====== PFSense - DNS - Block YouTube ======
See [[Networking:DNS:Unbound:Configure Access|Configure Access]]
Navigate to **Services -> DNS Resolver**.
In **Custom Options**:
<code>
# Give pfSense a server: clause so it puts the directives in the correct place.
server:
# Define a new tag.
define-tag: "notube"
# Create an access-control entry.
access-control: 10.1.1.6/32 allow
# Tag the access.
# Allocate some IP ranges to the tag; repeat for more.
access-control-tag: 10.1.1.6/32 "notube"
# www.youtube.com is the only way to access the YouTube site.
# All other language domains redirect to www.youtube.com.
# You can verify this from the allowed domains in the SSL wildcard cert (Certificate Subject Alt Name).
# Variants like -nocookie, edu and yt.be don't serve content.
# The CNAME records for local caches and redirects don't serve content.
# HSTS (strict) is set, so it won't serve on incorrect redirects.
# Plain http redirects everything to https.
# Going to the myriad IP addresses directly redirects to the Google search page.
# So with local DNS control, you have tight control of access to YouTube.
# This of course doesn't exclude proxies and tunnels, but these require more effort and privileges on clients.
# Create the local-zone as typetransparent, which gives non-blocked users normal service
# and allows all record types such as A, AAAA and CNAME.
local-zone: www.youtube.com typetransparent
# Tag the domain.
local-zone-tag: www.youtube.com notube
# Ensure local data is served first.
access-control-tag-action: 10.1.1.6/32 "notube" redirect
# Send users to your polite internal block page.
access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
</code>
**NOTE:**
  * The **access-control-tag** element specifies the tag to use for a client address.
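To check which clients the policy actually catches before rolling it out, the added example below (not pfSense or Unbound code) is a simplified model of the tag matching in the Custom Options above. The function names ''parse'' and ''decide'' are hypothetical, and the model assumes tag data in the simple "TYPE value" form used on this page.

```python
import ipaddress
import shlex

# Constructed input: the tag directives from this page's Custom Options.
CONFIG = """
server:
define-tag: "notube"
access-control: 10.1.1.6/32 allow
access-control-tag: 10.1.1.6/32 "notube"
local-zone: www.youtube.com typetransparent
local-zone-tag: www.youtube.com notube
access-control-tag-action: 10.1.1.6/32 "notube" redirect
access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
"""

def parse(text):
    """Collect the tag-related directives into lookup tables."""
    cfg = {"client_tags": {}, "zone_tags": {}, "action": {}, "data": {}}
    for line in text.splitlines():
        key, _, rest = line.split("#")[0].strip().partition(":")
        args = shlex.split(rest)  # strips the quotes around tags and data
        if key == "access-control-tag":
            cfg["client_tags"][ipaddress.ip_network(args[0])] = set(args[1].split())
        elif key == "local-zone-tag":
            cfg["zone_tags"][args[0].rstrip(".").lower()] = set(args[1].split())
        elif key == "access-control-tag-action":
            cfg["action"][ipaddress.ip_network(args[0]), args[1]] = args[2]
        elif key == "access-control-tag-data":
            cfg["data"][ipaddress.ip_network(args[0]), args[1]] = args[2].split()
    return cfg

def decide(cfg, client_ip, qname, qtype="A"):
    """Return the tag data value, 'NODATA', or 'RECURSE' (normal resolution)."""
    ip = ipaddress.ip_address(client_ip)
    nets = [n for n in cfg["client_tags"] if ip in n]
    labels = qname.rstrip(".").lower().split(".")
    # Longest matching tagged zone: the name itself or any parent domain.
    zone = next((z for i in range(len(labels))
                 if (z := ".".join(labels[i:])) in cfg["zone_tags"]), None)
    if not nets or zone is None:
        return "RECURSE"  # untagged client or untagged name: typetransparent applies
    net = max(nets, key=lambda n: n.prefixlen)  # most specific netblock wins
    for tag in sorted(cfg["client_tags"][net] & cfg["zone_tags"][zone]):
        if cfg["action"].get((net, tag)) == "redirect":
            rtype, value = cfg["data"].get((net, tag), (None, None))
            return value if rtype == qtype else "NODATA"
    return "RECURSE"
```

For the tagged client an AAAA query comes back as NODATA because only an A record is supplied as tag data, so the block page is reached over IPv4 only.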
----
===== References =====
https://forum.netgate.com/topic/116690/solved-dns-different-results-for-different-clients
https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/