Need to block bad websites via the router

RevGAM

I would like to add a large number of websites to be blocked by my router (Linksys EA6350 V.4), because a HOSTS file is not possible with school Chromebooks. How can I easily accomplish this, and where would be the best places to find the blacklist to add? This is to keep my kids out of danger.

I've been using computers since around 1978, started learning programming in 1980 on Apple IIs, started learning about hardware in 1990, ran a BBS from 1990-95, built my first Windows PC around 2000, taught myself malware removal starting in 2005 (also learned on Bleeping Computer), learned web dev starting in 2017, and I think I can fill a thimble with all that knowledge. 😉 I'm not an expert, which is why I keep investigating the answers that others give to try and improve my knowledge, so feel free to double-check the advice I give.

My phone's auto-correct is named Otto Rong.🤪😂

Haven't used that specific router so I don't know what settings are available to you. If you're able to block sites from the router's settings then it will likely explain how to do so in the UI. Otherwise (if you have a PC that will run 24/7) you should be able to use something like PiHole (it can run in a VM, you do not need an actual raspberry pi to use it) to block domains, you point either the router or each computer to it as the DNS server. 

Intel HEDT and Server platform enthusiasts: Intel HEDT Xeon/i7 Megathread 

 

Main PC 

CPU: i9 7980XE @4.5GHz/1.22v/-2 AVX offset 

Cooler: EKWB Supremacy Block - custom loop w/360mm +280mm rads 

Motherboard: EVGA X299 Dark 

RAM:4x8GB HyperX Predator DDR4 @3200Mhz CL16 

GPU: Nvidia FE 2060 Super/Corsair HydroX 2070 FE block 

Storage:  1TB MP34 + 1TB 970 Evo + 500GB Atom30 + 250GB 960 Evo 

Optical Drives: LG WH14NS40 

PSU: EVGA 1600W T2 

Case & Fans: Corsair 750D Airflow - 3x Noctua iPPC NF-F12 + 4x Noctua iPPC NF-A14 PWM 

OS: Windows 11

 

Display: LG 27UK650-W (4K 60Hz IPS panel)

Mouse: EVGA X17

Keyboard: Corsair K55 RGB

 

Mobile/Work Devices: 2020 M1 MacBook Air (work computer) - iPhone 13 Pro Max - Apple Watch S3

 

Other Misc Devices: iPod Video (Gen 5.5E, 128GB SD card swap, running Rockbox), Nintendo Switch

the most low effort way is to simply use one of the pre-existing kid safe dns servers and set up a secondary wireless network with the dns server put into the dhcp settings, which will be applied to clients that connect to that net.
It's pretty easy to bypass it but tbh most other solutions also have bypasses 

3 minutes ago, OhYou_ said:

It's pretty easy to bypass it but tbh most other solutions also have bypasses 

Can confirm this, my parents used software that ran on windows for this, but then gave me a linux computer 😂

 

A healthy relationship with your kids where you can talk about the dangers/concerns online and how to avoid the really rough stuff is just as important as any solution to try and make said stuff harder to find. But that's not really something a tech forum can advise on. 

54 minutes ago, Zando_ said:

Can confirm this, my parents used software that ran on windows for this, but then gave me a linux computer 😂

 

A healthy relationship with your kids where you can talk about the dangers/concerns online and how to avoid the really rough stuff is just as important as any solution to try and make said stuff harder to find. But that's not really something a tech forum can advise on. 

I tried this, even pre-approved sites for my preteen to use. 

 

Somehow a website added a hentai choice. Now octopi make my adult kid uncomfortable. He saw ten seconds of one video.

 

For the OP - does the school own the Chromebook?

3 hours ago, MelancholyBaby said:

I tried this, even pre-approved sites for my preteen to use. 

 

Somehow a website added a hentai choice. Now octopi make my adult kid uncomfortable. He saw ten seconds of one video.

 

For the OP - does the school own the Chromebook?

Education and good communication with your kids is the only way.  There is no foolproof way to block everything, I wouldn't even trust whitelisting just specific sites to work.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

I am way beyond the education, communication and relationship efforts, but I really don't want to go into details. Suffice it to say that having a blocked list in the router is going to be the best choice unless Spectrum offers that sort of service on their server. I've adjusted the router's ipv4 DNS settings, but I can't figure out how to do it for ipv6.

9 hours ago, MelancholyBaby said:

I tried this, even pre-approved sites for my preteen to use. 

 

Somehow a website added a hentai choice. Now octopi make my adult kid uncomfortable. He saw ten seconds of one video.

 

For the OP - does the school own the Chromebook?

I'm sorry to hear that happened to your kid. The Chromebooks are owned by the school.

DNS redirection at the router level... and then use a pi-hole virtual machine.  Then there is cellular so, not sure what to do there.

: JRE #1914 Siddarth Kara

How bad is e-waste?  Listen to that Joe Rogan episode.

 

"Now you get what you want, but do you want more?"
- Bob Marley, Rastaman Vibration album 1976

 

Windows 11 will just force business to "recycle" "obsolete" hardware.  Microsoft definitely isn't bothered by this at all, and seems to want hardware produced just a few years ago to be considered obsolete.  They have also not shown any interest nor has any other company in a similar financial position, to help increase tech recycling whatsoever.  Windows 12 might be cloud-based and be a monthly or yearly fee.

 

Software suggestions


Just get f.lux [Link removed due to forum rules] so your screen isn't bright white at night, a golden orange in place of stark 6500K bluish white.

released in 2008 and still being improved.

 

Dark Reader addon for webpages.  Pick any color you want for both background and text (background and foreground page elements).  Enable the preview mode on desktop for Firefox and Chrome addon, by clicking the dark reader addon settings, Choose dev tools and click preview mode.

 

NoScript or EFF's privacy badger addons can block many scripts and websites that would load and track you, possibly halving page load time!

 

F-droid is a place to install open-source software for android, Antennapod, RethinkDNS, Fennec which is Firefox with about:config, lots of performance and other changes available, mozilla KB has a huge database of what most of the settings do.  Most software in the repository only requires Android 5 and 6!

 

I recommend firewall apps (blocks apps) and dns filters (redirect all dns requests on android, to your choice of dns, even if overridden).  RethinkDNS is my pick and I set it to use pi-hole, installed inside Ubuntu/Debian, which is inside Virtualbox, until I go to a website, nothing at all connects to any other server.  I also use NextDNS.io to do the same when away from home wi-fi or even cellular!  I can even tether from cellular to any device sharing via wi-fi, and block anything with dns set to NextDNS, regardless if the device allows changing dns.  This style of network filtration is being overridden by software updates on some devices, forcing a backup dns provider, such as google dns, when built in dns requests are not connecting.  Without a complete firewall setup, dns redirection itself is no longer always effective.

On 2/7/2023 at 4:04 AM, RevGAM said:

I've adjusted the router's ipv4 DNS settings, but I can't figure out how to do it for ipv6.

I don't have that router. But looking in mine, IPv6 DNS settings were under Local Network, there was then a sub category for IPv6. Might be a place to look. 

I just want to sit back and watch the world burn. 

31 minutes ago, Donut417 said:

I don't have that router. But looking in mine, IPv6 DNS settings were under Local Network, there was then a sub category for IPv6. Might be a place to look. 

Thanks! I'll check after work. 

It doesn't seem to have it.

  • 3 weeks later...

Have you considered checking whether your router hardware is supported by one of the free, open source router firmware projects available, such as FreshTomato, DD-WRT or OpenWRT?

 

FreshTomato has a built-in Ad blocking function which can allow you to choose a blocklist of domains/subdomains you want to block. You can also override that with manual blacklists and whitelist. If you can find a pre-made list that meets your needs, you could block all that content on the network, or even just on one subnet or one host, etcetera. I use a combination of a pre-made blocklist and some additions of my own for my daily needs. For me it's wonderful.

 

The Compatibility Matrix there doesn't list your EA6350 v4, but it lists hardware versions 1 and 2 of that model, so you might ask on the forums there if there are builds compatible with your hardware version. Sometimes, if you ask nicely, they might even do a custom build for you. The people there are generally quite helpful.

 

The wiki documentation page for the Ad block feature is being rewritten, so it's pretty rough right now, but it's worth having a look at it. Start at the bottom, as that's the original section...geared towards beginners.

 

Which DNS filtering service have you already tried that appeared to fail you?

13 hours ago, Shplad said:

Which DNS filtering service have you already tried that appeared to fail you?

I don't have a DNS filtering service. Hopefully, your info will be the solution I need! Thanks!

7 minutes ago, TechlessBro said:

Just set local network dns from  1.1.1.1 to 1.1.1.3 that will filter malware and adult content.

 

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

 

it’s not going to log or block everything but it's free and no effort.

Hmmm...I changed my Static DNS #1 & #2, but I can still access PornHub. That doesn't seem right. Did I do something wrong?

15 minutes ago, RevGAM said:

Hmmm...I changed my Static DNS #1 & #2, but I can still access PornHub. That doesn't seem right. Did I do something wrong?

Did you release/renew your IP address?

command prompt

ipconfig /renew

1 hour ago, Lurick said:

Did you release/renew your IP address?

command prompt

ipconfig /renew

Interesting. Before you answered, I discovered Cloudflare Warp and installed that. Now, it's not connecting to PornHub, which is great. Even when I turn off Warp it's not, so I'm not sure if maybe it auto-renewed because I finally did that (thanks!) and it didn't make a difference - it's still blocked.

 

Now, the next question I have is, how can I set IPv6 to:

Primary DNS: 2606:4700:4700::1113
Secondary DNS: 2606:4700:4700::1003

?

I have been unable to locate this in the settings of the LinkSys EA6350 v4.

DNS filtering services, such as Cloudflare, EasyDNS etc. rely on your device using plaintext requests for DNS resolution. If you use DoH (DNS over HTTPS) or other "secure" or "private" DNS methods on your client devices, you'll be able to go to any domain you want, no restrictions. I don't believe there's any way around this.

 

So, I can't remember what WARP is exactly, but make sure whatever client devices you use do not use private/secure DNS resolution protocols, DoH or DNSSEC. I believe some Apple devices use them by default. Whether you can reconfigure that on each client device will be on a case-by-case basis. It will mostly depend on the nature/manufacturer of the device.

 

You'll also need to ensure that your kids' client devices are not configured to use DNS servers other than the one you chose, or again, the whole process becomes useless.

 

I suppose routers might exist that allow you to block DoH protocol requests. I really don't know.

 

Remember also that this will only block DNS lookups. If one of your kids has the current IP address of a host on the Internet to which they want to connect and their program of choice will work with that, DNS filtering will do nothing to prevent that.

 

 

 

Edited by Shplad
Additional points
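
Added example (not part of any post in this thread): a Python check for the points in the post above, that filtering only applies to plaintext lookups sent to the resolver you chose. It asks each Cloudflare for Families address quoted in the thread directly and compares that with what the machine's own resolver returns; the `0.0.0.0`/`::` block answer and all function names are assumptions of this example.

```python
import ipaddress
import secrets
import socket
import struct
import sys

# Cloudflare for Families addresses quoted in this thread.
FAMILY_RESOLVERS = ["1.1.1.3", "2606:4700:4700::1113", "2606:4700:4700::1003"]
# Assumption: the filter answers a blocked name with the unspecified address.
SINKHOLE = {"0.0.0.0", "::"}

def build_query(name, qtype=1, txid=0x1234):
    """Plaintext DNS query for name (qtype 1 = A, 28 = AAAA), recursion desired."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Offset just past the name at off (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:
            return off + 2
        off += 1 + n

def parse_answers(msg):
    """Return (rcode, [address strings]) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rdlen) in ((1, 4), (28, 16)):  # A or AAAA record
            addrs.append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen                              # other record types are skipped
    return flags & 0x000F, addrs

def classify(rcode, addrs):
    """Turn a parsed answer into blocked / resolved / nxdomain / no-data / error."""
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error"
    if not addrs:
        return "no-data"
    return "blocked" if all(a in SINKHOLE for a in addrs) else "resolved"

def make_reply(query, addr):
    """Constructed sample: a one-record reply to query, for offline checks."""
    ip = ipaddress.ip_address(addr)
    rr = struct.pack("!HHHIH", 0xC00C, 1 if ip.version == 4 else 28, 1, 60, len(ip.packed))
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr + ip.packed

def ask(resolver, name, qtype=1, timeout=3.0):
    """Ask one resolver directly over UDP port 53 and classify its answer."""
    query = build_query(name, qtype, secrets.randbelow(1 << 16))
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply does not match query id")
    return classify(*parse_answers(reply))

def system_view(name):
    """What this machine's configured resolver (e.g. the DHCP-assigned one) returns."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return "lookup-failed"
    return classify(0, addrs)

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print("this machine:", system_view(name))
    for r in FAMILY_RESOLVERS:
        try:
            print(r, ask(r, name))
        except OSError as e:                      # timeout, or no IPv6 route
            print(r, "unreachable:", e)
```

If `this machine:` prints `resolved` for a name the family resolvers report as `blocked`, the device is not using the filtered DNS (stale DHCP lease, cached answer, or its own DNS setting). A browser doing its own DoH lookups bypasses the operating system resolver, so it will not show up in this comparison.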
25 minutes ago, Shplad said:

DNS filtering services, such as Cloudflare, EasyDNS etc. rely on your device using plaintext requests for DNS resolution. If you use DoH (DNS over HTTPS) or other "secure" or "private" DNS methods on your client devices, you'll be able to go to any domain you want, no restrictions. I don't believe there's any way around this.

 

So, I can't remember what WARP is exactly, but make sure whatever client devices you use do not use private/secure DNS resolution protocols, DoH or DNSSEC. I believe some Apple devices use them by default. Whether you can reconfigure that on each client device will be on a case-by-case basis. It will mostly depend on the nature/manufacturer of the device.

 

You'll also need to ensure that your kids' client devices are not configured to use DNS servers other than the one you chose, or again, the whole process becomes useless.

 

I suppose routers might exist that allow you to block DoH protocol requests. I really don't know.

 

Remember also that this will only block DNS lookups. If one of your kids has the current IP address of a host on the Internet to which they want to connect and their program of choice will work with that, DNS filtering will do nothing to prevent that.

 

 

 

Ok, so WARP appears to be an extension of the 1.1.1.1/1.1.1.3 Cloudflare DNS system. "1.1.1.1 with WARP replaces the connection between your device and the Internet with a modern, optimized, protocol."

 

I don't have any idea if they've enabled DoH, etc. It sucks that it is so hard to protect them from themselves.

The answer was right in the link you posted:

 

Quote

Last year we went one step further to make the entire connection from a device both faster and safer when we launched Cloudflare WARP. With the push of a button, users could connect their mobile device to the entire Internet using a WireGuard tunnel through a Cloudflare data center near to them. Traffic to sites behind Cloudflare became even faster and a user’s experience with the rest of the Internet became more secure and private.

So, I don't know if it will live up to the speed claim, as VPN tunnelling protocols reduce, not increase speed. But if they have caching at their end, well...maybe it does live up to the hype.

 

I doubt Warp is available for all platforms, however. Have you checked to see if your current setup requires WARP, cause if it does, your kids' phones/iPads/whatever may or may not run WARP.

What devices are your kids/their friends running? Remember, you'll probably want to make sure that when their friends/bf/gf come over...

 

I have some idea what this is like. I was a psychometrist (Master's degree level equivalent of psychologist for a few years) and did counselling and assessments of kids. My Mom has a Ph.D in child psych and taught graduate students at our local university. Never give up..there are so many ways to help kids.

Remember to purge your PC’s DNS resolver cache in between changes when you’re testing. 
 

ipconfig /flushdns

 

I sold my soul for ProSupport.

2 hours ago, Shplad said:

The answer was right in the link you posted:

 

So, I don't know if it will live up to the speed claim, as VPN tunnelling protocols reduce, not increase speed. But if they have caching at their end, well...maybe it does live up to the hype.

 

I doubt Warp is available for all platforms, however. Have you checked to see if your current setup requires WARP, cause if it does, your kids' phones/iPads/whatever may or may not run WARP.

What devices are your kids/their friends running? Remember, you'll probably want to make sure that when their friends/bf/gf come over...

 

I have some idea what this is like. I was a psychometrist (Master's degree level equivalent of psychologist for a few years) and did counselling and assessments of kids. My Mom has a Ph.D in child psych and taught graduate students at our local university. Never give up..there are so many ways to help kids.

Devices: Chromebooks for school, HP laptop w/W11, custom PC w/W11, Android tablet & phone, iPhone 6. I have no interest in providing access or supporting whatever their friends have, nor do they often have any over, let alone use our wifi, so no worries there.

 

BTW, Warp is restrictive enough that when I wanted to join my daughter's team in Destiny 2, the NAT (according to the game) blocked it until I turned off WARP.

 

What psychometric tools did you use?

Just now, TechlessBro said:

1.1.1.1 App for iOS iPadOS has the option under advanced / connection options / dns settings / block malware and adult content

 

being apple it used loopback vpn profile and gets reset every so often 

 

as someone stated above dhcp needs to renew before the DNS on router changes, that could be reboot or 8-12 hours depending on lease time set in dhcp server aka your router.

The only Apple device we have is an old iPhone 6, otherwise it's all Android and Windoze.

 

I still need to know how to alter the DNS settings for IPv6 on my device..

3 minutes ago, TechlessBro said:

Why even run IPv6?

what’s it used for?

 

I'd turn it off and see if anything breaks, windows and apple etc use IPv4 by default for most home user things.

Then what is IPv6 used for?

When I mentioned the friends earlier, I think you may have misunderstood what I meant or I didn't express it well. I meant that you'll have no control over the friends' devices. So when your kids' friends/dates/whatever are over at your place, your kids will have access to whatever content the friends have access to if they don't use your DNS servers and/or if they use encrypted DNS protocols like DoH. They can also bypass all that if they have a cellular data plan and don't use your WiFi.

 

 
