleapis.com/208.67.220.220
server=/gstatic.com/208.67.222.222
server=/gstatic.com/208.67.220.220
server=/googleusercontent.com/208.67.222.222
server=/googleusercontent.com/208.67.220.220
server=/cpm.com/208.67.222.222
server=/cpm.com/208.67.220.220
server=/trello.com/208.67.222.222
server=/trello.com/208.67.220.220
server=/slack.com/208.67.222.222
server=/slack.com/208.67.220.220
# Needed if using opendns nameservers
server=/opendns.com/208.67.222.222
server=/opendns.com/208.67.220.220
# Direct all other domains to
address=/#/127.0.0.1
This will likely block a lot of domains that may be needed. While trying to use the whitelisted client, scan the logfile with tail -F /var/log/daemon.log
(CTRL-c quits). Add any needed domains to the whitelist.
Easily switch
The whitelist will block many domains including those needed to update the pi. To easily get around this, I made 2 dnsmasq.confs. One named dnsmasq.conf.lockdown which is shown above and the other named dnsmasq.conf.open shown in the Raspberry Pi 3 as a Simple WiFi Access Point.
To switch simply:
-
Lockdown,
sudo cp /etc/dnsmasq.conf.lockdown /etc/dnsmasq.conf
-
Open
sudo cp /etc/dnsmasq.conf.open /etc/dnsmasq.conf
-
Restart dnsmasp,
sudo service dnsmasq restart
DNS Utilities
I find dnsutils useful for troubleshooting, sudo apt-get install dnsutils