Domain or IP Redirect

Started by Shart, December 07, 2021, 05:34:56 PM

I would like to redirect youtube.com to youtubekids.com for specific MAC addresses on my local network. I have tried doing this by creating an alias for the local MAC addresses and then using a NAT outbound rule using the IP addresses of the websites, but it doesn't work. I have no clue how to do this, any suggestions?

Probably a task better suited to DNS. I'm pretty sure I saw an option to rewrite in AdGuard Home.

I'll start poking around. I'm using Unbound DNS with blocklists. Not sure about Adguard.

It doesn't have to be Adguard. What you want to do is possible with firewall rules but they work on IPs, not on domains, so the translation is needed first but then you want it selective i.e. only for some clients. I don't know if domain overrides in Unbound could be used.
Anyway, if you post what you've setup and what you see when "it doesn't work", I'm sure you'll get better help.

Thanks, you actually got me looking at the AdGuard plugin. I am not sure it was a thing when I set up Unbound.

I will have to set up some more aliases for a block of IP addresses. I looked at domain overrides but that would be for everyone. I'll keep poking around.

BTW you don't have to choose AdGuard Home (AGH) over Unbound. I and others use them together.
AGH for DNS filtering (what you want) and Unbound for the rest.
As I say, I have them running together. Let me try this for you.

I tried quickly and the DNS rewrite works, but I could only apply it globally in my setup, i.e. not only for the specified client. Maybe it needs to be set up the other way around, with everyone else not using the global settings.
Either a question for the AGH forum. Maybe also it needs a specific rule in their own syntax.
Either way, it might be an avenue to explore more, or back to your original thinking of using OPN built-in features.

Thanks for trying it out. I did see that it could be done globally, but doing it only for select clients is why I was trying aliases through the firewall. I thought perhaps I could have those clients go through a virtual NIC and possibly apply those settings, but I still don't see that being the case once you involve DNS, which is where I think it needs to happen.

No problem. It reminded me I wanted to do something similar, a custom block rather than a rewrite for a specific client, and it didn't work. The blocking has been fixed in the latest beta of AGH. I need to ask mimugmail if I can upgrade to test that, but I can ask the question about the rewrite in the AGH forum.

Yep, DNS rewrites per client work.
Tested with AGH version v0.107.0-b.15 and a custom filtering rule on it:
example.org^$important,client='test',dnsrewrite=freebsd.org
and a client created. I created one called test, and with the rule above I made only that client redirect example.org to freebsd.org. All nice and dandy.
A redirect instead to youtubekids.com gave me a Google 404, so you need to take it from here if you want to use this potential solution.
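To make the per-client behaviour of that rule concrete, here is a small Python model of how an AdGuard Home `dnsrewrite` rule with a `client=` modifier is scoped. It is an added example, not AGH's own code or anything posted in this thread; the matching is simplified (exact host, or host plus subdomains when the rule uses the `||` prefix), the `|` separator between several clients is an assumption, and the `kids-ipad` client name is a constructed sample.

```python
import re
from dataclasses import dataclass


@dataclass
class RewriteRule:
    pattern: str        # host pattern with the '^' separator anchor removed
    subdomains: bool    # True when the rule used the '||' prefix
    clients: set        # client names/IPs the rule is limited to; empty = all clients
    target: str         # dnsrewrite target (hostname or address)
    important: bool     # $important: wins over non-important matches


def _split_modifiers(text):
    # Split on commas that are not inside single quotes (client='a, b' stays whole)
    return [m for m in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", text) if m]


def parse_rule(line):
    """Parse 'pattern^$mod,mod,...' into a RewriteRule (simplified AGH syntax)."""
    body, _, mods = line.strip().partition("$")
    subdomains = body.startswith("||")
    host = body.lstrip("|").rstrip("^").lower()
    clients, target, important = set(), None, False
    for mod in _split_modifiers(mods):
        key, _, value = mod.partition("=")
        if key == "client":
            # '|' between several clients is an assumption about the syntax
            clients.update(v.strip("'\"").lower() for v in value.split("|"))
        elif key == "dnsrewrite":
            target = value
        elif key == "important":
            important = True
    if target is None:
        raise ValueError(f"not a dnsrewrite rule: {line}")
    return RewriteRule(host, subdomains, clients, target, important)


def _matches(rule, qname, client):
    qname = qname.lower().rstrip(".")
    if rule.clients and client.lower() not in rule.clients:
        return False            # rule is scoped to other clients: ignore it
    if rule.subdomains:
        return qname == rule.pattern or qname.endswith("." + rule.pattern)
    return qname == rule.pattern


def resolve(rules, qname, client):
    """Rewrite target for (qname, client), or None when no rule applies."""
    hits = [r for r in rules if _matches(r, qname, client)]
    if not hits:
        return None
    important = [r for r in hits if r.important]
    return (important or hits)[0].target
```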

Ok, so I don't think I can do what I want to do without it being a major headache. What I'm thinking of doing is the full parental control situation: setting up another DNS service, or using my Pi-hole (which is my backup DNS) or AdGuard Home, with very strict blocking of sites and ads etc. Then sending my kids' iPads and computers through that DNS server.

Is this possible? Can I create a firewall rule that sends certain computers to a different DNS?

I've tried doing it through a NAT port redirect, but it doesn't seem to work.

December 12, 2021, 11:23:09 PM #12 Last Edit: December 13, 2021, 03:20:07 AM by baz
I understand that this use case is for kids and such, but for argument's sake, redirecting DNS is generally a weak solution for blocking sites, given that users can look up, and visit, IPs directly. Ad-blocking is different because users are willing participants in the blocking, but when users are adversarial, DNS blocking is little more than superficial. The only adequate solution is to block sites through the firewall, which unfortunately is almost impossible given how sophisticated networks have become with geo-location, load-balancing, CDNs, etc. Again, just chatting, DNS blocking for young kids at home is more than fine.