This simple approach provides access only to whitelisted web sites. It does this by not performing DNS lookups. The methods used to block domains may be easily circumvented by those with a little knowledge and skill. I set up this whitelist in order to block my thirteen year old who lost electronic privileges for two weeks but still needed to access some sites for schoolwork.
A Raspberry Pi set up as a WiFi Access Point by following the Raspberry Pi 3 as a Simple WiFi Access Point. A Raspberry Pi 2 may also be used.
|Hostapd, Dnsmasq, and Iptables forwarding must be setup and working.|
Only configuration changes to dnsmasq are needed. Each configuration change requires a reload,
sudo service dnsmasq force-reload.
sudo nano /etc/dnsmasq.conf to:
interface=wlan0 # Use interface wlan0 listen-address=192.168.220.1 # Specify the address to listen on bind-interfaces # Bind to the interface # REMOVE server=184.108.40.206 domain-needed # Don't forward short names bogus-priv # Drop the non-routed address spaces. dhcp-range=192.168.220.50,192.168.220.150,12h # IP range and lease time # REMOVE server=220.127.116.11 # NEW ITEMS # Don't resolve any DNS, Blacklist all no-resolv # Log all queries to /var/log/daemon.log - optional but helpful log-queries # Whitelist domains to DNS lookup # uses opendns nameservers, substitute your choice # google nameservers are 18.104.22.168 and 22.214.171.124 # opendns nameservers are 126.96.36.199 and 188.8.131.52 server=/google.com/184.108.40.206 server=/google.com/220.127.116.11 server=/googleapis.com/18.104.22.168 server=/googleapis.com/22.214.171.124 server=/gstatic.com/126.96.36.199 server=/gstatic.com/188.8.131.52 server=/googleusercontent.com/184.108.40.206 server=/googleusercontent.com/220.127.116.11 server=/cpm.com/18.104.22.168 server=/cpm.com/22.214.171.124 server=/trello.com/126.96.36.199 server=/trello.com/188.8.131.52 server=/slack.com/184.108.40.206 server=/slack.com/220.127.116.11 # Needed if using opendns nameservers server=/opendns.com/18.104.22.168 server=/opendns.com/22.214.171.124 # Direct all other domains to address=/#/127.0.0.1
This will likely block a lot of domains that may be needed. While trying to use the whitelisted client, scan the logfile with
tail -F /var/log/daemon.log (CTRL-c quits). Add any needed domains to the whitelist.
The whitelist will block many domains including those needed to update the pi. To easily get around this, I made 2 dnsmasq.confs. One named dnsmasq.conf.lockdown which is shown above and the other named dnsmasq.conf.open shown in the Raspberry Pi 3 as a Simple WiFi Access Point.
To switch simply:
sudo cp /etc/dnsmasq.conf.lockdown /etc/dnsmasq.conf
sudo cp /etc/dnsmasq.conf.open /etc/dnsmasq.conf
sudo service dnsmasq restart
I find dnsutils useful for troubleshooting,
sudo apt-get install dnsutils