Facebook / alternate blocking approach / could it work?

I don’t want to interrupt our regex discussion, so opening a new topic for this (crazy?) idea
@msatter, @Bucking_Horn, @mmotti

We are trying to block the Zuckerberg s**t, he doesn’t get our data…

I noticed all of the NS servers, handling the domains we are trying to block, using regex or blocklist, are the same:

Since we are all using unbound, I was wondering, if it would not be possible to let unbound be responsible for the domain facebook.com (act as NS server) and reply all queries with either (A) and :: (AAAA) OR NXDOMAIN. Since we are only dealing with port 53 DNS lookups, there are no certificats or anything else that would prevent this (I think).

I remember (but NOT where) @msatter was doing something like that when the first CNAME discussion appeared, it may not be applicable here.

Your thoughts please.

It’s an interesting idea, however I do not use Unbound (or Pi-hole at present), so I’m unsure of the inner workings.

If it did work, it may be a good example for power users, but I think the most effective way for the majority of people will be one or multiple regexps.

With unbound this is possible if you are using authorative resolving.

Many facebook, etc use facebook.com as cname, so there, the cname in Pi-hole is already active.


www.facebook.com.       3600    IN      CNAME   star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com. 300 IN     A

api.facebook.com.       3600    IN      CNAME   star.c10r.facebook.com.
star.c10r.facebook.com. 300     IN      A
www.instagram.com.      3600    IN      CNAME   z-p42-instagram.c10r.facebook.com.
z-p42-instagram.c10r.facebook.com. 300 IN A
www.fb.me.              7040    IN      CNAME   www.facebook.com.
www.facebook.com.       3271    IN      CNAME   star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com. 300 IN     A

www.freebasic.com.      7200    IN      CNAME   star.c10r.facebook.com.
star.c10r.facebook.com. 157     IN      A

Maybe now we have only to enter bare domains (facebook.com) and the rest will be blocked by CNAME as is done for the bare domain in the blacklist.

Putting just only facebook.com in the blacklist already block these all through CNAME. This can also work negative because the ones wanting to use facebook can’t. A facebook.com in whitelist will overrule that. It is slower because a resolv is made and not blocked in a earlier stage. See it more as a simple on/off switch for facebook.

It won’t catch all because of there are also domains by facebook that don’t have a CNAME to facebook.com .

User has only to press the whitelist button to have access again to facebook.

Some brainstorming:
Maybe can be made simple for users to have short list of social media and they then tick the box which should be blocked.

www.twitter.com.        600     IN      CNAME   twitter.com.
twitter.com.            1794    IN      A
twitter.com.            1794    IN      A