Introduction: Eliminating Distractions
- It could be applied only during specified times, so my internet would only be blocked during working hours leaving me free to watch youtube videos in the evening.
- It could be applied to specified devices only, so other people or devices on my network won't be affected.
The ProblemThe problem with the blog post linked above quickly becomes apparent if you want to block a "large" website, such as youtube: youtube.com may resolve to one of many IP addresses. An end user may never know all of these IP addresses, so adding them to a block list is virtually impossible---block one of these IP addresses and you may simply be directed to a different, unblocked IP address next time you try to visit the site. It's a simple problem, but not one with a straightforward solution.
- Block sites using the "TLS host" filter in the firewall rules: This never worked at all for me. The firewall rule never matched a single packet. It may have to do with the topic discussed in this forum post. However, no good solution was presented there, so I don't really care about the underlying reason it didn't work.
- Block sites using Layer 7 protocols: Not only does the MikroTik website say not to do this for efficiency reasons, it's not even guaranteed to work, especially for encrypted (HTTPS) traffic.
- Block sites using a DNS black hole: This is at least feasible, but there is one major problem: it affects all systems on the network. Great for blocking ads, but not great if I want to prevent only myself from listening to youtube livestreams while I'm supposed to be working. On top of that it often doesn't even work! DNS-over-HTTPS prevents this from working, and end users can easily bypass the restriction by changing the DNS server in their computer's settings to point to something like google (18.104.22.168) or cloudflare (22.214.171.124).
The Working Solution
- Statically resolve DNS requests for websites I want to block to a single, valid, IP address for that site.
- Go to the router's settings (I accessed mine just using the "WebFig" interface at 192.168.88.1 by default)
- Under IP->DHCP Server, select the "Networks" tab and click on the network under "defconf" to change its settings. Click the arrow next to "DNS Servers", and put the router's IP address (by default, 192.168.88.1) into the box. Click OK.
- Under IP->DNS, click on the down arrow next to "Servers" and enter 126.96.36.199 into the box (cloudflare's default DNS server). You can use different servers if you want. For example, if you have a PiHole ad-blocking DNS server on your network then you'll need to put its IP address in this field. (Though, if you have such a setup you probably already have done so.) Make sure the "Allow remote requests" box is checked. Click on "Apply".
- Under IP->DHCP Client, click on the first entry under "defconf". Uncheck "Use Peer DNS" and click "Apply". This should prevent the router from trying to use your ISP's DNS servers. (This may not be necessary.)
- Under IP->DHCP Server, select the "Leases" tab. Look for the device(s) for which you want to restrict access. Click on the address for each device, then click on the "Make static" button.
- Now that your devices will have static IP addresses, we'll add them to a list that can be used later. Go to IP->Firewall, and click on the "Address lists" tab. For each device from the previous step:
- Click on "Add New"
- In the "Name" box, enter the name of the list to create (or select the name of the list if you've already registered at least one address). I'll use "blocked_devices" for my list name.
- In the "Address" box, enter the (now static) IP of the device.
- Obtain the IP address of the domain you want to block. In my opinion, the easiest way is just to use "ping" in a terminal (e.g. "ping www.youtube.com"). Copy the IP address.
- In the router's settings, go to IP->DNS, then click on the "Static" button. Click on "Add New". Enter the full domain (e.g. "www.youtube.com") in the "Name" box, and the IP you copied in step 1 into the "Address" box. Keep the "Type" option set to "A". Click on OK.
- We'll also create a list of restricted site addresses.
- Go to IP->Firewall, and click on the "Address lists" tab again.
- Click on "Add New".
- In the "Name" box, enter the name of a different list from the one you created for your devices. I'll use "blocked_sites" for my list name here. (You can just select the existing "blocked_sites" name if you've already registered at least one address in this list.)
- In the "Address" box, enter the IP address you set for the domain.
- Click "Ok".
- Clear the router's DNS cache: Go to IP->DNS, and click on the "Cache" button. Then click "Flush cache".
- Clear your browser's DNS cache. This differs based on the browser, you'll need to check online for instructions on how to do it in yours.
- Clear your operating system's DNS cache. Once again, this may differ on different systems, so I'd recommend searching online for how to do it.
- In the router's settings, go to IP->Firewall. Click on "Add New".
- Keep the "Chain" set to "Forward".
- Next to "Src. Address List", select "blocked_devices" (or whatever you named your list of devices to be restricted).
- Next to "Dst. Address List", select "blocked_sites" (or whatever you named your list of addresses to be blocked).
- Click the arrow next to "Time". Enter the start and stop times that you want sites restricted. I wanted mine restricted from 8:00 AM until 6:30 PM, so my boxes contain "08:00:00" and "18:30:00". Also select the days on which it applies.
- Next to "Action", select "drop".
- You may want to add a comment, like "block distracting sites" to help you find the rule.
- Click "Ok".
- The new rule should now appear at the bottom of the list of rules. However, we want it to apply before any rule that explicitly allows anything. So, just use the mouse to drag the rule up the list, above any rule that "accept"s anything.
- Block the site that firefox uses to carry out DNS over HTTPS. Go to "about:config" (accept the warning; we won't change anything), and search for "trr.uri". You should see a single URL. For me, it was
Now, firefox's DNS-over-HTTPS should fail and fall back to a different option, regardless of whether it is enabled.
Should you find yourself trying to work around the blocking in the future, hopefully preventing that is simply a matter of adding another DNS server to the dns_servers list.
As a final step, repeat the procedure in section 4) above to clear any cached DNS addresses. You may need to restart your web browsers and your router before some of the changes take effect.
- Forced the router to act as a DNS server.
- Assigned static IP addresses to each device to restrict, and added these addresses to a list.
- Configured the router's DNS server to return only one IP address per site to block.
- Added the site IP addresses to a separate list.
- Created a firewall rule to block traffic going from the addresses in the device list to addresses in the site list.
- Prevented some methods for bypassing this, such as DNS over HTTPS or manual DNS server settings.