See Configure Access
Navigate to Services → DNS Resolver.
In Custom Options:
# Give pfSense a server: tag so it puts directives in correct place. server: # Define a new tag. define-tag: "notube" # Create an access-control entry. access-control: 10.1.1.6/32 allow # Tag the access. # Allocate some IP ranges to the tag, repeat for more. access-control-tag: 10.1.1.6/32 "notube" # www.youtube.com is the only way to access youtube site. # All other language domains redirect to www.youtube.com. # You can verify this by the allowed domains in SSL wildcard cert - Certificate Subject Alt Name. # The variants like -nocookie edu and yt.be don't serve content. # The CNAME records for local caches and redirects don't serve content. # The cert is set HSTS (strict) so won't serve on incorrect redirects. # The plain http redirects everything to the https SSL. # Going to myriad IP addresses redirects to google search page. # So with local DNS control, you have tight control of access to youtube. # This of course doesn't exclude proxies & tunnels, but these require more effort & privileges on clients. # Create the local-zone, and allow normal service which allows non-blocked users access and allow all types like A and AAAA and CNAME. local-zone: www.youtube.com typetransparent # Tag the domain. local-zone-tag: www.youtube.com notube # Ensure local data served first. access-control-tag-action: 10.1.1.6/32 "notube" redirect # Send users to your polite internal block page. access-control-tag-data: 10.1.1.6/32 "notube" "A 10.4.1.34"
NOTE: