Block certain sites

mattrebel · February 12, 2017, 2:36pm

Dear pi-Hole team,

I’ve been looking into pi-Hole and love it so far, even told a friend of mine about it and and got him excited as well. But then he asked me if he could protect his kids from certain sites or subpages and I had to disappoint him. Would be brilliant if pi-Hole could do this for the entire network so he does not have to do this on every device.
He would for instance like to block “- YouTube, but not the entire youtube domain.

Request: Block a domain of subpages on the network.

Kind regards,
Matt

spacemonkey · February 12, 2017, 7:20pm

To filter specific URLs you would need a transparent proxy server like Squid. Pi-Hole is a DNS resolver that blocks whole domains and sub-domains.

jacob.salmela · February 12, 2017, 9:41pm

This is exactly right, but see below...

If Pi-hole was solely a DNS server, than this would be correct. However, Pi-hole also includes a Web server, which can actually handle the URLs. Here is an example that I have been experimenting with assuming adserver-us.adtech.advertising.com is a blocked domain.

By default, if you curl -I this domain, you get a response like this:

HTTP/1.1 200 OK
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Date: Sun, 12 Feb 2017 21:30:14 GMT
Server: lighttpd/1.4.35

And if you go directly to this domain, you will end up at the Pi-hole block page, which is the expected behavior.

If you go to a specific URL of that domain such as adserver-us.adtech.advertising.com/pubapi/3.0/10126.1/3891134/0/0/ADTECH;v=2;cmd=bid;cors=yes;alias=300c;misc=08098983434, you get the same results.

Now if you add the following to lighttpd.conf:

$HTTP["url"] =~ "^(/pubapi/).*" {
        url.redirect = ( "(.*)"  => "192.168.1.200"   )
}

If you curl just the domain again, you get the expected result, but if you curl a full URL of the domain, you get this:

HTTP/1.1 301 Moved Permanently
Location: 192.168.1.100
Date: Sun, 12 Feb 2017 21:58:18 GMT
Server: lighttpd/1.4.35

This shows that the redirect directive is working on the URL level and not the domain level. It would be difficult to make a rule for every part of a URL or domain and to get it to go to the right place...but like I said, I have just been experimenting with it.

So this request is out of scope for now, if not impossible.

Mcat12 · February 12, 2017, 10:26pm

Also, it would require that the domain be blocked so that the request is forwarded to the Pi-hole's web server.

spacemonkey · February 13, 2017, 8:32am

I have seen this used in a dns blocker package in pfsense, that reveals in it's log page, the url part of the blocked request, which imho is a privacy concern. I use Pi-Hole for it's simplicity - it is a lean, mean machine so to speak. It has made my internet noticeably faster.

Mcat12 · February 13, 2017, 12:04pm

You can also disable lighttpd's access log if you're concerned about privacy, because that logs all server access including blocked pages.

telekrmor · February 13, 2017, 2:27pm

Yeah, you would almost need a second Pi-hole to just forward it upstream. But again, it's totally experimental and theoretical--just fun to think about.